Analysis Report WcHO1ZGiIn

Overview

General Information

Sample Name: WcHO1ZGiIn (renamed file extension from none to exe)
Analysis ID: 432864
MD5: c7b10eb81f543debd7092703917cf6e5
SHA1: cfa927622c9ffb371aeb7fdbb4c32798ec6fbcdd
SHA256: aa46ed83ddd4f41f0c8eff6a404206cad70a7ecf4dd8754ee305655ffffee4bb

Detection

AgentTesla Matiex
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected Matiex Keylogger
Machine Learning detection for dropped file
Machine Learning detection for sample
Yara detected Beds Obfuscator
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection

Process Tree

  • System is w10x64
  • WcHO1ZGiIn.exe (PID: 6304 cmdline: 'C:\Users\user\Desktop\WcHO1ZGiIn.exe' MD5: C7B10EB81F543DEBD7092703917CF6E5)
    • Serwices.exe (PID: 6792 cmdline: 'C:\Users\user\AppData\Local\Temp\Serwices.exe' MD5: CF1048A8362B93B9CDF47260B50D8F37)
      • WerFault.exe (PID: 7032 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6792 -s 852 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000002.254454317.0000000004319000.00000004.00000001.sdmp | JoeSecurity_Matiex | Yara detected Matiex Keylogger | Joe Security |
00000004.00000002.254454317.0000000004319000.00000004.00000001.sdmp | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security |
00000004.00000002.254454317.0000000004319000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000004.00000002.254827606.0000000004475000.00000004.00000001.sdmp | JoeSecurity_Matiex | Yara detected Matiex Keylogger | Joe Security |
00000004.00000002.254827606.0000000004475000.00000004.00000001.sdmp | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
4.0.Serwices.exe.43e7f14.13.raw.unpack | JoeSecurity_Matiex | Yara detected Matiex Keylogger | Joe Security |
4.0.Serwices.exe.43e7f14.13.raw.unpack | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security |
4.2.Serwices.exe.4475bd0.6.raw.unpack | JoeSecurity_Matiex | Yara detected Matiex Keylogger | Joe Security |
4.2.Serwices.exe.4475bd0.6.raw.unpack | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security |
4.2.Serwices.exe.4475bd0.6.raw.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Serwices.exe | ReversingLabs: Detection: 65%
Multi AV Scanner detection for submitted file
Source: WcHO1ZGiIn.exe | Virustotal: Detection: 41%
Source: WcHO1ZGiIn.exe | ReversingLabs: Detection: 58%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Serwices.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: WcHO1ZGiIn.exe | Joe Sandbox ML: detected
Source: WcHO1ZGiIn.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: unknown | HTTPS traffic detected: 145.14.145.185:443 -> 192.168.2.3:49730 version: TLS 1.0
Source: WcHO1ZGiIn.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Source: Binary string: System.Core.ni.pdbRSDSD source: WER46DA.tmp.dmp.7.dr
                      Source: Binary string: i8C:\Windows\WindowsApp26.pdb source: Serwices.exe, 00000004.00000002.253768306.0000000001339000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb source: Serwices.exe, 00000004.00000000.236155688.0000000001647000.00000004.00000020.sdmp
                      Source: Binary string: C:\Users\user\AppData\Local\Temp\Serwices.PDB source: Serwices.exe, 00000004.00000002.253768306.0000000001339000.00000004.00000001.sdmp
                      Source: Binary string: System.ni.pdbRSDS source: WER46DA.tmp.dmp.7.dr
                      Source: Binary string: System.Core.pdb8~d source: WER46DA.tmp.dmp.7.dr
                      Source: Binary string: \??\C:\Windows\exe\WindowsApp26.pdb source: Serwices.exe, 00000004.00000000.236155688.0000000001647000.00000004.00000020.sdmp
                      Source: Binary string: jC:\Users\user\AppData\Local\Temp\WindowsApp26.pdb3 source: Serwices.exe, 00000004.00000002.253768306.0000000001339000.00000004.00000001.sdmp
                      Source: Binary string: mscorlib.ni.pdbRSDS source: WER46DA.tmp.dmp.7.dr
                      Source: Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdb.10 source: Serwices.exe, 00000004.00000000.236155688.0000000001647000.00000004.00000020.sdmp
                      Source: Binary string: .pdbf source: Serwices.exe, 00000004.00000002.253768306.0000000001339000.00000004.00000001.sdmp
                      Source: Binary string: WindowsFormsApp9.pdb source: WcHO1ZGiIn.exe
                      Source: Binary string: WindowsApp26.pdbsApp26.pdbpdbp26.pdbsApp26.pdb209-4053062332-1002d source: Serwices.exe, 00000004.00000002.253768306.0000000001339000.00000004.00000001.sdmp
                      Source: Binary string: System.Windows.Forms.pdb` source: WER46DA.tmp.dmp.7.dr
                      Source: Binary string: WindowsApp26.pdb source: WcHO1ZGiIn.exe, 00000000.00000002.1294603294.00000000026F1000.00000004.00000001.sdmp, Serwices.exe, Serwices.exe.0.dr
                      Source: Binary string: System.pdb source: WER46DA.tmp.dmp.7.dr
                      Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb source: Serwices.exe, 00000004.00000000.236155688.0000000001647000.00000004.00000020.sdmp
                      Source: Binary string: D:\Before FprmT\Document VB project\FireFox Stub\FireFox Stub\obj\Debug\VNXT.pdbh} source: Serwices.exe, 00000004.00000002.254454317.0000000004319000.00000004.00000001.sdmp
                      Source: Binary string: System.Core.ni.pdb source: WER46DA.tmp.dmp.7.dr
                      Source: Binary string: Microsoft.VisualBasic.pdb source: WER46DA.tmp.dmp.7.dr
                      Source: Binary string: \??\C:\Windows\symbols\exe\WindowsApp26.pdb source: Serwices.exe, 00000004.00000000.236155688.0000000001647000.00000004.00000020.sdmp
                      Source: Binary string: symbols\exe\WindowsApp26.pdb) source: Serwices.exe, 00000004.00000002.253768306.0000000001339000.00000004.00000001.sdmp
                      Source: Binary string: System.Windows.Forms.pdb source: WER46DA.tmp.dmp.7.dr
                      Source: Binary string: mscorlib.pdb source: WER46DA.tmp.dmp.7.dr
                      Source: Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdbO source: Serwices.exe, 00000004.00000000.236155688.0000000001647000.00000004.00000020.sdmp
                      Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\WindowsApp26.pdb source: Serwices.exe, 00000004.00000000.236155688.0000000001647000.00000004.00000020.sdmp
                      Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Serwices.PDB1 source: Serwices.exe, 00000004.00000000.236155688.0000000001647000.00000004.00000020.sdmp
                      Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdbLIST source: Serwices.exe, 00000004.00000000.236155688.0000000001647000.00000004.00000020.sdmp
                      Source: Binary string: mscorlib.ni.pdb source: WER46DA.tmp.dmp.7.dr
                      Source: Binary string: System.Core.pdb source: WER46DA.tmp.dmp.7.dr
                      Source: Binary string: \??\C:\Windows\symbols\exe\WindowsApp26.pdbV source: Serwices.exe, 00000004.00000000.236155688.0000000001647000.00000004.00000020.sdmp
                      Source: Binary string: .pdb source: Serwices.exe, 00000004.00000002.253768306.0000000001339000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\WindowsApp26.pdba source: Serwices.exe, 00000004.00000000.236155688.0000000001647000.00000004.00000020.sdmp
                      Source: Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdbz source: Serwices.exe, 00000004.00000000.236155688.0000000001647000.00000004.00000020.sdmp
                      Source: Binary string: System.ni.pdb source: WER46DA.tmp.dmp.7.dr
                      Source: Binary string: D:\Before FprmT\Document VB project\FireFox Stub\FireFox Stub\obj\Debug\VNXT.pdb source: Serwices.exe, 00000004.00000002.254454317.0000000004319000.00000004.00000001.sdmp
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: unknown | DNS traffic detected: queries for: mmeetalss.000webhostapp.com
Source: WcHO1ZGiIn.exe, 00000000.00000002.1294517377.00000000026BE000.00000004.00000001.sdmp | String found in binary or memory: https://mmeetalss.000webhostapT
Source: WcHO1ZGiIn.exe, 00000000.00000002.1294517377.00000000026BE000.00000004.00000001.sdmp | String found in binary or memory: https://mmeetalss.000webhostapp.com
Source: WcHO1ZGiIn.exe, WcHO1ZGiIn.exe, 00000000.00000002.1294375558.0000000002661000.00000004.00000001.sdmp | String found in binary or memory: https://mmeetalss.000webhostapp.com/Serwices.exe
Source: WcHO1ZGiIn.exe | String found in binary or memory: https://mmeetalss.000webhostapp.com/Serwices.exe)WindowsFormsApp7.exe
Source: WcHO1ZGiIn.exe, 00000000.00000002.1294447076.0000000002695000.00000004.00000001.sdmp, Serwices.exe, 00000004.00000002.254454317.0000000004319000.00000004.00000001.sdmp | String found in binary or memory: https://www.digicert.com/CPS0
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Code function: 0_2_025EC014
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Code function: 0_2_025EE9F8
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Code function: 0_2_025EE9EA
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Code function: 0_2_072A3008
Source: C:\Users\user\AppData\Local\Temp\Serwices.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6792 -s 852
Source: WcHO1ZGiIn.exe, 00000000.00000000.208020059.0000000000378000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameWindowsFormsApp9.exeB vs WcHO1ZGiIn.exe
Source: WcHO1ZGiIn.exe, 00000000.00000002.1300324417.0000000007BA0000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs WcHO1ZGiIn.exe
Source: WcHO1ZGiIn.exe, 00000000.00000002.1300324417.0000000007BA0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs WcHO1ZGiIn.exe
Source: WcHO1ZGiIn.exe, 00000000.00000002.1294603294.00000000026F1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamevmware.exeH& vs WcHO1ZGiIn.exe
Source: WcHO1ZGiIn.exe, 00000000.00000002.1299162550.0000000006B40000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs WcHO1ZGiIn.exe
Source: WcHO1ZGiIn.exe, 00000000.00000002.1300050752.0000000007AA0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs WcHO1ZGiIn.exe
Source: WcHO1ZGiIn.exe | Binary or memory string: OriginalFilenameWindowsFormsApp9.exeB vs WcHO1ZGiIn.exe
Source: WcHO1ZGiIn.exe, 00000000.00000003.211424744.000000000558D000.00000004.00000001.sdmp | Binary or memory string: 0s.slnt
Source: classification engine | Classification label: mal84.troj.evad.winEXE@4/5@2/2
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6792
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | File created: C:\Users\user\AppData\Local\Temp\Serwices.exe
Source: WcHO1ZGiIn.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\Serwices.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown | Process created: C:\Users\user\Desktop\WcHO1ZGiIn.exe 'C:\Users\user\Desktop\WcHO1ZGiIn.exe'
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Process created: C:\Users\user\AppData\Local\Temp\Serwices.exe 'C:\Users\user\AppData\Local\Temp\Serwices.exe'
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F324E4F9-8496-40b2-A1FF-9617C1C9AFFE}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\Serwices.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: WcHO1ZGiIn.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: WcHO1ZGiIn.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

                      Data Obfuscation:

                      Yara detected Beds Obfuscator
                      Source: Yara matchFile source: 00000004.00000002.254454317.0000000004319000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.254827606.0000000004475000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000000.236597835.0000000004475000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000000.241943402.0000000004475000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000000.241561167.0000000004319000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000000.236472239.0000000004319000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: Serwices.exe PID: 6792, type: MEMORY
                      Source: Yara matchFile source: 4.0.Serwices.exe.43e7f14.13.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.Serwices.exe.4475bd0.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.Serwices.exe.43c7870.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.Serwices.exe.43c7870.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.0.Serwices.exe.4496274.14.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.0.Serwices.exe.4475bd0.15.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.Serwices.exe.43e7f14.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.Serwices.exe.4475bd0.6.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.Serwices.exe.4496274.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.0.Serwices.exe.4475bd0.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.0.Serwices.exe.4475bd0.6.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.0.Serwices.exe.43c7870.12.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.0.Serwices.exe.43c7870.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.0.Serwices.exe.43c7870.12.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.0.Serwices.exe.43c7870.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.0.Serwices.exe.4475bd0.15.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.0.Serwices.exe.4496274.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.0.Serwices.exe.43e7f14.5.raw.unpack, type: UNPACKEDPE
                      Source: WcHO1ZGiIn.exeStatic PE information: 0xF65E7472 [Sat Dec 25 02:35:30 2100 UTC]
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeCode function: 0_2_025E1C58 push ebx; iretd 0_2_025E1C7A
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeCode function: 0_2_072A01A8 push esp; ret 0_2_072A01C1
                      Source: initial sampleStatic PE information: section name: .text entropy: 7.91688767113
                      Source: WcHO1ZGiIn.exe, WindowsFormsApp9/kjhgfdghjkhgfh.csHigh entropy of concatenated method names: '.ctor', 'C3p4TV0ir', 'KoroguPyf', 'Dispose', 'AcMTiZDNq', 'NyTprRSGMXYTnKvgym', 'GDjjQJlB5GI1bt2nwq', 'YPmQgitlR69JPJa33v', 'g8n7cActjtqgYgX6WY', 'zno71hO4poZDovBlCN'
                      Source: Serwices.exe.0.dr, I2Y7vavHC9qgftfSCu/nXZxglXV1rOyshs1RQ.csHigh entropy of concatenated method names: '.cctor', 'h8q52ULNx', 'gRGNERdmx', 'W9VGOWgSf3458mrljM', 'fjFOO4LMo2rdANUaD9', 'CrZrhrA4pwTrds12Rt', 'gImJSuIU3Zaex5Tynd', 'y12M5Pn7nUcLhekjTd', 'Ey7Nt5tk0U9hQnMwIr', 'CNZaQm1cuhuOG4W8K3'
                      Source: Serwices.exe.0.dr, PM25fBOq7Pf7PhkGtX/woTy5UlLKpvAdBi2Mo.csHigh entropy of concatenated method names: 'lnBjXs55MCGCF', '.ctor', '.cctor', 'YTctZ6qA3lZpHQSQiVo', 'caOwMsqIyuMkcktLb6j', 'X2bRVEqg9CkrpLjR9rZ', 'EfXnCKqL5mum5G1OiFu', 'mAwFd2qHAPqeKNCGgSF', 'sQl1KSq4rePBn8xeN5h', 'KWpNfuqnbeU6b7D5RT1'
                      Source: 0.0.WcHO1ZGiIn.exe.370000.0.unpack, WindowsFormsApp9/kjhgfdghjkhgfh.csHigh entropy of concatenated method names: '.ctor', 'C3p4TV0ir', 'KoroguPyf', 'Dispose', 'AcMTiZDNq', 'NyTprRSGMXYTnKvgym', 'GDjjQJlB5GI1bt2nwq', 'YPmQgitlR69JPJa33v', 'g8n7cActjtqgYgX6WY', 'zno71hO4poZDovBlCN'
                      Source: 0.2.WcHO1ZGiIn.exe.370000.0.unpack, WindowsFormsApp9/kjhgfdghjkhgfh.csHigh entropy of concatenated method names: '.ctor', 'C3p4TV0ir', 'KoroguPyf', 'Dispose', 'AcMTiZDNq', 'NyTprRSGMXYTnKvgym', 'GDjjQJlB5GI1bt2nwq', 'YPmQgitlR69JPJa33v', 'g8n7cActjtqgYgX6WY', 'zno71hO4poZDovBlCN'
                      Source: 4.0.Serwices.exe.ee0000.0.unpack, I2Y7vavHC9qgftfSCu/nXZxglXV1rOyshs1RQ.csHigh entropy of concatenated method names: '.cctor', 'h8q52ULNx', 'gRGNERdmx', 'W9VGOWgSf3458mrljM', 'fjFOO4LMo2rdANUaD9', 'CrZrhrA4pwTrds12Rt', 'gImJSuIU3Zaex5Tynd', 'y12M5Pn7nUcLhekjTd', 'Ey7Nt5tk0U9hQnMwIr', 'CNZaQm1cuhuOG4W8K3'
                      Source: 4.0.Serwices.exe.ee0000.0.unpack, PM25fBOq7Pf7PhkGtX/woTy5UlLKpvAdBi2Mo.csHigh entropy of concatenated method names: 'lnBjXs55MCGCF', '.ctor', '.cctor', 'YTctZ6qA3lZpHQSQiVo', 'caOwMsqIyuMkcktLb6j', 'X2bRVEqg9CkrpLjR9rZ', 'EfXnCKqL5mum5G1OiFu', 'mAwFd2qHAPqeKNCGgSF', 'sQl1KSq4rePBn8xeN5h', 'KWpNfuqnbeU6b7D5RT1'
                      Source: 4.2.Serwices.exe.ee0000.0.unpack, I2Y7vavHC9qgftfSCu/nXZxglXV1rOyshs1RQ.csHigh entropy of concatenated method names: '.cctor', 'h8q52ULNx', 'gRGNERdmx', 'W9VGOWgSf3458mrljM', 'fjFOO4LMo2rdANUaD9', 'CrZrhrA4pwTrds12Rt', 'gImJSuIU3Zaex5Tynd', 'y12M5Pn7nUcLhekjTd', 'Ey7Nt5tk0U9hQnMwIr', 'CNZaQm1cuhuOG4W8K3'
                      Source: 4.2.Serwices.exe.ee0000.0.unpack, PM25fBOq7Pf7PhkGtX/woTy5UlLKpvAdBi2Mo.csHigh entropy of concatenated method names: 'lnBjXs55MCGCF', '.ctor', '.cctor', 'YTctZ6qA3lZpHQSQiVo', 'caOwMsqIyuMkcktLb6j', 'X2bRVEqg9CkrpLjR9rZ', 'EfXnCKqL5mum5G1OiFu', 'mAwFd2qHAPqeKNCGgSF', 'sQl1KSq4rePBn8xeN5h', 'KWpNfuqnbeU6b7D5RT1'
                      Source: 4.0.Serwices.exe.ee0000.9.unpack, I2Y7vavHC9qgftfSCu/nXZxglXV1rOyshs1RQ.csHigh entropy of concatenated method names: '.cctor', 'h8q52ULNx', 'gRGNERdmx', 'W9VGOWgSf3458mrljM', 'fjFOO4LMo2rdANUaD9', 'CrZrhrA4pwTrds12Rt', 'gImJSuIU3Zaex5Tynd', 'y12M5Pn7nUcLhekjTd', 'Ey7Nt5tk0U9hQnMwIr', 'CNZaQm1cuhuOG4W8K3'
                      Source: 4.0.Serwices.exe.ee0000.9.unpack, PM25fBOq7Pf7PhkGtX/woTy5UlLKpvAdBi2Mo.csHigh entropy of concatenated method names: 'lnBjXs55MCGCF', '.ctor', '.cctor', 'YTctZ6qA3lZpHQSQiVo', 'caOwMsqIyuMkcktLb6j', 'X2bRVEqg9CkrpLjR9rZ', 'EfXnCKqL5mum5G1OiFu', 'mAwFd2qHAPqeKNCGgSF', 'sQl1KSq4rePBn8xeN5h', 'KWpNfuqnbeU6b7D5RT1'
                      Source: 4.0.Serwices.exe.ee0000.1.unpack, I2Y7vavHC9qgftfSCu/nXZxglXV1rOyshs1RQ.csHigh entropy of concatenated method names: '.cctor', 'h8q52ULNx', 'gRGNERdmx', 'W9VGOWgSf3458mrljM', 'fjFOO4LMo2rdANUaD9', 'CrZrhrA4pwTrds12Rt', 'gImJSuIU3Zaex5Tynd', 'y12M5Pn7nUcLhekjTd', 'Ey7Nt5tk0U9hQnMwIr', 'CNZaQm1cuhuOG4W8K3'
                      Source: 4.0.Serwices.exe.ee0000.1.unpack, PM25fBOq7Pf7PhkGtX/woTy5UlLKpvAdBi2Mo.csHigh entropy of concatenated method names: 'lnBjXs55MCGCF', '.ctor', '.cctor', 'YTctZ6qA3lZpHQSQiVo', 'caOwMsqIyuMkcktLb6j', 'X2bRVEqg9CkrpLjR9rZ', 'EfXnCKqL5mum5G1OiFu', 'mAwFd2qHAPqeKNCGgSF', 'sQl1KSq4rePBn8xeN5h', 'KWpNfuqnbeU6b7D5RT1'
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe File created: C:\Users\user\AppData\Local\Temp\Serwices.exe
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Serwices.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion:

                      Yara detected Beds Obfuscator
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: C:\Users\user\AppData\Local\Temp\Serwices.exe TID: 6796 Thread sleep time: -30000s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Serwices.exe Thread delayed: delay time: 30000
                      Source: Serwices.exe.0.drBinary or memory string: CompanyNameVMware, Inc.P&
                      Source: Serwices.exe.0.drBinary or memory string: OriginalFilenamevmware.exeH&
                      Source: WcHO1ZGiIn.exe, 00000000.00000002.1294603294.00000000026F1000.00000004.00000001.sdmpBinary or memory string: ProductNameVMware WorkstmKRo
                      Source: Serwices.exe.0.drBinary or memory string: ProductNameVMware WorkstationP,
                      Source: WcHO1ZGiIn.exe, 00000000.00000002.1299162550.0000000006B40000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
                      Source: Serwices.exeBinary or memory string: VMware, Inc.
                      Source: Serwices.exeBinary or memory string: vmware.exe
                      Source: Report.wer.7.drBinary or memory string: AppName=VMware Workstation
                      Source: WcHO1ZGiIn.exe, 00000000.00000002.1292914765.00000000009D2000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllr
                      Source: Serwices.exe.0.drBinary or memory string: FileDescriptionVMware WorkstationL,
                      Source: Serwices.exe.0.drBinary or memory string: 1998-2021 VMware, Inc.@
                      Source: WcHO1ZGiIn.exe, 00000000.00000002.1299162550.0000000006B40000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
                      Source: Serwices.exeBinary or memory string: 1998-2021 VMware, Inc.
                      Source: Report.wer.7.drBinary or memory string: OriginalFilename=vmware.exe
                      Source: WER4AC4.tmp.xml.7.drBinary or memory string: <arg nm="apporiginalfilename" val="vmware.exe" />
                      Source: WcHO1ZGiIn.exe, 00000000.00000002.1299162550.0000000006B40000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
                      Source: WcHO1ZGiIn.exe, 00000000.00000002.1292914765.00000000009D2000.00000004.00000001.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: WcHO1ZGiIn.exe, 00000000.00000002.1294603294.00000000026F1000.00000004.00000001.sdmpBinary or memory string: ProductNameVMware WorkstZ|L}X
                      Source: Serwices.exeBinary or memory string: VMware Workstation
                      Source: WcHO1ZGiIn.exe, 00000000.00000002.1299162550.0000000006B40000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Process information queried: ProcessInformation
                      Source: C:\Users\user\AppData\Local\Temp\Serwices.exe Process queried: DebugPort
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Process token adjusted: Debug
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Memory allocated: page read and write | page guard
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Process created: C:\Users\user\AppData\Local\Temp\Serwices.exe 'C:\Users\user\AppData\Local\Temp\Serwices.exe'
                      Source: WcHO1ZGiIn.exe, 00000000.00000002.1293573998.00000000010D0000.00000002.00000001.sdmp, Serwices.exe, 00000004.00000000.236355857.0000000001D50000.00000002.00000001.sdmpBinary or memory string: Program Manager
                      Source: WcHO1ZGiIn.exe, 00000000.00000002.1293573998.00000000010D0000.00000002.00000001.sdmp, Serwices.exe, 00000004.00000000.236355857.0000000001D50000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
                      Source: WcHO1ZGiIn.exe, 00000000.00000002.1293573998.00000000010D0000.00000002.00000001.sdmp, Serwices.exe, 00000004.00000000.236355857.0000000001D50000.00000002.00000001.sdmpBinary or memory string: Progman
                      Source: WcHO1ZGiIn.exe, 00000000.00000002.1293573998.00000000010D0000.00000002.00000001.sdmp, Serwices.exe, 00000004.00000000.236355857.0000000001D50000.00000002.00000001.sdmpBinary or memory string: Progmanlock
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Users\user\Desktop\WcHO1ZGiIn.exe VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Serwices.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Serwices.exe VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\Serwices.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\Serwices.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information:

                      Yara detected AgentTesla
                      Yara detected Matiex Keylogger

                      Remote Access Functionality:

                      Yara detected AgentTesla
                      Yara detected Matiex Keylogger

                      MITRE ATT&CK Matrix

                      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                      Valid Accounts | Windows Management Instrumentation | Path Interception | Process Injection 12 | Disable or Modify Tools 1 | OS Credential Dumping | Security Software Discovery 121 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                      Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion 31 | LSASS Memory | Process Discovery 2 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Application Layer Protocol 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                      Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection 12 | Security Account Manager | Virtualization/Sandbox Evasion 31 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol 2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                      Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information 2 | NTDS | Remote System Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | - | Carrier Billing Fraud
                      Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing 1 | LSA Secrets | File and Directory Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | - | Manipulate App Store Rankings or Ratings
                      Replication Through Removable Media | Launchd | Rc.common | Rc.common | Timestomp 1 | Cached Domain Credentials | System Information Discovery 12 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | - | Abuse Accessibility Features

                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      Source | Detection | Scanner | Label
                      WcHO1ZGiIn.exe | 41% | Virustotal | -
                      WcHO1ZGiIn.exe | 59% | ReversingLabs | ByteCode-MSIL.Trojan.Fsysna
                      WcHO1ZGiIn.exe | 100% | Joe Sandbox ML | -

                      Dropped Files

                      Source | Detection | Scanner | Label
                      C:\Users\user\AppData\Local\Temp\Serwices.exe | 100% | Joe Sandbox ML | -
                      C:\Users\user\AppData\Local\Temp\Serwices.exe | 66% | ReversingLabs | ByteCode-MSIL.Spyware.Noon

                      Unpacked PE Files

                      No Antivirus matches

                      Domains

                      Source | Detection | Scanner | Label
                      us-east-1.route-1.000webhost.awex.io | 2% | Virustotal | -

                      URLs


                      Domains and IPs

                      Contacted Domains

                      Name | IP | Active | Malicious | Antivirus Detection | Reputation
                      us-east-1.route-1.000webhost.awex.io | 145.14.145.185 | true | false | | unknown
                      mmeetalss.000webhostapp.com | unknown | unknown | false | | high

                        URLs from Memory and Binaries


                                                          Contacted IPs


                                                          Public

                                                          IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                                                          145.14.145.185 | us-east-1.route-1.000webhost.awex.io | Netherlands | | 204915 | AWEXUS | false

                                                          Private

                                                          IP
                                                          192.168.2.1

                                                          General Information

                                                          Joe Sandbox Version: 32.0.0 Black Diamond
                                                          Analysis ID: 432864
                                                          Start date: 10.06.2021
                                                          Start time: 21:13:20
                                                          Joe Sandbox Product: CloudBasic
                                                          Overall analysis duration: 0h 14m 57s
                                                          Hypervisor based Inspection enabled: false
                                                          Report type: full
                                                          Sample file name: WcHO1ZGiIn (renamed file extension from none to exe)
                                                          Cookbook file name: default.jbs
                                                          Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                          Number of analysed new started processes analysed: 40
                                                          Number of new started drivers analysed: 0
                                                          Number of existing processes analysed: 0
                                                          Number of existing drivers analysed: 0
                                                          Number of injected processes analysed: 0
                                                          Technologies:
                                                          • HCA enabled
                                                          • EGA enabled
                                                          • HDC enabled
                                                          • AMSI enabled
                                                          Analysis Mode: default
                                                          Analysis stop reason: Timeout
                                                          Detection: MAL
                                                          Classification: mal84.troj.evad.winEXE@4/5@2/2
                                                          EGA Information:
                                                          • Successful, ratio: 50%
                                                          HDC Information:
                                                          • Successful, ratio: 0.3% (good quality ratio 0.1%)
                                                          • Quality average: 29.4%
                                                          • Quality standard deviation: 39.8%
                                                          HCA Information:
                                                          • Successful, ratio: 100%
                                                          • Number of executed functions: 14
                                                          • Number of non-executed functions: 3
                                                          Cookbook Comments:
                                                          • Adjust boot time
                                                          • Enable AMSI
                                                          Warnings:
                                                          • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, RuntimeBroker.exe, backgroundTaskHost.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, MusNotifyIcon.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
                                                          • Excluded IPs from analysis (whitelisted): 93.184.220.29, 168.61.161.212, 184.30.21.144, 104.43.193.48, 52.255.188.83, 23.57.80.111, 20.82.209.183, 51.103.5.186, 93.184.221.240, 20.54.26.129, 92.122.213.247, 92.122.213.194
                                                          • Excluded domains from analysis (whitelisted): cs9.wac.phicdn.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, wu.azureedge.net, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, ocsp.digicert.com, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, wu.wpc.apr-52dd2.edgecastdns.net, au-bg-shim.trafficmanager.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, client.wns.windows.com, fs.microsoft.com, wu.ec.azureedge.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net
                                                          • Execution Graph export aborted for target Serwices.exe, PID 6792 because there are no executed functions
                                                          • Not all processes were analyzed, report is missing behavior information
                                                          • Report size exceeded maximum capacity and may have missing behavior information.
                                                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                          • Report size getting too big, too many NtQueryValueKey calls found.
                                                          • Report size getting too big, too many NtSetInformationFile calls found.

                                                          Simulations

                                                          Behavior and APIs

                                                          Time | Type | Description
                                                          21:14:22 | API Interceptor | 1x Sleep call for process: WcHO1ZGiIn.exe modified
                                                          21:14:23 | API Interceptor | 2x Sleep call for process: Serwices.exe modified
                                                          21:14:33 | API Interceptor | 1x Sleep call for process: WerFault.exe modified

                                                          Joe Sandbox View / Context

                                                          IPs

                                                          Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                                                          145.14.145.185 | https://bit.ly/2Bex4ks | Get hash | malicious | Browse |

                                                            Domains


                                                            ASN

                                                            Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context

                                                            JA3 Fingerprints

                                                            Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context

                                                            Dropped Files

                                                            No context

                                                            Created / dropped Files

                                                            C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Serwices.exe_93af22b7c6936c1e8864515da72a114c413263e5_cb538d12_1b15506f\Report.wer
                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                            File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):12010
                                                            Entropy (8bit):3.774565564979862
                                                            Encrypted:false
                                                            SSDEEP:96:cKBY1blUOaHoCKA+HxyrFpXIQcQvc6QcEDMcw3D7+BHUHZ0ownOgtYsH5Ef5BAKD:365CONJkHBUZMXCaK5/u7sWS274ItS8
                                                            MD5:5DAA7ECC705CD7DFB9CBF018ECDE97B1
                                                            SHA1:F46A6FB75438243DAE15455B18483478ED84B9A8
                                                            SHA-256:225C88C1C83DA91E88F36EBAA843756AF01AB7583A884E437AD7E8A43CD4AA24
                                                            SHA-512:BFDD484930711CB1FFB9F533878EC308CB63CFAEFB09299EE6DE2FCCCC91DCDF0A252F4A83E66AF4CDEF94279329AFFD7B7448E0106FD91E42871AB28A469E5C
                                                            Malicious:false
                                                            Reputation:low
                                                            C:\ProgramData\Microsoft\Windows\WER\Temp\WER46DA.tmp.dmp
                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                            File Type:Mini DuMP crash report, 14 streams, Fri Jun 11 04:14:31 2021, 0x1205a4 type
                                                            Category:dropped
                                                            Size (bytes):173962
                                                            Entropy (8bit):4.082057247202298
                                                            Encrypted:false
                                                            SSDEEP:3072:wZ8M019jd+pUuKlaxaA9gIOgF5EJ0wUCgUA4uEdE4S:kR01CpU/G9RpDEJ/TjF52
                                                            MD5:9C8F47B83F268474E818DA5ACE982FF2
                                                            SHA1:F41755213227525E94F452F2B81FDC930C451DE1
                                                            SHA-256:F0325AC74642D469244F61D2547BDB6415D4512A5ADB731A0EBD91CAA9E7CE20
                                                            SHA-512:99C94E3F330598D7FDAFBC77F387A5817D3A1FE0833E46A3C52797F893A7D701A86C523BE2C91490D32F8E24458E1E147C7DA9714129A9036E8B69B8B30B32D7
                                                            Malicious:false
                                                            Reputation:low
                                                            C:\ProgramData\Microsoft\Windows\WER\Temp\WER4A27.tmp.WERInternalMetadata.xml
                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                            File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):8426
                                                            Entropy (8bit):3.691768294096698
                                                            Encrypted:false
                                                            SSDEEP:192:Rrl7r3GLNicd6f6Y3R66EgmfZyZSACpra89be2sf0Uqm:RrlsNiG6f6Ys6EgmfsZSLeVfh
                                                            MD5:FB0677DEBD76EB2BCEAF2ED1178995DF
                                                            SHA1:E6666F89FE4D01824C3CDF32171B0CC0E8E9E4E7
                                                            SHA-256:11099575EAA1A33756986BF3EC35E8D712AF52A2F76D70540538CB6317738AF4
                                                            SHA-512:CDA4FDBBB519F41A5F70C43BF4AC8113387E39D83B3F023651C6BE5CD37768E1ACFA3D4BE9F9ACE10B930DA607F70BE4C749B1B089A5EA591EBC2180367D50EA
                                                            Malicious:false
                                                            Reputation:low
                                                            C:\ProgramData\Microsoft\Windows\WER\Temp\WER4AC4.tmp.xml
                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):4769
                                                            Entropy (8bit):4.467016938878392
                                                            Encrypted:false
                                                            SSDEEP:48:cvIwSD8zsDQ+JgtWI96cWSC8BV8fm8M4JRuJ7Z9prFf3+q8vvJ7Z9p7QbLCtd:uITfDndVSNYJmHpB3KRHp74LCtd
                                                            MD5:99C00274635D1060D1F6D7DBDD56940B
                                                            SHA1:6264B67C73AAC31E63B86E0820786C1C81A13F1D
                                                            SHA-256:3A3E92B8E574BCB6EF773CD966D196E4789A28E55019ED47689589263260A8A8
                                                            SHA-512:4ADAFA97E98D203309DD16FE5D11C94AC71EAA51D5CD7F9609F92419E363A5099F732B1F91AD015995ED2C4D1D7F4443E4CAE8849E59164DC6C157529DA06281
                                                            Malicious:false
                                                            Reputation:low
                                                            Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1028965" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                            C:\Users\user\AppData\Local\Temp\Serwices.exe
                                                            Process:C:\Users\user\Desktop\WcHO1ZGiIn.exe
                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):795648
                                                            Entropy (8bit):7.913350326783711
                                                            Encrypted:false
                                                            SSDEEP:12288:wZJ5gK0I2omOHu1/CQ8tl//tR05iIm5Cqz7cQuBcTex:s6KlifUQ8bHtUm8qz7IBR
                                                            MD5:CF1048A8362B93B9CDF47260B50D8F37
                                                            SHA1:67F23A599E4A54A2F3CE121998445E12C97BA1BA
                                                            SHA-256:CB9CD8363620446C577396DD11CA16CD0AC377534C7A708CAC3F94CE6D898279
                                                            SHA-512:600B9B617BB409D3C00305CBF79E0D3E9DE5101C9A5BF5417C3FEA79378437D5837F0D2E2BC64F4098C584ADE1438B0A9E4E486E854870E5B91CFB584F2F3258
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                            • Antivirus: ReversingLabs, Detection: 66%
                                                            Reputation:low

                                                            Static File Info

                                                            General

                                                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Entropy (8bit):5.272353284477175
                                                            TrID:
                                                            • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                            • Win32 Executable (generic) a (10002005/4) 49.78%
                                                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                                            • DOS Executable Generic (2002/1) 0.01%
                                                            File name:WcHO1ZGiIn.exe
                                                            File size:19456
                                                            MD5:c7b10eb81f543debd7092703917cf6e5
                                                            SHA1:cfa927622c9ffb371aeb7fdbb4c32798ec6fbcdd
                                                            SHA256:aa46ed83ddd4f41f0c8eff6a404206cad70a7ecf4dd8754ee305655ffffee4bb
                                                            SHA512:6aa867a242f0fdec77310e18ef09796ce3f56b6b60afd801f33148abe2c5d1ff0bac7824b6133ab7b8b7d479f1d7781e1ac8b30c29aea98562f93d8e83dbf39f
                                                            SSDEEP:384:IuVlhGV5r4e8H+3LgLzLrnUZMctVdLtLCmL9qJRRYff9vwEG9/XwJwq6uJfq2GSq:IuI5r4VeknXctRCy4RRR2GzNigP

                                                            File Icon

                                                            Icon Hash:00828e8e8686b000

                                                            Static PE Info

                                                            General

                                                            Entrypoint:0x40611e
                                                            Entrypoint Section:.text
                                                            Digitally signed:false
                                                            Imagebase:0x400000
                                                            Subsystem:windows gui
                                                            Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                                                            DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                            Time Stamp:0xF65E7472 [Sat Dec 25 02:35:30 2100 UTC]
                                                            TLS Callbacks:
                                                            CLR (.Net) Version:v4.0.30319
                                                            OS Version Major:4
                                                            OS Version Minor:0
                                                            File Version Major:4
                                                            File Version Minor:0
                                                            Subsystem Version Major:4
                                                            Subsystem Version Minor:0
                                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                            Entrypoint Preview

                                                            Instruction
                                                            jmp dword ptr [00402000h]
                                                            add byte ptr [eax], al

                                                            Data Directories

                                                            Name                                  Virtual Address  Virtual Size  Is in Section
                                                            IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                                            IMAGE_DIRECTORY_ENTRY_IMPORT          0x60d0           0x4b          .text
                                                            IMAGE_DIRECTORY_ENTRY_RESOURCE        0x8000           0x5e8         .rsrc
                                                            IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                                            IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                                            IMAGE_DIRECTORY_ENTRY_BASERELOC       0xa000           0xc           .reloc
                                                            IMAGE_DIRECTORY_ENTRY_DEBUG           0x6082           0x1c          .text
                                                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                                            IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                                            IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                                                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                                                            IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                                            Sections

                                                            Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy          Characteristics
                                                            .text   0x2000           0x4124        0x4200    False     0.441761363636   data       5.48630335217    IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                            .rsrc   0x8000           0x5e8         0x600     False     0.42578125       data       4.1909894425     IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                            .reloc  0xa000           0xc           0x200     False     0.044921875      data       0.0815394123432  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                            Resources

                                                            Name         RVA     Size   Type                                                                         Language  Country
                                                            RT_VERSION   0x80a0  0x35c  data
                                                            RT_MANIFEST  0x83fc  0x1ea  XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                                            Imports

                                                            DLL          Import
                                                            mscoree.dll  _CorExeMain

                                                            Version Infos

                                                            Description       Data
                                                            Translation       0x0000 0x04b0
                                                            LegalCopyright    Copyright 2021
                                                            Assembly Version  1.0.0.0
                                                            InternalName      WindowsFormsApp9.exe
                                                            FileVersion       1.0.0.0
                                                            CompanyName
                                                            LegalTrademarks
                                                            Comments
                                                            ProductName       WindowsFormsApp9
                                                            ProductVersion    1.0.0.0
                                                            FileDescription   WindowsFormsApp9
                                                            OriginalFilename  WindowsFormsApp9.exe

                                                            Network Behavior

                                                            Network Port Distribution

                                                            TCP Packets

                                                            Jun 10, 2021 21:14:20.872102022 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:20.872126102 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:20.872173071 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:20.872173071 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:20.872217894 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:20.872253895 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:20.872263908 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:20.872292995 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:20.872330904 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:20.872334957 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:20.872368097 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:20.872406006 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:20.872416019 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:20.872445107 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:20.872490883 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:20.872493029 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:20.872535944 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:20.872572899 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:20.872580051 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:20.872612953 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:20.872651100 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:20.872657061 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:20.872687101 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:20.872725964 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:20.872731924 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:20.872762918 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:20.872807980 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:20.872809887 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:20.872853041 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:20.872889996 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:20.872900963 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:20.872931004 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:20.872970104 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:20.872977972 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:20.873008966 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:20.873047113 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:20.873058081 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:20.873085976 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:20.873131037 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:20.873138905 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:20.873182058 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:20.873219013 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:20.873224020 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:20.873259068 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:20.873302937 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:21.028887987 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.028922081 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.028944969 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.028966904 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.028987885 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.029014111 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.029041052 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.029057026 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:21.029062033 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.029086113 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.029107094 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.029114962 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:21.029119015 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:21.029129982 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.029150963 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.029165983 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:21.029174089 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.029198885 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.029207945 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:21.029222965 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.029243946 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.029248953 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:21.029261112 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.029283047 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.029297113 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:21.029308081 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.029330969 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.029334068 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:21.029352903 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.029376030 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.029397011 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.029417038 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.029437065 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:21.029452085 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.029474020 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.029476881 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:21.029500961 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.029519081 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:21.029522896 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.029544115 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.029565096 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.029573917 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:21.029587030 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.029607058 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.029618025 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:21.029627085 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.029649019 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.029652119 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:21.029665947 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.029686928 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.029700994 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:21.029706001 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.029728889 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.029736996 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:21.029751062 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.029777050 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.029777050 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:21.029800892 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.029820919 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.029828072 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:21.029843092 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.029865026 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.029874086 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:21.029886961 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.029907942 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.029911041 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:21.029930115 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.029958963 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.029959917 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:21.030015945 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:21.188559055 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.188616037 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.188649893 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.188694954 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.188736916 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.188772917 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.188808918 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.188843966 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.188879013 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.188914061 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.188950062 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.188952923 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:21.188994884 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.189007998 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:21.189033985 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.189069986 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.189090014 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:21.189105988 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.189116955 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:21.189143896 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.189171076 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.189198971 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.189234972 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.189241886 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:21.189270973 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:21.189271927 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.189306021 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.189348936 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.189352989 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:21.189388037 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.189421892 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:21.189424038 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.189460039 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.189476967 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:21.189511061 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.189527035 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.189547062 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.189587116 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.189606905 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.189640999 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.189677000 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.189711094 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.189743996 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.189778090 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.189811945 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.189853907 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.189892054 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.189925909 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.189961910 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.189996958 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.190030098 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.190063953 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.190098047 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.190133095 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:21.190140963 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.190180063 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:21.190181017 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.190216064 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.190228939 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:21.190252066 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.190411091 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:21.345937014 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.345968008 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.345980883 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.345998049 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.346009970 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.346023083 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.346035004 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.346051931 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.346067905 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.346084118 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.346100092 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.346116066 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.346133947 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.346152067 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.346173048 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.346189976 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.346205950 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.346223116 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.346240997 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.346257925 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.346276999 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.346275091 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:21.346292973 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.346314907 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.346324921 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:21.346335888 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.346344948 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:21.346354961 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.346368074 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.346385002 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.346393108 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:21.346405983 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.346415997 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:21.346427917 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.346445084 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.346445084 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:21.346462011 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.346477985 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.346488953 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:21.506248951 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.506258965 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:21.506270885 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.506279945 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:21.506321907 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:21.506344080 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:21.507981062 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:21.661664963 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.661720037 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.661737919 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.661753893 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.661781073 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.661802053 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.661824942 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.661845922 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.661863089 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.661894083 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:21.661896944 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.661921978 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.661933899 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:21.661946058 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.661959887 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:21.661967993 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.661990881 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:21.661993027 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.662015915 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.662035942 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.662044048 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:21.662055969 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.662074089 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:21.662076950 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.662098885 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.662120104 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.662141085 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.662163973 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.662185907 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.662205935 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.662231922 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.662252903 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.662275076 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.662297010 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.662316084 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.662339926 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.662362099 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.662381887 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.662401915 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.662422895 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.662436962 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:21.662446976 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.662470102 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.662478924 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:21.662489891 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.662513018 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.662524939 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:21.662555933 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.662579060 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.662601948 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.662606955 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:21.662625074 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.662645102 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.662663937 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.662664890 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:21.662686110 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.662705898 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:21.662710905 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.662733078 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.662734985 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:21.662755013 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.662766933 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:21.662777901 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.662801027 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.662815094 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:21.662822008 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.662846088 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.662863016 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.662877083 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:21.662880898 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.662898064 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.662914038 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:21.662919998 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.662934065 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:21.662938118 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.662955999 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.662966967 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:21.662971020 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.662987947 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.663002968 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.663017035 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.663017035 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:21.663028955 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.663043976 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.663064003 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:21.663074017 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.663086891 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:21.663089037 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.663132906 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:21.663141012 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.663156986 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.663172007 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.663187981 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.663198948 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:21.663203955 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.663219929 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.663228035 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:21.663233995 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.663245916 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.663256884 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:21.663261890 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.663276911 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.663284063 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:21.663294077 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.663310051 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.663311005 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:21.663328886 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.663336039 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:21.663346052 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.663362026 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.663369894 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:21.663377047 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.663393974 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.663403034 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:21.663408995 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.663424969 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.663429022 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:21.663438082 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.663455009 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.663470984 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.663485050 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.663486958 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:21.663500071 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.663516998 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.663533926 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.663549900 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.663563013 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.663573980 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.663588047 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.663605928 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.663621902 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.663636923 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.663651943 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.663667917 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.663681984 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.663697004 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.663712978 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.663731098 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.663748026 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.663764000 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.663779020 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.663794994 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.663809061 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.663824081 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:21.663949013 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:21.664005041 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:21.664007902 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:21.664011002 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:21.664012909 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:21.664016008 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:21.664017916 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:21.664020061 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:21.664021969 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:21.664022923 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:21.664025068 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:21.664027929 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:21.664030075 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:21.664133072 CEST49730443192.168.2.3145.14.145.185
                                                            Jun 10, 2021 21:14:26.503714085 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:26.503777981 CEST44349730145.14.145.185192.168.2.3
                                                            Jun 10, 2021 21:14:26.503876925 CEST49730443192.168.2.3145.14.145.185

                                                            UDP Packets


                                                            DNS Queries

                                                            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                                            Jun 10, 2021 21:14:19.337354898 CEST | 192.168.2.3 | 8.8.8.8 | 0xf17a | Standard query (0) | mmeetalss.000webhostapp.com | A (IP address) | IN (0x0001)
                                                            Jun 10, 2021 21:14:19.430387020 CEST | 192.168.2.3 | 8.8.8.8 | 0xe7c4 | Standard query (0) | mmeetalss.000webhostapp.com | A (IP address) | IN (0x0001)

                                                            DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jun 10, 2021 21:14:19.411669016 CEST | 8.8.8.8 | 192.168.2.3 | 0xf17a | No error (0) | mmeetalss.000webhostapp.com | us-east-1.route-1.000webhost.awex.io | | CNAME (Canonical name) | IN (0x0001)
Jun 10, 2021 21:14:19.411669016 CEST | 8.8.8.8 | 192.168.2.3 | 0xf17a | No error (0) | us-east-1.route-1.000webhost.awex.io | | 145.14.145.185 | A (IP address) | IN (0x0001)
Jun 10, 2021 21:14:19.504928112 CEST | 8.8.8.8 | 192.168.2.3 | 0xe7c4 | No error (0) | mmeetalss.000webhostapp.com | us-east-1.route-1.000webhost.awex.io | | CNAME (Canonical name) | IN (0x0001)
Jun 10, 2021 21:14:19.504928112 CEST | 8.8.8.8 | 192.168.2.3 | 0xe7c4 | No error (0) | us-east-1.route-1.000webhost.awex.io | | 145.14.144.201 | A (IP address) | IN (0x0001)

                                                            HTTPS Packets

Timestamp | Source IP | Source Port | Dest IP | Dest Port | Subject | Issuer | Not Before | Not After | JA3 SSL Client Fingerprint | JA3 SSL Client Digest
Jun 10, 2021 21:14:19.870256901 CEST | 145.14.145.185 | 443 | 192.168.2.3 | 49730 | CN=*.000webhostapp.com | CN=RapidSSL RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US | Tue Jun 11 02:00:00 CEST 2019 | Sat Jul 10 14:00:00 CEST 2021 | 769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0 | 54328bd36c14bd82ddaa0c04b25ed9ad
 | | | | | CN=RapidSSL RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US | CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US | Mon Nov 06 13:23:33 CET 2017 | Sat Nov 06 13:23:33 CET 2027 | |
 | | | | | CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US | CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US | Fri Nov 10 01:00:00 CET 2006 | Mon Nov 10 01:00:00 CET 2031 | |

                                                            System Behavior

                                                            General

Start time: 21:14:11
Start date: 10/06/2021
Path: C:\Users\user\Desktop\WcHO1ZGiIn.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\WcHO1ZGiIn.exe'
Imagebase: 0x370000
File size: 19456 bytes
MD5 hash: C7B10EB81F543DEBD7092703917CF6E5
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: low

                                                            General

Start time: 21:14:23
Start date: 10/06/2021
Path: C:\Users\user\AppData\Local\Temp\Serwices.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Local\Temp\Serwices.exe'
Imagebase: 0xee0000
File size: 795648 bytes
MD5 hash: CF1048A8362B93B9CDF47260B50D8F37
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
                                                            Yara matches:
                                                            • Rule: JoeSecurity_Matiex, Description: Yara detected Matiex Keylogger, Source: 00000004.00000002.254454317.0000000004319000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_BedsObfuscator, Description: Yara detected Beds Obfuscator, Source: 00000004.00000002.254454317.0000000004319000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000002.254454317.0000000004319000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_Matiex, Description: Yara detected Matiex Keylogger, Source: 00000004.00000002.254827606.0000000004475000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_BedsObfuscator, Description: Yara detected Beds Obfuscator, Source: 00000004.00000002.254827606.0000000004475000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000002.254827606.0000000004475000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_Matiex, Description: Yara detected Matiex Keylogger, Source: 00000004.00000000.236597835.0000000004475000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_BedsObfuscator, Description: Yara detected Beds Obfuscator, Source: 00000004.00000000.236597835.0000000004475000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000000.236597835.0000000004475000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_Matiex, Description: Yara detected Matiex Keylogger, Source: 00000004.00000000.241943402.0000000004475000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_BedsObfuscator, Description: Yara detected Beds Obfuscator, Source: 00000004.00000000.241943402.0000000004475000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000000.241943402.0000000004475000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_Matiex, Description: Yara detected Matiex Keylogger, Source: 00000004.00000000.241561167.0000000004319000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_BedsObfuscator, Description: Yara detected Beds Obfuscator, Source: 00000004.00000000.241561167.0000000004319000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000000.241561167.0000000004319000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_Matiex, Description: Yara detected Matiex Keylogger, Source: 00000004.00000000.236472239.0000000004319000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_BedsObfuscator, Description: Yara detected Beds Obfuscator, Source: 00000004.00000000.236472239.0000000004319000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000000.236472239.0000000004319000.00000004.00000001.sdmp, Author: Joe Security
                                                            Antivirus matches:
                                                            • Detection: 100%, Joe Sandbox ML
                                                            • Detection: 66%, ReversingLabs
Reputation: low

                                                            General

Start time: 21:14:29
Start date: 10/06/2021
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 6792 -s 852
Imagebase: 0x1110000
File size: 434592 bytes
MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: high

                                                            Disassembly

                                                            Code Analysis


                                                              Execution Graph

Execution Coverage: 11.7%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 2.3%
Total number of Nodes: 132
Total number of Limit Nodes: 8


                                                              Executed Functions

                                                              Control-flow Graph

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1299475132.00000000072A0000.00000040.00000001.sdmp, Offset: 072A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_72a0000_WcHO1ZGiIn.jbxd
                                                              Similarity
                                                              • API ID: DispatchMessage
                                                              • String ID:
                                                              • API String ID: 2061451462-0
                                                              • Opcode ID: a7cc2b03af3103608960c7708d46fb1f294da9feb041cb1fe84d6252a5644b9b
                                                              • Instruction ID: b9b3ec9f4345bb74beec663229735ecaee25f99392487d87f9b86b428f9c7c2d
                                                              • Opcode Fuzzy Hash: a7cc2b03af3103608960c7708d46fb1f294da9feb041cb1fe84d6252a5644b9b
                                                              • Instruction Fuzzy Hash: DBF18FB0A1020AEFDB14DFA9C844B9DBBF1FF88314F158569E405AF266DB70E845CB41
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph

                                                              APIs
                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 025E9A6E
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1293936559.00000000025E0000.00000040.00000001.sdmp, Offset: 025E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_25e0000_WcHO1ZGiIn.jbxd
                                                              Similarity
                                                              • API ID: HandleModule
                                                              • String ID:
                                                              • API String ID: 4139908857-0
                                                              • Opcode ID: f4339dcb38568f2af88aaa2b9b30eb61fe9c2d279102485175fbb1158dee3b8e
                                                              • Instruction ID: 36c3804e89e7cd7d3ff22aeea3f7a2a5e7db51ec9129336d395d45a721c83b3c
                                                              • Opcode Fuzzy Hash: f4339dcb38568f2af88aaa2b9b30eb61fe9c2d279102485175fbb1158dee3b8e
                                                              • Instruction Fuzzy Hash: DC7124B0A00B058FDB28DF2AC05475ABBF5FF88214F00892EE49AD7A50DB35E805CB95
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph

                                                              APIs
                                                              • CreateActCtxA.KERNEL32(?), ref: 025E5481
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1293936559.00000000025E0000.00000040.00000001.sdmp, Offset: 025E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_25e0000_WcHO1ZGiIn.jbxd
                                                              Similarity
                                                              • API ID: Create
                                                              • String ID:
                                                              • API String ID: 2289755597-0
                                                              • Opcode ID: 385aa3bf7d210b174fc00b8b2fb60c9ef0113ec4eaf1526f3aaa6e586a0d94b1
                                                              • Instruction ID: 70907b95c6611518ca1ed8994aa55a03ba5aa159ac8134b306cf85527008bb49
                                                              • Opcode Fuzzy Hash: 385aa3bf7d210b174fc00b8b2fb60c9ef0113ec4eaf1526f3aaa6e586a0d94b1
                                                              • Instruction Fuzzy Hash: D441F171C00619CFDB24DFA9C844BDEBBB1BF88308F20806AD509BB251DB756946CF90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph

                                                              APIs
                                                              • CreateActCtxA.KERNEL32(?), ref: 025E5481
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1293936559.00000000025E0000.00000040.00000001.sdmp, Offset: 025E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_25e0000_WcHO1ZGiIn.jbxd
                                                              Similarity
                                                              • API ID: Create
                                                              • String ID:
                                                              • API String ID: 2289755597-0
                                                              • Opcode ID: 3eac1ea0f1b4cbe7a2e9db22d067f603e8ac6dc1b3e9c66a0cc61a1dd7ae9f1e
                                                              • Instruction ID: c3d836b9cc963446753b82a5b3662e9fdaf154fc816ed8a7baf74b9fc85ee6ad
                                                              • Opcode Fuzzy Hash: 3eac1ea0f1b4cbe7a2e9db22d067f603e8ac6dc1b3e9c66a0cc61a1dd7ae9f1e
                                                              • Instruction Fuzzy Hash: B5410271C00619CBDF24DFA9C844BCEBBB1BF48308F60846AD509BB251EB756945CF90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph

                                                              APIs
                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,025EC106,?,?,?,?,?), ref: 025EC1C7
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1293936559.00000000025E0000.00000040.00000001.sdmp, Offset: 025E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_25e0000_WcHO1ZGiIn.jbxd
                                                              Similarity
                                                              • API ID: DuplicateHandle
                                                              • String ID:
                                                              • API String ID: 3793708945-0
                                                              • Opcode ID: 320e3f3f29437b0e8541296af8366685d0f886e934a31ff3ad00702719f569f6
                                                              • Instruction ID: 2453c3cd47fc67cf3ff21aa4f790449dab4a5109a2ed568eb7b00d0bfe821921
                                                              • Opcode Fuzzy Hash: 320e3f3f29437b0e8541296af8366685d0f886e934a31ff3ad00702719f569f6
                                                              • Instruction Fuzzy Hash: 5021E3B59002489FDB10CFAAD884ADEBBF8FB48324F14841AE955A7310C374A944CFA5
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph

                                                              APIs
                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,025EC106,?,?,?,?,?), ref: 025EC1C7
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1293936559.00000000025E0000.00000040.00000001.sdmp, Offset: 025E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_25e0000_WcHO1ZGiIn.jbxd
                                                              Similarity
                                                              • API ID: DuplicateHandle
                                                              • String ID:
                                                              • API String ID: 3793708945-0
                                                              • Opcode ID: 64c7b5e430b6743ba5ba716b78f14fc279d8eebdeb809143bbe58e9fa476d1f4
                                                              • Instruction ID: 5e0364a015d4c6fec1fb061ef2ab4d27fa01c4c0dc61a00519be1cf6b285330b
                                                              • Opcode Fuzzy Hash: 64c7b5e430b6743ba5ba716b78f14fc279d8eebdeb809143bbe58e9fa476d1f4
                                                              • Instruction Fuzzy Hash: CD21E5B59002089FDF14DF9AD984ADEBBF4FB48324F14845AE915B3310D374A954CFA5
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph

                                                              control_flow_graph 103 25e8ba8-25e9cd0 105 25e9cd8-25e9d07 LoadLibraryExW 103->105 106 25e9cd2-25e9cd5 103->106 107 25e9d09-25e9d0f 105->107 108 25e9d10-25e9d2d 105->108 106->105 107->108
                                                              APIs
                                                              • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,025E9AE9,00000800,00000000,00000000), ref: 025E9CFA
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1293936559.00000000025E0000.00000040.00000001.sdmp, Offset: 025E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_25e0000_WcHO1ZGiIn.jbxd
                                                              Similarity
                                                              • API ID: LibraryLoad
                                                              • String ID:
                                                              • API String ID: 1029625771-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph

                                                              control_flow_graph 111 25e9a08-25e9a48 112 25e9a4a-25e9a4d 111->112 113 25e9a50-25e9a7b GetModuleHandleW 111->113 112->113 114 25e9a7d-25e9a83 113->114 115 25e9a84-25e9a98 113->115 114->115
                                                              APIs
                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 025E9A6E
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1293936559.00000000025E0000.00000040.00000001.sdmp, Offset: 025E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_25e0000_WcHO1ZGiIn.jbxd
                                                              Similarity
                                                              • API ID: HandleModule
                                                              • String ID:
                                                              • API String ID: 4139908857-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph

                                                              control_flow_graph 117 72a1b0c-72a3dd2 DispatchMessageW 119 72a3ddb-72a3def 117->119 120 72a3dd4-72a3dda 117->120 120->119
                                                              APIs
                                                              • DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,072A332F), ref: 072A3DC5
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1299475132.00000000072A0000.00000040.00000001.sdmp, Offset: 072A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_72a0000_WcHO1ZGiIn.jbxd
                                                              Similarity
                                                              • API ID: DispatchMessage
                                                              • String ID:
                                                              • API String ID: 2061451462-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph

                                                              control_flow_graph 122 72a3d60-72a3dd2 DispatchMessageW 123 72a3ddb-72a3def 122->123 124 72a3dd4-72a3dda 122->124 124->123
                                                              APIs
                                                              • DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,072A332F), ref: 072A3DC5
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1299475132.00000000072A0000.00000040.00000001.sdmp, Offset: 072A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_72a0000_WcHO1ZGiIn.jbxd
                                                              Similarity
                                                              • API ID: DispatchMessage
                                                              • String ID:
                                                              • API String ID: 2061451462-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1293068825.0000000000C4D000.00000040.00000001.sdmp, Offset: 00C4D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_c4d000_WcHO1ZGiIn.jbxd
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1293068825.0000000000C4D000.00000040.00000001.sdmp, Offset: 00C4D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_c4d000_WcHO1ZGiIn.jbxd
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1293068825.0000000000C4D000.00000040.00000001.sdmp, Offset: 00C4D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_c4d000_WcHO1ZGiIn.jbxd
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1293068825.0000000000C4D000.00000040.00000001.sdmp, Offset: 00C4D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_c4d000_WcHO1ZGiIn.jbxd
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Non-executed Functions

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1293936559.00000000025E0000.00000040.00000001.sdmp, Offset: 025E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_25e0000_WcHO1ZGiIn.jbxd
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1293936559.00000000025E0000.00000040.00000001.sdmp, Offset: 025E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_25e0000_WcHO1ZGiIn.jbxd
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1293936559.00000000025E0000.00000040.00000001.sdmp, Offset: 025E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_25e0000_WcHO1ZGiIn.jbxd
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%