Windows Analysis Report
D6GEVBNNH11111.exe

Overview

General Information

Sample Name: D6GEVBNNH11111.exe
Analysis ID: 673906
MD5: 9cef8265c679bafb06f885678ceab7bd
SHA1: ac7faaa7e8439951eaafd8e02007f33a555cd01b
SHA256: 18f7c9fcf55206644996038b2908aa3871e3ea9affa4c6d62a7460f5b95cca90
Tags: agenttesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Drops executable to a common third party application directory
Machine Learning detection for sample
Injects a PE file into a foreign processes
Hides that the sample has been downloaded from the Internet (zone.identifier)
Moves itself to temp directory
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to launch a process as a different user
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • D6GEVBNNH11111.exe (PID: 3436 cmdline: "C:\Users\user\Desktop\D6GEVBNNH11111.exe" MD5: 9CEF8265C679BAFB06F885678CEAB7BD)
    • geater.exe (PID: 3972 cmdline: "C:\Users\user\AppData\Local\Temp\geater.exe" MD5: 9CEF8265C679BAFB06F885678CEAB7BD)
      • InstallUtil.exe (PID: 3512 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe MD5: EFEC8C379D165E3F33B536739AEE26A3)

Malware Configuration

AgentTesla (extracted from 15.0.InstallUtil.exe.400000.4.unpack): {"Exfil Mode": "SMTP", "Username": "logs@multimetals.cfd", "Password": "multimetals.cfd", "Host": "asset@multimetals.cfd"}
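The process tree shows the two behaviours a detection engineer would key on. First, the sample re-launches a byte-identical copy of itself from %LOCALAPPDATA%\Temp (geater.exe carries the parent's MD5, matching the "Moves itself to temp directory" signature). Second, that copy starts InstallUtil.exe with no arguments; InstallUtil only does useful work when given an assembly path, so a bare launch from a user-profile binary is the shape of a process-hollowing host (matching "Creates a process in suspended mode" and "Injects a PE file into a foreign processes"). The following is an added example, not part of the Joe Sandbox report, that runs those two checks over constructed process-creation events modelled on this tree. The event field names, the benign control events and the "no arguments" heuristic are assumptions of the example.

```python
import ntpath

# Process-creation events reconstructed from the report's process tree, plus two
# benign controls (explorer.exe and a legitimate InstallUtil run with an assembly).
# Constructed sample data, not a real event log.
EVENTS = [
    {"pid": 3436, "ppid": 1234,
     "image": r"C:\Users\user\Desktop\D6GEVBNNH11111.exe",
     "cmdline": r'"C:\Users\user\Desktop\D6GEVBNNH11111.exe"',
     "md5": "9cef8265c679bafb06f885678ceab7bd"},
    {"pid": 3972, "ppid": 3436,
     "image": r"C:\Users\user\AppData\Local\Temp\geater.exe",
     "cmdline": r'"C:\Users\user\AppData\Local\Temp\geater.exe"',
     "md5": "9cef8265c679bafb06f885678ceab7bd"},
    {"pid": 3512, "ppid": 3972,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "cmdline": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "md5": "efec8c379d165e3f33b536739aee26a3"},
    {"pid": 1234, "ppid": 900,
     "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe",
     "md5": "00000000000000000000000000000000"},   # placeholder hash for the control
    {"pid": 4100, "ppid": 2200,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" /LogToConsole=false C:\svc\Agent.exe',
     "md5": "efec8c379d165e3f33b536739aee26a3"},
]

TEMP_MARK = "\\appdata\\local\\temp\\"   # matched case-insensitively against the image path


def has_arguments(cmdline, image):
    """True if the command line carries anything beyond the program path itself.
    Handles both quoted and unquoted program paths."""
    c = cmdline.strip()
    if c.startswith('"'):
        end = c.find('"', 1)
        head, rest = c[1:end], c[end + 1:]
    else:
        head, _, rest = c.partition(" ")
    if ntpath.basename(head).lower() != ntpath.basename(image).lower():
        return True   # command line does not start with the image at all; treat as "has extra"
    return bool(rest.strip())


def triage(events):
    """Apply two heuristics (assumed for this example) and return (pid, rule) findings:
    self_copy_to_temp   child lives under ...\\AppData\\Local\\Temp\\ and has the parent's hash
    installutil_no_args InstallUtil.exe launched without an assembly argument"""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        img = e["image"].lower()
        parent = by_pid.get(e["ppid"])
        if parent and TEMP_MARK in img and e["md5"].lower() == parent["md5"].lower():
            findings.append((e["pid"], "self_copy_to_temp"))
        if ntpath.basename(img) == "installutil.exe" and not has_arguments(e["cmdline"], e["image"]):
            findings.append((e["pid"], "installutil_no_args"))
    return findings


if __name__ == "__main__":
    for pid, rule in triage(EVENTS):
        print(f"PID {pid}: {rule}")
```

Running it flags PID 3972 (self copy) and PID 3512 (argument-less InstallUtil) and leaves the two controls alone. In a real pipeline the second rule should be joined with the first through the parent chain: an argument-less InstallUtil.exe whose parent runs from a user-writable directory is a much stronger signal than either observation on its own.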
Yara matches, memory dumps (source prefix 0000000F is process 15, InstallUtil.exe; 00000006 is process 6, geater.exe; compare the unpacked-PE names below)

Source | Rule | Description | Author
0000000F.00000000.561341870.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000F.00000000.561341870.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
0000000F.00000000.561888828.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000F.00000000.561888828.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000006.00000002.668565825.00000000046A6000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(5 of 21 entries shown)
Yara matches, unpacked PEs

Source | Rule | Description | Author | Strings
6.2.geater.exe.47ad7e2.5.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
6.2.geater.exe.47ad7e2.5.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
6.2.geater.exe.47ad7e2.5.unpack | MALWARE_Win_AgentTeslaV3 | AgentTeslaV3 infostealer payload | ditekSHen
  • 0x30eba:$s10: logins
  • 0x30921:$s11: credential
  • 0x2cec3:$g1: get_Clipboard
  • 0x2ced1:$g2: get_Keyboard
  • 0x2cede:$g3: get_Password
  • 0x2e1e3:$g4: get_CtrlKeyDown
  • 0x2e1f3:$g5: get_ShiftKeyDown
  • 0x2e204:$g6: get_AltKeyDown
6.2.geater.exe.47e20b8.6.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
6.2.geater.exe.47e20b8.6.raw.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
(5 of 73 entries shown)
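The MALWARE_Win_AgentTeslaV3 hit above is driven by plain ASCII identifiers that survive in the .NET metadata of the unpacked payload: the property getters a keylogger and clipboard grabber call (get_Clipboard, get_Keyboard, get_CtrlKeyDown and so on) next to credential-related words. Note that every Yara match on this page is against a memory dump or unpacked region (.sdmp, .unpack), not the file on disk, so a file-only scan of the packed sample would typically not see these strings at all. The block below is an added example, not the published rule and not part of the Joe Sandbox report: it reproduces the eight strings listed in the match, scans a constructed buffer that imitates a .NET #Strings heap, and evaluates an assumed condition (all $g strings plus at least one $s string). The real rule's condition is not on this page and is not reproduced here.

```python
import re

# The string set reported for the MALWARE_Win_AgentTeslaV3 match above, keyed by
# the identifiers the report prints. These are .NET metadata names, stored as ASCII.
STRINGS = {
    "$s10": b"logins",
    "$s11": b"credential",
    "$g1": b"get_Clipboard",
    "$g2": b"get_Keyboard",
    "$g3": b"get_Password",
    "$g4": b"get_CtrlKeyDown",
    "$g5": b"get_ShiftKeyDown",
    "$g6": b"get_AltKeyDown",
}


def scan(buf):
    """Return {identifier: [offsets]} for every rule string present in buf."""
    hits = {}
    for ident, needle in STRINGS.items():
        offsets = [m.start() for m in re.finditer(re.escape(needle), buf)]
        if offsets:
            hits[ident] = offsets
    return hits


def matches(hits):
    """Condition assumed for this example: every $g (getter) string and at least one
    $s (credential-word) string. Not the published rule's condition."""
    getters = [k for k in STRINGS if k.startswith("$g")]
    words = [k for k in STRINGS if k.startswith("$s")]
    return all(k in hits for k in getters) and any(k in hits for k in words)


def format_hits(hits):
    """Render hits in the report's own 'offset:$id: string' style."""
    return [f"0x{off:x}:{ident}: {STRINGS[ident].decode()}"
            for ident, offsets in hits.items() for off in offsets]


def make_sample(malicious):
    """Build a fake .NET #Strings heap: NUL-separated identifiers with filler bytes.
    Constructed input for this example, not bytes taken from the sample."""
    names = [b"System", b"Object", b"Form1", b"InitializeComponent",
             b"get_Keyboard", b"get_Password"]          # plausible in a benign WinForms app
    if malicious:
        names += [b"logins", b"get_Clipboard", b"get_CtrlKeyDown",
                  b"get_ShiftKeyDown", b"get_AltKeyDown", b"credential"]
    return b"\x00" * 64 + b"\x00".join(names) + b"\x00" * 64


if __name__ == "__main__":
    for label, buf in (("constructed payload", make_sample(True)),
                       ("constructed benign", make_sample(False))):
        h = scan(buf)
        print(f"{label}: match={matches(h)}")
        for line in format_hits(h):
            print("  " + line)
```

The benign buffer contains two of the getters and still fails the condition, which is the point of requiring the full getter set: individual names such as get_Keyboard are common in ordinary GUI code, and only the combination with modifier-key getters and credential words is characteristic of the stealer.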
                    No Sigma rule has matched
                    No Snort rule has matched


                    AV Detection

Source: D6GEVBNNH11111.exe, Virustotal: Detection: 40%
Source: D6GEVBNNH11111.exe, ReversingLabs: Detection: 27%
Source: D6GEVBNNH11111.exe, Joe Sandbox ML: detected
Source: 15.0.InstallUtil.exe.400000.4.unpack, Avira: Label: TR/Spy.Gen8
Source: 15.0.InstallUtil.exe.400000.1.unpack, Avira: Label: TR/Spy.Gen8
Source: 15.0.InstallUtil.exe.400000.2.unpack, Avira: Label: TR/Spy.Gen8
Source: 15.0.InstallUtil.exe.400000.3.unpack, Avira: Label: TR/Spy.Gen8
Source: 15.2.InstallUtil.exe.400000.0.unpack, Avira: Label: TR/Spy.Gen8
Source: 15.0.InstallUtil.exe.400000.0.unpack, Avira: Label: TR/Spy.Gen8
Source: 15.0.InstallUtil.exe.400000.4.unpack, Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "logs@multimetals.cfd", "Password": "multimetals.cfd", "Host": "asset@multimetals.cfd"}
Source: D6GEVBNNH11111.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown, HTTPS traffic detected: 142.250.185.228:443 -> 192.168.2.5:49749 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 142.250.185.228:443 -> 192.168.2.5:49765 version: TLS 1.2
Source: D6GEVBNNH11111.exe, Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll, source: Acrobat.exe.15.dr
Source: Binary string: InstallUtil.pdb, source: Acrobat.exe.15.dr
Source: Joe Sandbox View, JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global traffic, HTTP traffic detected: GET / HTTP/1.1; Host: www.google.com; Connection: Keep-Alive
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown, Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49749
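The JA3 result above (3b5074b1b5d032e5620f69f9f700ff0e, flagged as "seen in connection with other malware") is an MD5 over five fields of the TLS ClientHello: version, cipher suites, extensions, supported groups and EC point formats, in that order, with GREASE values dropped. Those fields come from the TLS stack, not from the malware's own code, so the fingerprint identifies the client library the injected InstallUtil.exe process used and is shared by every program built on the same stack. That makes it a pivot for hunting rather than proof on its own. The following is an added example, not part of the Joe Sandbox report: it assembles a constructed ClientHello and derives the JA3 string and hash from it. The cipher and extension values in the sample are chosen for illustration and do not reproduce this sample's handshake, and the hash they produce is not the one in the report.

```python
import hashlib
import struct

# GREASE values (0x0a0a, 0x1a1a, ..., 0xfafa) are random-looking filler a client may
# send; JA3 removes them from ciphers, extensions and groups before hashing.
GREASE = {((0x10 * i + 0x0a) << 8) | (0x10 * i + 0x0a) for i in range(16)}


def _u8(v):
    return struct.pack("!B", v)


def _u16(v):
    return struct.pack("!H", v)


def build_client_hello(version, ciphers, extensions):
    """Assemble a TLS record carrying a ClientHello. `extensions` is a list of
    (type, payload_bytes). Constructed test input, not captured traffic."""
    body = _u16(version) + b"\x00" * 32                      # client_version + 32-byte random
    body += _u8(0)                                           # empty session id
    body += _u16(2 * len(ciphers)) + b"".join(_u16(c) for c in ciphers)
    body += _u8(1) + _u8(0)                                  # compression methods: null only
    ext_blob = b"".join(_u16(t) + _u16(len(p)) + p for t, p in extensions)
    body += _u16(len(ext_blob)) + ext_blob
    handshake = _u8(1) + struct.pack("!I", len(body))[1:] + body   # type 1 = ClientHello, 3-byte length
    return _u8(0x16) + _u16(0x0301) + _u16(len(handshake)) + handshake


def ja3_from_record(rec):
    """Parse a TLS handshake record and return (ja3_string, ja3_md5)."""
    if rec[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", rec[3:5])[0]
    hs = rec[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]

    version = struct.unpack("!H", body[0:2])[0]
    i = 2 + 32                                               # skip version and random
    i += 1 + body[i]                                         # skip session id
    cs_len = struct.unpack("!H", body[i:i + 2])[0]
    i += 2
    ciphers = [struct.unpack("!H", body[j:j + 2])[0] for j in range(i, i + cs_len, 2)]
    i += cs_len
    i += 1 + body[i]                                         # skip compression methods

    exts, groups, fmts = [], [], []
    if i < len(body):
        ext_len = struct.unpack("!H", body[i:i + 2])[0]
        i += 2
        end = i + ext_len
        while i < end:
            t, length = struct.unpack("!HH", body[i:i + 4])
            i += 4
            data = body[i:i + length]
            i += length
            exts.append(t)
            if t == 0x000A:                                  # supported_groups
                n = struct.unpack("!H", data[:2])[0]
                groups = [struct.unpack("!H", data[k:k + 2])[0] for k in range(2, 2 + n, 2)]
            elif t == 0x000B:                                # ec_point_formats
                fmts = list(data[1:1 + data[0]])

    def field(values):
        return "-".join(str(v) for v in values if v not in GREASE)

    ja3 = ",".join([str(version), field(ciphers), field(exts), field(groups), field(fmts)])
    return ja3, hashlib.md5(ja3.encode()).hexdigest()


# Constructed ClientHello: TLS 1.2, a GREASE cipher and a GREASE extension and group
# that JA3 must drop, SNI for the connectivity-check host seen in the report.
SAMPLE = build_client_hello(
    0x0303,
    [0x1301, 0x1302, 0xC02B, 0xC02F, 0x0A0A, 0x002F],
    [
        (0x0000, b"\x00\x11\x00\x00\x0ewww.google.com"),            # server_name
        (0x000A, b"\x00\x08\x00\x1d\x00\x17\x00\x18\x2a\x2a"),       # x25519, secp256r1, secp384r1, GREASE
        (0x000B, b"\x01\x00"),                                       # ec_point_formats: uncompressed
        (0x0023, b""),                                               # session_ticket
        (0x0010, b"\x00\x0c\x02h2\x08http/1.1"),                     # ALPN
        (0x1A1A, b""),                                               # GREASE extension
    ],
)

if __name__ == "__main__":
    s, h = ja3_from_record(SAMPLE)
    print(s)
    print(h)
```

The string for the constructed hello is 771,4865-4866-49195-49199-47,0-10-11-35-16,29-23-24,0; the GREASE cipher 0x0a0a, extension 0x1a1a and group 0x2a2a are absent. When pivoting on a JA3 value from a report like this one, pair it with the destination (here the google.com connectivity check and the multimetals.cfd strings) before treating a match as malicious, since a benign .NET application on the same Windows build will produce the identical hash.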
                    Source: InstallUtil.exe, 0000000F.00000002.686918576.0000000002A21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://127.0.0.1:HTTP/1.1
                    Source: InstallUtil.exe, 0000000F.00000002.686918576.0000000002A21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
                    Source: InstallUtil.exe, 0000000F.00000002.686918576.0000000002A21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://OKJTye.com
                    Source: InstallUtil.exe, 0000000F.00000002.691205216.0000000002DCB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000F.00000002.694046075.0000000005EC0000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000F.00000002.690780729.0000000002D8D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000F.00000002.696582451.0000000006725000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
                    Source: InstallUtil.exe, 0000000F.00000002.691205216.0000000002DCB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000F.00000002.694046075.0000000005EC0000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000F.00000002.690780729.0000000002D8D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000F.00000002.695758505.00000000066C9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://cps.letsencrypt.org0
                    Source: InstallUtil.exe, 0000000F.00000002.691205216.0000000002DCB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000F.00000002.694046075.0000000005EC0000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000F.00000002.690780729.0000000002D8D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000F.00000002.696582451.0000000006725000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://cps.root-x1.letsencrypt.org0
                    Source: D6GEVBNNH11111.exe, 00000000.00000002.449096881.000000000125E000.00000004.00000020.00020000.00000000.sdmp, geater.exe, 00000006.00000003.556575748.0000000001218000.00000004.00000020.00020000.00000000.sdmp, geater.exe, 00000006.00000002.647229362.0000000001218000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000F.00000002.694145293.0000000005ED1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                    Source: InstallUtil.exe, 0000000F.00000002.691205216.0000000002DCB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000F.00000002.694046075.0000000005EC0000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000F.00000002.690780729.0000000002D8D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000F.00000002.696582451.0000000006725000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
                    Source: D6GEVBNNH11111.exe, 00000000.00000003.419597185.000000000C182000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://en.w
                    Source: D6GEVBNNH11111.exe, 00000000.00000002.461913156.000000000D382000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://fontfabrik.com
                    Source: InstallUtil.exe, 0000000F.00000002.691023728.0000000002DB0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://maKknZWobi.net
                    Source: InstallUtil.exe, 0000000F.00000002.690780729.0000000002D8D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://multimetals.cfd
                    Source: geater.exe, 00000006.00000003.468594106.000000000C1F1000.00000004.00000800.00020000.00000000.sdmp, geater.exe, 00000006.00000003.465086224.000000000C1F0000.00000004.00000800.00020000.00000000.sdmp, geater.exe, 00000006.00000003.469714782.000000000C1F1000.00000004.00000800.00020000.00000000.sdmp, geater.exe, 00000006.00000003.466707799.000000000C1F1000.00000004.00000800.00020000.00000000.sdmp, geater.exe, 00000006.00000003.465370000.000000000C1F0000.00000004.00000800.00020000.00000000.sdmp, geater.exe, 00000006.00000003.475458159.000000000C1F1000.00000004.00000800.00020000.00000000.sdmp, geater.exe, 00000006.00000003.466241757.000000000C1F1000.00000004.00000800.00020000.00000000.sdmp, geater.exe, 00000006.00000003.474734788.000000000C1F1000.00000004.00000800.00020000.00000000.sdmp, geater.exe, 00000006.00000003.467189569.000000000C1F1000.00000004.00000800.00020000.00000000.sdmp, geater.exe, 00000006.00000003.545768545.000000000C1F1000.00000004.00000800.00020000.00000000.sdmp, geater.exe, 00000006.00000003.475210422.000000000C1F1000.00000004.00000800.00020000.00000000.sdmp, geater.exe, 00000006.00000003.474948415.000000000C1F1000.00000004.00000800.00020000.00000000.sdmp, geater.exe, 00000006.00000003.474548675.000000000C1F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ns.adobe.c/g
                    Source: geater.exe, 00000006.00000002.682161073.000000000C1F1000.00000004.00000800.00020000.00000000.sdmp, geater.exe, 00000006.00000003.642265092.000000000C1F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ns.adobe.c/g%%n
                    Source: geater.exe, 00000006.00000003.474106682.000000000C1F1000.00000004.00000800.00020000.00000000.sdmp, geater.exe, 00000006.00000003.464715331.000000000C1F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ns.adobe.c/g4
                    Source: InstallUtil.exe, 0000000F.00000002.691205216.0000000002DCB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000F.00000002.694046075.0000000005EC0000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000F.00000002.690780729.0000000002D8D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000F.00000002.695758505.00000000066C9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://r3.i.lencr.org/0W
                    Source: InstallUtil.exe, 0000000F.00000002.691205216.0000000002DCB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000F.00000002.694046075.0000000005EC0000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000F.00000002.690780729.0000000002D8D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000F.00000002.695758505.00000000066C9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://r3.o.lencr.org0
                    Source: D6GEVBNNH11111.exe, 00000000.00000002.450466503.0000000002F11000.00000004.00000800.00020000.00000000.sdmp, geater.exe, 00000006.00000002.648331977.0000000002DA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: InstallUtil.exe, 0000000F.00000002.694815599.0000000005FBE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0
                    Source: InstallUtil.exe, 0000000F.00000002.694815599.0000000005FBE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.accv.es/legislacion_c.htm0U
                    Source: D6GEVBNNH11111.exe, 00000000.00000002.461913156.000000000D382000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.422003230.000000000C189000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                    Source: D6GEVBNNH11111.exe, 00000000.00000003.422408075.000000000C176000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.422384405.000000000C173000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.com
                    Source: D6GEVBNNH11111.exe, 00000000.00000003.422384405.000000000C173000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.comC
                    Source: D6GEVBNNH11111.exe, 00000000.00000003.422384405.000000000C173000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.comI
                    Source: D6GEVBNNH11111.exe, 00000000.00000003.422384405.000000000C173000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.comTC
                    Source: D6GEVBNNH11111.exe, 00000000.00000003.422384405.000000000C173000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.comadi
                    Source: D6GEVBNNH11111.exe, 00000000.00000003.422384405.000000000C173000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.comc
                    Source: D6GEVBNNH11111.exe, 00000000.00000003.422408075.000000000C176000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.422384405.000000000C173000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.comcar
                    Source: D6GEVBNNH11111.exe, 00000000.00000003.422384405.000000000C173000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.comeguKx
                    Source: D6GEVBNNH11111.exe, 00000000.00000003.422408075.000000000C176000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.422384405.000000000C173000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.comint
                    Source: D6GEVBNNH11111.exe, 00000000.00000002.461913156.000000000D382000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.422408075.000000000C176000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.422384405.000000000C173000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
                    Source: D6GEVBNNH11111.exe, 00000000.00000003.422408075.000000000C176000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.422384405.000000000C173000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.commpa
                    Source: D6GEVBNNH11111.exe, 00000000.00000003.422384405.000000000C173000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.como.
                    Source: D6GEVBNNH11111.exe, 00000000.00000003.422384405.000000000C173000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.como.ox
                    Source: D6GEVBNNH11111.exe, 00000000.00000003.422384405.000000000C173000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.comw
                    Source: D6GEVBNNH11111.exe, 00000000.00000003.422408075.000000000C176000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.422384405.000000000C173000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.comypo
                    Source: InstallUtil.exe, 0000000F.00000002.694815599.0000000005FBE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.datev.de/zertifikat-policy-int0
                    Source: D6GEVBNNH11111.exe, 00000000.00000002.461913156.000000000D382000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
                    Source: D6GEVBNNH11111.exe, 00000000.00000002.461913156.000000000D382000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                    Source: D6GEVBNNH11111.exe, 00000000.00000002.461913156.000000000D382000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                    Source: D6GEVBNNH11111.exe, 00000000.00000002.461913156.000000000D382000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                    Source: D6GEVBNNH11111.exe, 00000000.00000002.461913156.000000000D382000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
                    Source: D6GEVBNNH11111.exe, 00000000.00000002.461913156.000000000D382000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                    Source: D6GEVBNNH11111.exe, 00000000.00000002.461913156.000000000D382000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                    Source: D6GEVBNNH11111.exe, 00000000.00000002.461913156.000000000D382000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                    Source: D6GEVBNNH11111.exe, 00000000.00000003.430433465.000000000C189000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000002.460978674.000000000C17B000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.447630466.000000000C17B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comaH
                    Source: D6GEVBNNH11111.exe, 00000000.00000003.430433465.000000000C189000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.como
                    Source: D6GEVBNNH11111.exe, 00000000.00000002.461913156.000000000D382000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
                    Source: D6GEVBNNH11111.exe, 00000000.00000002.461913156.000000000D382000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.421067665.000000000C1A1000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.420985402.000000000C1A2000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.421003844.000000000C1A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                    Source: D6GEVBNNH11111.exe, 00000000.00000003.421430217.000000000C17E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/
                    Source: D6GEVBNNH11111.exe, 00000000.00000003.421412161.000000000C176000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/M
                    Source: D6GEVBNNH11111.exe, 00000000.00000002.461913156.000000000D382000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                    Source: D6GEVBNNH11111.exe, 00000000.00000002.461913156.000000000D382000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                    Source: D6GEVBNNH11111.exe, 00000000.00000003.421067665.000000000C1A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn2
                    Source: D6GEVBNNH11111.exe, 00000000.00000003.421412161.000000000C176000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cnCh
                    Source: D6GEVBNNH11111.exe, 00000000.00000003.421010083.000000000C181000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cna
                    Source: D6GEVBNNH11111.exe, 00000000.00000003.420985402.000000000C1A2000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.421003844.000000000C1A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cng
                    Source: D6GEVBNNH11111.exe, 00000000.00000003.421430217.000000000C17E000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.421594428.000000000C173000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cns-m
                    Source: D6GEVBNNH11111.exe, 00000000.00000002.461913156.000000000D382000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                    Source: D6GEVBNNH11111.exe, 00000000.00000002.461913156.000000000D382000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                    Source: D6GEVBNNH11111.exe, 00000000.00000002.461913156.000000000D382000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
                    Source: InstallUtil.exe, 0000000F.00000002.695795045.00000000066E2000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ica.co.il/repository/cps/PersonalID_Practice_Statement.pdf0
                    Source: D6GEVBNNH11111.exe, 00000000.00000003.423641322.000000000C180000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000002.461913156.000000000D382000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.423753219.000000000C180000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.423114721.000000000C187000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.423447686.000000000C180000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.422880183.000000000C179000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.423596826.000000000C187000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.423327035.000000000C17E000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.423662070.000000000C184000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                    Source: D6GEVBNNH11111.exe, 00000000.00000003.423641322.000000000C180000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.423753219.000000000C180000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.423114721.000000000C187000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.423447686.000000000C180000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.423596826.000000000C187000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.423327035.000000000C17E000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.423662070.000000000C184000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/1
                    Source: D6GEVBNNH11111.exe, 00000000.00000003.423641322.000000000C180000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.423447686.000000000C180000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.423596826.000000000C187000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.423662070.000000000C184000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Sue
                    Source: D6GEVBNNH11111.exe, 00000000.00000003.423447686.000000000C180000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.423327035.000000000C17E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/U
                    Source: D6GEVBNNH11111.exe, 00000000.00000003.423641322.000000000C180000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.423753219.000000000C180000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.423447686.000000000C180000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.423596826.000000000C187000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.423662070.000000000C184000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
                    Source: D6GEVBNNH11111.exe, 00000000.00000003.423641322.000000000C180000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.423753219.000000000C180000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.423596826.000000000C187000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.423662070.000000000C184000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y0n
                    Source: D6GEVBNNH11111.exe, 00000000.00000003.423641322.000000000C180000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.423753219.000000000C180000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.423447686.000000000C180000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.423596826.000000000C187000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.423662070.000000000C184000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/e
                    Source: D6GEVBNNH11111.exe, 00000000.00000003.423641322.000000000C180000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.423447686.000000000C180000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.423596826.000000000C187000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.423662070.000000000C184000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/ers
Source: D6GEVBNNH11111.exe, 00000000.00000003.423641322.000000000C180000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.423753219.000000000C180000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.423114721.000000000C187000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.423447686.000000000C180000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.422880183.000000000C179000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.423596826.000000000C187000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.423327035.000000000C17E000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.423662070.000000000C184000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/g
Source: D6GEVBNNH11111.exe, 00000000.00000003.423114721.000000000C187000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/is
Source: D6GEVBNNH11111.exe, 00000000.00000003.423641322.000000000C180000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.423753219.000000000C180000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.423596826.000000000C187000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.423327035.000000000C17E000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.423662070.000000000C184000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: D6GEVBNNH11111.exe, 00000000.00000003.423641322.000000000C180000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.423753219.000000000C180000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.423596826.000000000C187000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.423662070.000000000C184000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/U
Source: D6GEVBNNH11111.exe, 00000000.00000003.423641322.000000000C180000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.423753219.000000000C180000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.423114721.000000000C187000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.423447686.000000000C180000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.422880183.000000000C179000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.423596826.000000000C187000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.423327035.000000000C17E000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.423662070.000000000C184000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/l
Source: D6GEVBNNH11111.exe, 00000000.00000003.423114721.000000000C187000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.423447686.000000000C180000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.423327035.000000000C17E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/on
Source: D6GEVBNNH11111.exe, 00000000.00000003.423641322.000000000C180000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.423753219.000000000C180000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.423114721.000000000C187000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.423447686.000000000C180000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.423596826.000000000C187000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.423327035.000000000C17E000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.423662070.000000000C184000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/rk
Source: D6GEVBNNH11111.exe, 00000000.00000003.422880183.000000000C179000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/s
Source: D6GEVBNNH11111.exe, 00000000.00000003.423641322.000000000C180000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.423753219.000000000C180000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.423596826.000000000C187000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.423662070.000000000C184000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/~
Source: D6GEVBNNH11111.exe, 00000000.00000003.429144369.000000000C179000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.monotype.
Source: InstallUtil.exe, 0000000F.00000002.694145293.0000000005ED1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.pkioverheid.nl/policies/root-policy0
Source: D6GEVBNNH11111.exe, 00000000.00000002.461913156.000000000D382000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: D6GEVBNNH11111.exe, 00000000.00000002.461913156.000000000D382000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
Source: D6GEVBNNH11111.exe, 00000000.00000002.461913156.000000000D382000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: D6GEVBNNH11111.exe, 00000000.00000002.461913156.000000000D382000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
Source: D6GEVBNNH11111.exe, 00000000.00000002.461913156.000000000D382000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
Source: D6GEVBNNH11111.exe, 00000000.00000002.461913156.000000000D382000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: D6GEVBNNH11111.exe, 00000000.00000002.461913156.000000000D382000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.422384405.000000000C173000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: D6GEVBNNH11111.exe, 00000000.00000003.422384405.000000000C173000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn/w
Source: InstallUtil.exe, 0000000F.00000002.696225493.00000000066FC000.00000004.00000001.00020000.00000000.sdmp, InstallUtil.exe, 0000000F.00000002.691205216.0000000002DCB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000F.00000002.694046075.0000000005EC0000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000F.00000002.690780729.0000000002D8D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: InstallUtil.exe, 0000000F.00000002.696225493.00000000066FC000.00000004.00000001.00020000.00000000.sdmp, InstallUtil.exe, 0000000F.00000002.691205216.0000000002DCB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000F.00000002.694046075.0000000005EC0000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000F.00000002.690780729.0000000002D8D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: InstallUtil.exe, 0000000F.00000002.686918576.0000000002A21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org%
Source: InstallUtil.exe, 0000000F.00000002.686918576.0000000002A21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org%appdata
Source: D6GEVBNNH11111.exe, D6GEVBNNH11111.exe, 00000000.00000002.450466503.0000000002F11000.00000004.00000800.00020000.00000000.sdmp, geater.exe, 00000006.00000002.648331977.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com
Source: D6GEVBNNH11111.exe, 00000000.00000002.450466503.0000000002F11000.00000004.00000800.00020000.00000000.sdmp, geater.exe, 00000006.00000002.648331977.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/
Source: D6GEVBNNH11111.exe | String found in binary or memory: https://www.google.com3GetManifestResourceStream
Source: D6GEVBNNH11111.exe, 00000000.00000002.450466503.0000000002F11000.00000004.00000800.00020000.00000000.sdmp, geater.exe, 00000006.00000002.648331977.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.comT
Source: InstallUtil.exe, 0000000F.00000002.686918576.0000000002A21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
Source: unknown | DNS traffic detected: queries for: www.google.com
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; Host: www.google.com; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; Host: www.google.com; Connection: Keep-Alive
Source: unknown | HTTPS traffic detected: 142.250.185.228:443 -> 192.168.2.5:49749 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.185.228:443 -> 192.168.2.5:49765 version: TLS 1.2
Source: D6GEVBNNH11111.exe, 00000000.00000002.448891415.000000000122A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
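The URL strings in this section are not all of the same kind. The jiyu-kobo, monotype, sakkal, sandoll, tiro, typography.net, urwpp and zhongyicts hosts are type-foundry addresses that live in the name tables of fonts embedded in the .NET binary; the lencr.org and pkioverheid.nl strings are CRL/AIA and certificate-policy URLs that end up in InstallUtil.exe memory once it performs TLS; www.google.com is the connectivity check whose GET requests appear in the traffic lines. The strings that actually characterise the payload are api.ipify.org, which AgentTesla uses to look up the victim's public IP, and the tor-win32 bundle URL, which is consistent with its optional Tor exfiltration path. The following Python script is an added example, not part of the Joe Sandbox report: it parses lines in the "Source: ... | String found in binary or memory: ..." shape shown above, tolerates the memory garbage that trails some strings (for example "www.google.comT" and the truncated "http://www.monotype."), and sorts the hosts into buckets so that only the unexplained ones need manual review. The sample lines and the category lists are constructed here; the c2.example.invalid host is invented to show the unclassified bucket.

```python
import re
from urllib.parse import urlparse

# Constructed sample input: a subset of this report's "String found in binary or
# memory" lines, with the Source column shortened to the process name.
SAMPLE_LINES = [
    "Source: D6GEVBNNH11111.exe | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/",
    "Source: D6GEVBNNH11111.exe | String found in binary or memory: http://www.monotype.",
    "Source: D6GEVBNNH11111.exe | String found in binary or memory: http://www.typography.netD",
    "Source: InstallUtil.exe | String found in binary or memory: http://www.pkioverheid.nl/policies/root-policy0",
    "Source: InstallUtil.exe | String found in binary or memory: http://x1.c.lencr.org/0",
    "Source: InstallUtil.exe | String found in binary or memory: https://api.ipify.org%appdata",
    "Source: geater.exe | String found in binary or memory: https://www.google.comT",
    "Source: InstallUtil.exe | String found in binary or memory: "
    "https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www",
    # invented host, to exercise the unclassified bucket
    "Source: InstallUtil.exe | String found in binary or memory: https://c2.example.invalid/gate.php",
]

# Hosts that appear in almost any .NET binary because they live in embedded font
# name tables or in X.509 CRL/AIA/policy extensions; they are not C2.
KNOWN_HOSTS = {
    "font_metadata": {"www.jiyu-kobo.co.jp", "www.monotype.com", "www.sakkal.com",
                      "www.sajatypeworks.com", "www.sandoll.co.kr", "www.tiro.com",
                      "www.typography.net", "www.urwpp.de", "www.zhongyicts.com.cn"},
    "pki_metadata": {"x1.c.lencr.org", "x1.i.lencr.org", "www.pkioverheid.nl"},
    "connectivity_check": {"www.google.com"},
    # AgentTesla fetches the victim's public IP from ipify and can optionally
    # pull a Tor bundle for exfiltration; both are worth pivoting on.
    "stealer_behaviour": {"api.ipify.org", "www.theonionrouter.com"},
}

URL_RE = re.compile(r"https?://\S+")


def host_of(url):
    """Hostname of a memory string, lower-cased, with a trailing dot from a
    truncated string ("http://www.monotype.") removed."""
    return (urlparse(url).hostname or "").lower().rstrip(".")


def classify_host(host):
    """Map a possibly damaged host to (category, canonical_host).

    A dump string may carry junk after the host ("www.google.comT") or be cut
    short ("www.monotype"), so both prefix directions are accepted."""
    for category, hosts in KNOWN_HOSTS.items():
        for known in hosts:
            if host.startswith(known) or (len(host) >= 8 and known.startswith(host)):
                return category, known
    return "unclassified", host


def triage(lines):
    """Group every URL in the report lines as category -> {host: [sources]}."""
    separator = " | String found in binary or memory: "
    buckets = {}
    for line in lines:
        if separator not in line:
            continue
        source, value = line.split(separator, 1)
        source = source.removeprefix("Source: ").strip()
        for url in URL_RE.findall(value):
            host = host_of(url)
            if not host:
                continue
            category, canonical = classify_host(host)
            sources = buckets.setdefault(category, {}).setdefault(canonical, [])
            if source not in sources:
                sources.append(source)
    return buckets


if __name__ == "__main__":
    for category, hosts in triage(SAMPLE_LINES).items():
        print(f"[{category}]")
        for host, sources in sorted(hosts.items()):
            print(f"  {host:32} seen in {', '.join(sources)}")
```

Run it against the full report text and only the unclassified bucket needs a human; the font and PKI buckets are safe to drop from an IOC list, since blocking them would produce nothing but false positives.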

                    System Summary

Source: 6.2.geater.exe.47ad7e2.5.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 6.2.geater.exe.47e20b8.6.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 6.2.geater.exe.47ad7e2.5.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 15.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 6.2.geater.exe.4744642.2.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 15.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.D6GEVBNNH11111.exe.484bafa.4.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 6.2.geater.exe.4744642.2.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.D6GEVBNNH11111.exe.48b4cca.3.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 6.2.geater.exe.470fd62.4.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.D6GEVBNNH11111.exe.4952740.7.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 15.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.D6GEVBNNH11111.exe.491de6a.6.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 6.2.geater.exe.47e20b8.6.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 6.2.geater.exe.46db472.3.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 15.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 15.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.D6GEVBNNH11111.exe.48803ea.5.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.D6GEVBNNH11111.exe.48803ea.5.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 15.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.D6GEVBNNH11111.exe.4952740.7.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.D6GEVBNNH11111.exe.491de6a.6.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.D6GEVBNNH11111.exe.484bafa.4.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.D6GEVBNNH11111.exe.48b4cca.3.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 6.2.geater.exe.46db472.3.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 6.2.geater.exe.470fd62.4.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: D6GEVBNNH11111.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 6.2.geater.exe.47ad7e2.5.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 6.2.geater.exe.47e20b8.6.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 6.2.geater.exe.47ad7e2.5.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 15.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 6.2.geater.exe.4744642.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 15.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.D6GEVBNNH11111.exe.484bafa.4.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 6.2.geater.exe.4744642.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.D6GEVBNNH11111.exe.48b4cca.3.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 6.2.geater.exe.470fd62.4.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.D6GEVBNNH11111.exe.4952740.7.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 15.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.D6GEVBNNH11111.exe.491de6a.6.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 6.2.geater.exe.47e20b8.6.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 6.2.geater.exe.46db472.3.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 15.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 15.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.D6GEVBNNH11111.exe.48803ea.5.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.D6GEVBNNH11111.exe.48803ea.5.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 15.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.D6GEVBNNH11111.exe.4952740.7.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.D6GEVBNNH11111.exe.491de6a.6.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.D6GEVBNNH11111.exe.484bafa.4.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.D6GEVBNNH11111.exe.48b4cca.3.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 6.2.geater.exe.46db472.3.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 6.2.geater.exe.470fd62.4.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
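The Yara hits above are more informative once the dump identifiers are read as structured names. Joe Sandbox names an unpacked memory dump as process index, snapshot, image name, hex address, dump index and an optional ".raw" marker; the same region appears once as ".unpack" and once as ".raw.unpack", so the list is roughly twice as long as the number of distinct dumps. Read that way, the matches say three things: the AgentTesla payload is already decrypted inside process 0 (the sample) and process 6 (geater.exe) at heap addresses in the 0x46xxxxx to 0x49xxxxx range, and it sits in process 15 (InstallUtil.exe) at 0x400000, the default image base of a 32-bit .NET executable, in both the start-of-process and end-of-process snapshots. That is the memory-level confirmation of the "Injects a PE file into a foreign processes" signature: the payload replaced InstallUtil.exe's main module rather than being loaded as a side allocation. The Python below is an added example, not Joe Sandbox code; it parses the identifiers and derives those conclusions. The reading of the snapshot digit (0 at process start, 2 at process end) is an assumption consistent with this report, and the dump list is a constructed subset of the lines above.

```python
import re

# Constructed sample: Source identifiers copied from the Yara match lines above
# (a subset is enough to exercise the logic; the report lists more).
SAMPLE_DUMPS = [
    "6.2.geater.exe.47ad7e2.5.unpack",
    "6.2.geater.exe.47ad7e2.5.raw.unpack",
    "6.2.geater.exe.47e20b8.6.raw.unpack",
    "15.2.InstallUtil.exe.400000.0.unpack",
    "15.0.InstallUtil.exe.400000.1.unpack",
    "15.0.InstallUtil.exe.400000.4.unpack",
    "0.2.D6GEVBNNH11111.exe.484bafa.4.unpack",
    "0.2.D6GEVBNNH11111.exe.48b4cca.3.raw.unpack",
    "not-a-dump-name",
]

# Joe Sandbox dump name layout:
#   <process index>.<snapshot>.<image>.<hex address>.<dump index>[.raw].unpack
# Assumption (consistent with this report): snapshot 0 is taken at process
# start, snapshot 2 when the process ends. ".raw" is the same region without
# PE header repair, so it is folded into the same dump below.
DUMP_RE = re.compile(
    r"^(?P<proc>\d+)\.(?P<snap>\d)\.(?P<image>.+?\.exe)\."
    r"(?P<addr>[0-9a-fA-F]+)\.(?P<idx>\d+)(?P<raw>\.raw)?\.unpack$"
)

DEFAULT_IMAGE_BASE = 0x400000  # linker default for 32-bit .NET executables


def parse_dump(name):
    """Split a dump identifier into its fields; None if it is not one."""
    m = DUMP_RE.match(name)
    if not m:
        return None
    return {"proc": int(m["proc"]), "snap": int(m["snap"]), "image": m["image"],
            "addr": int(m["addr"], 16), "idx": int(m["idx"]), "raw": bool(m["raw"])}


def summarize(names):
    """Collapse match lines into one record per process index."""
    procs = {}
    for name in names:
        d = parse_dump(name)
        if d is None:
            continue
        rec = procs.setdefault(d["proc"], {"image": d["image"], "snapshots": set(),
                                           "addresses": set(), "dumps": set()})
        rec["snapshots"].add(d["snap"])
        rec["addresses"].add(d["addr"])
        rec["dumps"].add((d["snap"], d["addr"], d["idx"]))   # raw/unpack fold here
    return procs


def hollowed_candidates(procs):
    """Processes where the payload sits at the default image base: the injected
    PE replaced the main module rather than living in a side allocation."""
    return sorted(p for p, rec in procs.items() if DEFAULT_IMAGE_BASE in rec["addresses"])


def staging_order(procs):
    """Processes carrying the decrypted payload, in process-index order; every
    entry before the final host held the payload before injecting it onward."""
    return [(p, procs[p]["image"]) for p in sorted(procs)]


if __name__ == "__main__":
    summary = summarize(SAMPLE_DUMPS)
    for p, rec in sorted(summary.items()):
        addrs = ", ".join(f"0x{a:x}" for a in sorted(rec["addresses"]))
        print(f"process {p:>2} {rec['image']:<20} snapshots={sorted(rec['snapshots'])} at {addrs}")
    print("staging:", staging_order(summary))
    print("hollowed:", hollowed_candidates(summary))
```

For memory forensics this tells you where to carve: the clean AgentTesla module is at 0x400000 in InstallUtil.exe, and equivalent copies can be pulled from the two loader processes before injection happens.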
Source: C:\Users\user\Desktop\D6GEVBNNH11111.exe | Code function: 0_2_02DF5310
Source: C:\Users\user\Desktop\D6GEVBNNH11111.exe | Code function: 0_2_02DF0040
Source: C:\Users\user\Desktop\D6GEVBNNH11111.exe | Code function: 0_2_02DF11D0
Source: C:\Users\user\Desktop\D6GEVBNNH11111.exe | Code function: 0_2_02DF0799
Source: C:\Users\user\Desktop\D6GEVBNNH11111.exe | Code function: 0_2_02DF4790
Source: C:\Users\user\Desktop\D6GEVBNNH11111.exe | Code function: 0_2_02DF6838
Source: C:\Users\user\Desktop\D6GEVBNNH11111.exe | Code function: 0_2_02DF52DB
Source: C:\Users\user\Desktop\D6GEVBNNH11111.exe | Code function: 0_2_02DF42C8
Source: C:\Users\user\Desktop\D6GEVBNNH11111.exe | Code function: 0_2_02DF42B8
Source: C:\Users\user\Desktop\D6GEVBNNH11111.exe | Code function: 0_2_02DF5268
Source: C:\Users\user\Desktop\D6GEVBNNH11111.exe | Code function: 0_2_02DF40D8
Source: C:\Users\user\Desktop\D6GEVBNNH11111.exe | Code function: 0_2_02DF40CB
Source: C:\Users\user\Desktop\D6GEVBNNH11111.exe | Code function: 0_2_02DF0007
Source: C:\Users\user\Desktop\D6GEVBNNH11111.exe | Code function: 0_2_02DF61F3
Source: C:\Users\user\Desktop\D6GEVBNNH11111.exe | Code function: 0_2_02DF61A0
Source: C:\Users\user\Desktop\D6GEVBNNH11111.exe | Code function: 0_2_02DF564F
Source: C:\Users\user\Desktop\D6GEVBNNH11111.exe | Code function: 0_2_02DFB600
Source: C:\Users\user\Desktop\D6GEVBNNH11111.exe | Code function: 0_2_02DF67CA
Source: C:\Users\user\Desktop\D6GEVBNNH11111.exe | Code function: 0_2_02DF4780
Source: C:\Users\user\Desktop\D6GEVBNNH11111.exe | Code function: 0_2_02DF5580
Source: C:\Users\user\Desktop\D6GEVBNNH11111.exe | Code function: 0_2_02DF45AB
Source: C:\Users\user\Desktop\D6GEVBNNH11111.exe | Code function: 0_2_02DF4578
Source: C:\Users\user\Desktop\D6GEVBNNH11111.exe | Code function: 0_2_02DF456B
Source: C:\Users\user\Desktop\D6GEVBNNH11111.exe | Code function: 0_2_02DF680F
Source: C:\Users\user\Desktop\D6GEVBNNH11111.exe | Code function: 0_2_02DF2E98
Source: C:\Users\user\Desktop\D6GEVBNNH11111.exe | Code function: 0_2_02DF2E88
Source: C:\Users\user\Desktop\D6GEVBNNH11111.exe | Code function: 0_2_02DF3D43
Source: C:\Users\user\Desktop\D6GEVBNNH11111.exe | Code function: 0_2_0D84ED00
Source: C:\Users\user\Desktop\D6GEVBNNH11111.exe | Code function: 0_2_0D84DB27
Source: C:\Users\user\Desktop\D6GEVBNNH11111.exe | Code function: 0_2_0D84E3A0
Source: C:\Users\user\Desktop\D6GEVBNNH11111.exe | Code function: 0_2_0D84ECF0
Source: C:\Users\user\Desktop\D6GEVBNNH11111.exe | Code function: 0_2_0D844F28
Source: C:\Users\user\Desktop\D6GEVBNNH11111.exe | Code function: 0_2_0D84D408
Source: C:\Users\user\Desktop\D6GEVBNNH11111.exe | Code function: 0_2_0D84C710
Source: C:\Users\user\Desktop\D6GEVBNNH11111.exe | Code function: 0_2_0D84F050
Source: C:\Users\user\Desktop\D6GEVBNNH11111.exe | Code function: 0_2_0D84F060
Source: C:\Users\user\Desktop\D6GEVBNNH11111.exe | Code function: 0_2_0D84E38F
Source: C:\Users\user\Desktop\D6GEVBNNH11111.exe | Code function: 0_2_0D84D3F9
Source: C:\Users\user\AppData\Local\Temp\geater.exe | Code function: 6_2_052E0799
Source: C:\Users\user\AppData\Local\Temp\geater.exe | Code function: 6_2_052E4790
Source: C:\Users\user\AppData\Local\Temp\geater.exe | Code function: 6_2_052E11D0
Source: C:\Users\user\AppData\Local\Temp\geater.exe | Code function: 6_2_052E0040
Source: C:\Users\user\AppData\Local\Temp\geater.exe | Code function: 6_2_052E7040
Source: C:\Users\user\AppData\Local\Temp\geater.exe | Code function: 6_2_052E5310
Source: C:\Users\user\AppData\Local\Temp\geater.exe | Code function: 6_2_052E456B
Source: C:\Users\user\AppData\Local\Temp\geater.exe | Code function: 6_2_052E4578
Source: C:\Users\user\AppData\Local\Temp\geater.exe | Code function: 6_2_052E45AB
Source: C:\Users\user\AppData\Local\Temp\geater.exe | Code function: 6_2_052E5580
Source: C:\Users\user\AppData\Local\Temp\geater.exe | Code function: 6_2_052E4780
Source: C:\Users\user\AppData\Local\Temp\geater.exe | Code function: 6_2_052EB600
Source: C:\Users\user\AppData\Local\Temp\geater.exe | Code function: 6_2_052E564F
Source: C:\Users\user\AppData\Local\Temp\geater.exe | Code function: 6_2_052E61A4
Source: C:\Users\user\AppData\Local\Temp\geater.exe | Code function: 6_2_052E61BE
Source: C:\Users\user\AppData\Local\Temp\geater.exe | Code function: 6_2_052E7030
Source: C:\Users\user\AppData\Local\Temp\geater.exe | Code function: 6_2_052E0006
Source: C:\Users\user\AppData\Local\Temp\geater.exe | Code function: 6_2_052E40CB
Source: C:\Users\user\AppData\Local\Temp\geater.exe | Code function: 6_2_052E40D8
Source: C:\Users\user\AppData\Local\Temp\geater.exe | Code function: 6_2_052E526C
Source: C:\Users\user\AppData\Local\Temp\geater.exe | Code function: 6_2_052E42B8
Source: C:\Users\user\AppData\Local\Temp\geater.exe | Code function: 6_2_052E42C8
Source: C:\Users\user\AppData\Local\Temp\geater.exe | Code function: 6_2_052E52DB
Source: C:\Users\user\AppData\Local\Temp\geater.exe | Code function: 6_2_052E3D4B
Source: C:\Users\user\AppData\Local\Temp\geater.exe | Code function: 6_2_052E2E88
Source: C:\Users\user\AppData\Local\Temp\geater.exe | Code function: 6_2_052E2E98
Source: C:\Users\user\AppData\Local\Temp\geater.exe | Code function: 6_2_06514E90
Source: C:\Users\user\AppData\Local\Temp\geater.exe | Code function: 6_2_06516E98
Source: C:\Users\user\AppData\Local\Temp\geater.exe | Code function: 6_2_0651328A
Source: C:\Users\user\AppData\Local\Temp\geater.exe | Code function: 6_2_06515F88
Source: C:\Users\user\AppData\Local\Temp\geater.exe | Code function: 6_2_06510420
Source: C:\Users\user\AppData\Local\Temp\geater.exe | Code function: 6_2_0651E560
Source: C:\Users\user\AppData\Local\Temp\geater.exe | Code function: 6_2_065155B8
Source: C:\Users\user\AppData\Local\Temp\geater.exe | Code function: 6_2_06514251
Source: C:\Users\user\AppData\Local\Temp\geater.exe | Code function: 6_2_06514E61
Source: C:\Users\user\AppData\Local\Temp\geater.exe | Code function: 6_2_06519601
Source: C:\Users\user\AppData\Local\Temp\geater.exe | Code function: 6_2_06516E29
Source: C:\Users\user\AppData\Local\Temp\geater.exe | Code function: 6_2_06510A98
Source: C:\Users\user\AppData\Local\Temp\geater.exe | Code function: 6_2_065132A0
Source: C:\Users\user\AppData\Local\Temp\geater.exe | Code function: 6_2_0651D728
Source: C:\Users\user\AppData\Local\Temp\geater.exe | Code function: 6_2_06518F98
Source: C:\Users\user\AppData\Local\Temp\geater.exe | Code function: 6_2_06518FA8
Source: C:\Users\user\AppData\Local\Temp\geater.exe | Code function: 6_2_06510410
Source: C:\Users\user\AppData\Local\Temp\geater.exe | Code function: 6_2_06518C28
Source: C:\Users\user\AppData\Local\Temp\geater.exe | Code function: 6_2_0651D098
Source: C:\Users\user\AppData\Local\Temp\geater.exe | Code function: 6_2_06517D40
Source: C:\Users\user\AppData\Local\Temp\geater.exe | Code function: 6_2_0651A549
Source: C:\Users\user\AppData\Local\Temp\geater.exe | Code function: 6_2_06510D09
Source: C:\Users\user\AppData\Local\Temp\geater.exe | Code function: 6_2_06517D31
Source: C:\Users\user\AppData\Local\Temp\geater.exe | Code function: 6_2_06518938
Source: C:\Users\user\AppData\Local\Temp\geater.exe | Code function: 6_2_06518929
Source: C:\Users\user\AppData\Local\Temp\geater.exe | Code function: 6_2_065191D0
Source: C:\Users\user\AppData\Local\Temp\geater.exe | Code function: 6_2_06516DD3
Source: C:\Users\user\AppData\Local\Temp\geater.exe | Code function: 6_2_06514DF1
Source: C:\Users\user\AppData\Local\Temp\geater.exe | Code function: 6_2_065191E0
Source: C:\Users\user\AppData\Local\Temp\geater.exe | Code function: 6_2_0651DD90
Source: C:\Users\user\AppData\Local\Temp\geater.exe | Code function: 6_2_06516DA1
Source: C:\Users\user\AppData\Local\Temp\geater.exe | Code function: 6_2_065E53D8
Source: C:\Users\user\AppData\Local\Temp\geater.exe | Code function: 6_2_065E0040
Source: C:\Users\user\AppData\Local\Temp\geater.exe | Code function: 6_2_065E3D28
Source: C:\Users\user\AppData\Local\Temp\geater.exe | Code function: 6_2_065E9E58
Source: C:\Users\user\AppData\Local\Temp\geater.exe | Code function: 6_2_065E1E70
Source: C:\Users\user\AppData\Local\Temp\geater.exe | Code function: 6_2_065E3239
Source: C:\Users\user\AppData\Local\Temp\geater.exe | Code function: 6_2_065E1E80
Source: C:\Users\user\AppData\Local\Temp\geater.exe | Code function: 6_2_065E3770
Source: C:\Users\user\AppData\Local\Temp\geater.exe | Code function: 6_2_065E3760
Source: C:\Users\user\AppData\Local\Temp\geater.exe | Code function: 6_2_065E93D8
Source: C:\Users\user\AppData\Local\Temp\geater.exe | Code function: 6_2_065E53C9
Source: C:\Users\user\AppData\Local\Temp\geater.exe | Code function: 6_2_065E3040
Source: C:\Users\user\AppData\Local\Temp\geater.exe | Code function: 6_2_065E0006
Source: C:\Users\user\AppData\Local\Temp\geater.exe | Code function: 6_2_065E3030
Source: C:\Users\user\AppData\Local\Temp\geater.exe | Code function: 6_2_065E5CB0
Source: C:\Users\user\AppData\Local\Temp\geater.exe | Code function: 6_2_065E3D55
Source: C:\Users\user\AppData\Local\Temp\geater.exe | Code function: 6_2_0C19ED00
Source: C:\Users\user\AppData\Local\Temp\geater.exe | Code function: 6_2_0C19DB27
Source: C:\Users\user\AppData\Local\Temp\geater.exe | Code function: 6_2_0C19E3A0
Source: C:\Users\user\AppData\Local\Temp\geater.exe | Code function: 6_2_0C19D408
Source: C:\Users\user\AppData\Local\Temp\geater.exe | Code function: 6_2_0C19C710
Source: C:\Users\user\AppData\Local\Temp\geater.exe | Code function: 6_2_0C194F28
Source: C:\Users\user\AppData\Local\Temp\geater.exe | Code function: 6_2_0C19F060
Source: C:\Users\user\AppData\Local\Temp\geater.exe | Code function: 6_2_0C196B08
Source: C:\Users\user\AppData\Local\Temp\geater.exe | Code function: 6_2_065E4E40 CreateProcessAsUserW
Source: D6GEVBNNH11111.exe, 00000000.00000002.456920390.000000000491D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRwKntxILzrfTruqKGkLPcmQ.exe4 vs D6GEVBNNH11111.exe
Source: D6GEVBNNH11111.exe, 00000000.00000002.458059400.0000000006380000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameStrengthBody.dll: vs D6GEVBNNH11111.exe
Source: D6GEVBNNH11111.exe, 00000000.00000002.456040536.0000000004817000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRwKntxILzrfTruqKGkLPcmQ.exe4 vs D6GEVBNNH11111.exe
Source: D6GEVBNNH11111.exe, 00000000.00000002.448891415.000000000122A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs D6GEVBNNH11111.exe
Source: D6GEVBNNH11111.exe, 00000000.00000002.455208384.0000000003F11000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameStrengthBody.dll: vs D6GEVBNNH11111.exe
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\Acrobat\Acrobat.exe 46DEE184523A584E56DF93389F81992911A1BA6B1F05AD7D803C6AB1450E18CB
Source: D6GEVBNNH11111.exe | Virustotal: Detection: 40%
Source: D6GEVBNNH11111.exe | ReversingLabs: Detection: 27%
Source: D6GEVBNNH11111.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\D6GEVBNNH11111.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\D6GEVBNNH11111.exe "C:\Users\user\Desktop\D6GEVBNNH11111.exe"
Source: C:\Users\user\Desktop\D6GEVBNNH11111.exe | Process created: C:\Users\user\AppData\Local\Temp\geater.exe "C:\Users\user\AppData\Local\Temp\geater.exe"
Source: C:\Users\user\AppData\Local\Temp\geater.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeProcess created: C:\Users\user\AppData\Local\Temp\geater.exe "C:\Users\user\AppData\Local\Temp\geater.exe" Jump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\geater.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F324E4F9-8496-40b2-A1FF-9617C1C9AFFE}\InProcServer32Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\D6GEVBNNH11111.exe.logJump to behavior
                    Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@5/3@3/1
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                    Source: D6GEVBNNH11111.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\geater.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\geater.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\geater.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\geater.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                    Source: D6GEVBNNH11111.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: D6GEVBNNH11111.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: Acrobat.exe.15.dr
                    Source: Binary string: InstallUtil.pdb source: Acrobat.exe.15.dr
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeCode function: 0_2_02DF02D8 push eax; ret 0_2_02DF02D9
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeCode function: 0_2_0D8408A7 pushfd ; retf 000Bh0_2_0D8408AA
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeCode function: 0_2_0D840828 pushfd ; retf 000Bh0_2_0D84082A
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeCode function: 0_2_0D8407B0 pushfd ; retf 000Bh0_2_0D8407B2
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeCode function: 0_2_0D8407F9 pushfd ; retf 000Bh0_2_0D8407FA
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeCode function: 0_2_0D840738 pushfd ; retf 000Bh0_2_0D84073A
                    Source: C:\Users\user\AppData\Local\Temp\geater.exeCode function: 6_2_052E02D8 push eax; ret 6_2_052E02D9
                    Source: C:\Users\user\AppData\Local\Temp\geater.exeCode function: 6_2_065140DE push es; retf 6_2_06514158
                    Source: C:\Users\user\AppData\Local\Temp\geater.exeCode function: 6_2_0651411D push es; retf 6_2_06514158
                    Source: C:\Users\user\AppData\Local\Temp\geater.exeCode function: 6_2_06514DDD push es; ret 6_2_06514DF0
                    Source: C:\Users\user\AppData\Local\Temp\geater.exeCode function: 6_2_06516DA1 push es; retn 5167h6_2_06516DD0
                    Source: C:\Users\user\AppData\Local\Temp\geater.exeCode function: 6_2_065E43C1 push es; iretd 6_2_065E43D0
                    Source: C:\Users\user\AppData\Local\Temp\geater.exeCode function: 6_2_065E85DE pushad ; iretd 6_2_065E85E1

                    Persistence and Installation Behavior

                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File written: C:\Users\user\AppData\Roaming\Acrobat\Acrobat.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Roaming\Acrobat\Acrobat.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Acrobat

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exe | File opened: C:\Users\user\Desktop\D6GEVBNNH11111.exe\:Zone.Identifier read attributes | delete
                    Source: C:\Users\user\AppData\Local\Temp\geater.exe | File opened: C:\Users\user\AppData\Local\Temp\geater.exe\:Zone.Identifier read attributes | delete
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Roaming\Acrobat\Acrobat.exe:Zone.Identifier read attributes | delete
                    Source: c:\users\user\desktop\d6gevbnnh11111.exe | File moved: C:\Users\user\AppData\Local\Temp\geater.exe
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\geater.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exe TID: 5456 | Thread sleep time: -30000s >= -30000s
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exe TID: 5900 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\geater.exe TID: 4828 | Thread sleep time: -16602069666338586s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\geater.exe TID: 4828 | Thread sleep time: -30000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3736 | Thread sleep time: -3689348814741908s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3720 | Thread sleep count: 9617 > 30
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Local\Temp\geater.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Local\Temp\geater.exe | Window / User API: threadDelayed 9840
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Window / User API: threadDelayed 9617
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exe | Process information queried: ProcessInformation
                    Source: C:\Users\user\AppData\Local\Temp\geater.exe | Thread delayed: delay time: 30000
                    Source: InstallUtil.exe, 0000000F.00000002.696582451.0000000006725000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWY
                    Source: D6GEVBNNH11111.exe, 00000000.00000002.450621182.0000000002F57000.00000004.00000800.00020000.00000000.sdmp, geater.exe, 00000006.00000002.648622832.0000000002DE7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VBoxTray
                    Source: geater.exe, 00000006.00000002.648622832.0000000002DE7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware VGAuth
                    Source: geater.exe, 00000006.00000002.648622832.0000000002DE7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: sandboxierpcss#SOFTWARE\VMware, Inc.\VMware VGAuth
                    Source: geater.exe, 00000006.00000002.646783601.00000000011EA000.00000004.00000020.00020000.00000000.sdmp, geater.exe, 00000006.00000003.556417032.00000000011EA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllm
                    Source: InstallUtil.exe, 0000000F.00000002.696582451.0000000006725000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                    Source: InstallUtil.exe, 0000000F.00000002.694145293.0000000005ED1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW8t
                    Source: D6GEVBNNH11111.exe, 00000000.00000002.449096881.000000000125E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll]
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exe | Process token adjusted: Debug
                    Source: C:\Users\user\AppData\Local\Temp\geater.exe | Process token adjusted: Debug
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exe | Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    barindex
                    Source: C:\Users\user\AppData\Local\Temp\geater.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000
                    Source: C:\Users\user\AppData\Local\Temp\geater.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000
                    Source: C:\Users\user\AppData\Local\Temp\geater.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 436000
                    Source: C:\Users\user\AppData\Local\Temp\geater.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 438000
                    Source: C:\Users\user\AppData\Local\Temp\geater.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 839008
                    Source: C:\Users\user\AppData\Local\Temp\geater.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exe | Process created: C:\Users\user\AppData\Local\Temp\geater.exe "C:\Users\user\AppData\Local\Temp\geater.exe"
                    Source: C:\Users\user\AppData\Local\Temp\geater.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exe | Queries volume information (VolumeInformation) for each of the following files:
                        C:\Users\user\Desktop\D6GEVBNNH11111.exe
                        C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
                        C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
                        C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
                        C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
                        Files under C:\Windows\Fonts\ (one VolumeInformation query per file):
                        arial.ttf, ariali.ttf, arialbd.ttf, arialbi.ttf, ARIALN.TTF, ariblk.ttf, ARIALNI.TTF, ARIALNB.TTF, ARIALNBI.TTF, bahnschrift.ttf,
                        calibri.ttf, calibril.ttf, calibrii.ttf, calibrili.ttf, calibrib.ttf, calibriz.ttf, cambria.ttc, cambriai.ttf, cambriab.ttf, cambriaz.ttf,
                        Candara.ttf, Candarai.ttf, Candarab.ttf, Candaraz.ttf, comic.ttf, comici.ttf, comicbd.ttf, comicz.ttf,
                        consola.ttf, consolai.ttf, consolab.ttf, consolaz.ttf, constan.ttf, constani.ttf, constanb.ttf, constanz.ttf,
                        corbel.ttf, corbeli.ttf, corbelb.ttf, corbelz.ttf, cour.ttf, couri.ttf, courbd.ttf, courbi.ttf, ebrima.ttf, ebrimabd.ttf,
                        framd.ttf, FRADM.TTF, framdit.ttf, FRADMIT.TTF, FRAMDCN.TTF, FRADMCN.TTF, FRAHV.TTF, FRAHVIT.TTF,
                        Gabriola.ttf, gadugi.ttf, gadugib.ttf, georgia.ttf, georgiai.ttf, georgiab.ttf, georgiaz.ttf, impact.ttf, Inkfree.ttf, javatext.ttf,
                        LeelawUI.ttf, LeelUIsl.ttf, LeelaUIb.ttf, lucon.ttf, l_10646.ttf, malgun.ttf, malgunsl.ttf, malgunbd.ttf, himalaya.ttf,
                        msjh.ttc, msjhl.ttc, msjhbd.ttc, ntailu.ttf, ntailub.ttf, phagspa.ttf, phagspab.ttf, micross.ttf, taile.ttf, taileb.ttf,
                        msyh.ttc, msyhl.ttc, msyhbd.ttc, msyi.ttf, mingliub.ttc, monbaiti.ttf, msgothic.ttc, mvboli.ttf, mmrtext.ttf, mmrtextb.ttf,
                        Nirmala.ttf, NirmalaS.ttf, NirmalaB.ttf, pala.ttf, palai.ttf, palab.ttf, palabi.ttf,
                        segoepr.ttf, segoeprb.ttf, segoesc.ttf, segoescb.ttf, seguisb.ttf, segoeuii.ttf, seguisli.ttf, seguili.ttf, seguisbi.ttf, segoeuiz.ttf,
                        seguibl.ttf, seguibli.ttf, seguiemj.ttf, seguihis.ttf, seguisym.ttf, simsun.ttc, simsunb.ttf,
                        Sitka.ttc, SitkaI.ttc, SitkaB.ttc, SitkaZ.ttc, sylfaen.ttf, symbol.ttf, tahoma.ttf, tahomabd.ttf,
                        timesi.ttf, timesbd.ttf, timesbi.ttf, trebuc.ttf, trebucit.ttf, trebucbd.ttf, trebucbi.ttf,
                        verdana.ttf, verdanai.ttf, verdanab.ttf, verdanaz.ttf, webdings.ttf, wingding.ttf,
                        YuGothR.ttc, YuGothM.ttc, YuGothL.ttc, YuGothB.ttc, holomdl2.ttf, CENTURY.TTF, LEELAWAD.TTF, LEELAWDB.TTF,
                        MSUIGHUR.TTF, MSUIGHUB.TTF, WINGDNG2.TTF, WINGDNG3.TTF, TEMPSITC.TTF, PRISTINA.TTF, PAPYRUS.TTF, MISTRAL.TTF,
                        LHANDW.TTF, ITCKRIST.TTF, JUICE___.TTF, FRSCRIPT.TTF, FREESCPT.TTF, BRADHITC.TTF, OUTLOOK.TTF,
                        BKANT.TTF, ANTQUAI.TTF, ANTQUAB.TTF, ANTQUABI.TTF, GARA.TTF, GARAIT.TTF, GARABD.TTF, MTCORSVA.TTF,
                        GOTHIC.TTF, GOTHICI.TTF, GOTHICB.TTF, GOTHICBI.TTF, ALGER.TTF, BASKVILL.TTF, BAUHS93.TTF,
                        BELL.TTF, BELLI.TTF, BELLB.TTF, BRLNSR.TTF, BRLNSDB.TTF, BRLNSB.TTF, BERNHC.TTF, BOD_PSTC.TTF,
                        BRITANIC.TTF, BROADW.TTF, BRUSHSCI.TTF, CALIFR.TTF, CALIFI.TTF, CALIFB.TTF, CENTAUR.TTF, CHILLER.TTF,
                        COLONNA.TTF, COOPBL.TTF, FTLTLT.TTF, HARLOWSI.TTF, HARNGTON.TTF, HTOWERT.TTF, HTOWERTI.TTF, JOKERMAN.TTF
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\geater.exeQueries volume information: C:\Users\user\AppData\Local\Temp\geater.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\geater.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\geater.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\geater.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\geater.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\geater.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\D6GEVBNNH11111.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                    Stealing of Sensitive Information

                    Source: Yara match | File source: 6.2.geater.exe.47ad7e2.5.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 6.2.geater.exe.47e20b8.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 6.2.geater.exe.47ad7e2.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 15.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 6.2.geater.exe.4744642.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 15.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.D6GEVBNNH11111.exe.484bafa.4.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 6.2.geater.exe.4744642.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.D6GEVBNNH11111.exe.48b4cca.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 6.2.geater.exe.470fd62.4.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.D6GEVBNNH11111.exe.4952740.7.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 15.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.D6GEVBNNH11111.exe.491de6a.6.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 6.2.geater.exe.47e20b8.6.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 6.2.geater.exe.46db472.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 15.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 15.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.D6GEVBNNH11111.exe.48803ea.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.D6GEVBNNH11111.exe.48803ea.5.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 15.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.D6GEVBNNH11111.exe.4952740.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.D6GEVBNNH11111.exe.491de6a.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.D6GEVBNNH11111.exe.484bafa.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.D6GEVBNNH11111.exe.48b4cca.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 6.2.geater.exe.46db472.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 6.2.geater.exe.470fd62.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0000000F.00000000.561341870.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000F.00000000.561888828.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000006.00000002.668565825.00000000046A6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000006.00000002.667459782.000000000464C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.456920390.000000000491D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000006.00000002.671650352.00000000047AD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000F.00000002.682815690.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.456040536.0000000004817000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000F.00000000.562345029.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000F.00000000.560518912.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000F.00000002.686918576.0000000002A21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: D6GEVBNNH11111.exe PID: 3436, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: geater.exe PID: 3972, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 3512, type: MEMORYSTR
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: Yara match | File source: 0000000F.00000002.686918576.0000000002A21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 3512, type: MEMORYSTR

                    Remote Access Functionality

                    barindex
                    Source: Yara match; file source: Process Memory Space: D6GEVBNNH11111.exe PID: 3436, type: MEMORYSTR
                    Source: Yara match; file source: Process Memory Space: geater.exe PID: 3972, type: MEMORYSTR
                    Source: Yara match; file source: Process Memory Space: InstallUtil.exe PID: 3512, type: MEMORYSTR
                    MITRE ATT&CK Matrix

                    Techniques are listed per tactic column; a number in brackets is the signature count the report attaches to that technique.

                    Initial Access: Valid Accounts (1); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
                    Execution: Windows Management Instrumentation (211); Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell
                    Persistence: Valid Accounts (1); Registry Run Keys / Startup Folder (1); Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
                    Privilege Escalation: Valid Accounts (1); Access Token Manipulation (1); Process Injection (211); Registry Run Keys / Startup Folder (1); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
                    Defense Evasion: Disable or Modify Tools (1); Obfuscated Files or Information (1); Software Packing (1); Masquerading (21); Valid Accounts (1); Access Token Manipulation (1); Virtualization/Sandbox Evasion (131); Process Injection (211); Hidden Files and Directories (1)
                    Credential Access: Input Capture (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
                    Discovery: File and Directory Discovery (1); System Information Discovery (113); Query Registry (1); Security Software Discovery (111); Process Discovery (1); Virtualization/Sandbox Evasion (131); Application Window Discovery (1); Remote System Discovery (1); System Network Connections Discovery
                    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools
                    Collection: Archive Collected Data (1); Email Collection (1); Input Capture (1); Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
                    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
                    Command and Control: Ingress Tool Transfer (1); Encrypted Channel (11); Non-Application Layer Protocol (2); Application Layer Protocol (3); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
                    Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
                    Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings
                    Impact: Modify System Partition; Device Lockout; Delete Device Data; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction
                    Behavior Graph (ID: 673906; Sample: D6GEVBNNH11111.exe; Startdate: 26/07/2022; Architecture: WINDOWS; Score: 100)

                    Start
                      DNS/IP: multimetals.cfd
                      Signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Yara detected AgentTesla; Machine Learning detection for sample
                      -> started D6GEVBNNH11111.exe
                           DNS/IP: www.google.com 142.250.185.228, ports 443, 49749, 49765, GOOGLEUS, United States
                           Dropped: C:\Users\user\...\D6GEVBNNH11111.exe.log (ASCII)
                           Signatures: Moves itself to temp directory; Hides that the sample has been downloaded from the Internet (zone.identifier)
                           -> started geater.exe
                                DNS/IP: www.google.com
                                Signatures: Writes to foreign memory regions; Hides that the sample has been downloaded from the Internet (zone.identifier); Injects a PE file into a foreign processes
                                -> started InstallUtil.exe
                                     Dropped: C:\Users\user\AppData\Roaming\...\Acrobat.exe (PE32)
                                     Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Tries to steal Mail credentials (via file / registry access); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); 2 other signatures

                    Source | Detection | Scanner | Label
                    D6GEVBNNH11111.exe | 41% | Virustotal |
                    D6GEVBNNH11111.exe | 28% | ReversingLabs | ByteCode-MSIL.Spyware.Noon
                    D6GEVBNNH11111.exe | 100% | Joe Sandbox ML |

                    Source | Detection | Scanner | Label
                    C:\Users\user\AppData\Roaming\Acrobat\Acrobat.exe | 0% | Metadefender |
                    C:\Users\user\AppData\Roaming\Acrobat\Acrobat.exe | 0% | ReversingLabs |

                    Source | Detection | Scanner | Label
                    15.0.InstallUtil.exe.400000.4.unpack | 100% | Avira | TR/Spy.Gen8
                    15.0.InstallUtil.exe.400000.1.unpack | 100% | Avira | TR/Spy.Gen8
                    15.0.InstallUtil.exe.400000.2.unpack | 100% | Avira | TR/Spy.Gen8
                    15.0.InstallUtil.exe.400000.3.unpack | 100% | Avira | TR/Spy.Gen8
                    15.2.InstallUtil.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
                    15.0.InstallUtil.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
                    No Antivirus matches
                    Name | IP | Active | Malicious | Antivirus Detection | Reputation
                    multimetals.cfd | 192.185.37.183 | true | false | | unknown
                    www.google.com | 142.250.185.228 | true | false | | high

                    Name | Malicious | Antivirus Detection | Reputation
                    https://www.google.com/ | false | | high
                                          • URL Reputation: safe
                                          unknown
                                          http://www.zhongyicts.com.cnD6GEVBNNH11111.exe, 00000000.00000002.461913156.000000000D382000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.422384405.000000000C173000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.founder.com.cn/cngD6GEVBNNH11111.exe, 00000000.00000003.420985402.000000000C1A2000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.421003844.000000000C1A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameD6GEVBNNH11111.exe, 00000000.00000002.450466503.0000000002F11000.00000004.00000800.00020000.00000000.sdmp, geater.exe, 00000006.00000002.648331977.0000000002DA1000.00000004.00000800.00020000.00000000.sdmpfalse
                                            high
                                            http://www.carterandcone.comID6GEVBNNH11111.exe, 00000000.00000003.422384405.000000000C173000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://www.carterandcone.como.D6GEVBNNH11111.exe, 00000000.00000003.422384405.000000000C173000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://www.sakkal.comD6GEVBNNH11111.exe, 00000000.00000002.461913156.000000000D382000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            https://api.ipify.org%InstallUtil.exe, 0000000F.00000002.686918576.0000000002A21000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            low
                                            http://www.carterandcone.commpaD6GEVBNNH11111.exe, 00000000.00000003.422408075.000000000C176000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.422384405.000000000C173000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://cps.root-x1.letsencrypt.org0InstallUtil.exe, 0000000F.00000002.691205216.0000000002DCB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000F.00000002.694046075.0000000005EC0000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000F.00000002.690780729.0000000002D8D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000F.00000002.696582451.0000000006725000.00000004.00000001.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://www.carterandcone.como.oxD6GEVBNNH11111.exe, 00000000.00000003.422384405.000000000C173000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://multimetals.cfdInstallUtil.exe, 0000000F.00000002.690780729.0000000002D8D000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.apache.org/licenses/LICENSE-2.0D6GEVBNNH11111.exe, 00000000.00000002.461913156.000000000D382000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.422003230.000000000C189000.00000004.00000800.00020000.00000000.sdmpfalse
                                              high
                                              http://www.fontbureau.comD6GEVBNNH11111.exe, 00000000.00000002.461913156.000000000D382000.00000004.00000800.00020000.00000000.sdmpfalse
                                                high
                                                http://www.jiyu-kobo.co.jp/UD6GEVBNNH11111.exe, 00000000.00000003.423447686.000000000C180000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.423327035.000000000C17E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                unknown
                                                http://www.carterandcone.comcD6GEVBNNH11111.exe, 00000000.00000003.422384405.000000000C173000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  unknown
                                                  http://cps.letsencrypt.org0InstallUtil.exe, 0000000F.00000002.691205216.0000000002DCB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000F.00000002.694046075.0000000005EC0000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000F.00000002.690780729.0000000002D8D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000F.00000002.695758505.00000000066C9000.00000004.00000001.00020000.00000000.sdmpfalse
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://www.accv.es/legislacion_c.htm0UInstallUtil.exe, 0000000F.00000002.694815599.0000000005FBE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    high
                                                    http://www.carterandcone.comTCD6GEVBNNH11111.exe, 00000000.00000003.422384405.000000000C173000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • URL Reputation: safe
                                                    unknown
                                                    https://api.ipify.org%appdataInstallUtil.exe, 0000000F.00000002.686918576.0000000002A21000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • URL Reputation: safe
                                                    low
                                                    http://www.ica.co.il/repository/cps/PersonalID_Practice_Statement.pdf0InstallUtil.exe, 0000000F.00000002.695795045.00000000066E2000.00000004.00000001.00020000.00000000.sdmpfalse
                                                    • URL Reputation: safe
                                                    unknown
                                                    https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://wwwInstallUtil.exe, 0000000F.00000002.686918576.0000000002A21000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://www.jiyu-kobo.co.jp/jp/D6GEVBNNH11111.exe, 00000000.00000003.423641322.000000000C180000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.423753219.000000000C180000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.423596826.000000000C187000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.423327035.000000000C17E000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.423662070.000000000C184000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://www.jiyu-kobo.co.jp/onD6GEVBNNH11111.exe, 00000000.00000003.423114721.000000000C187000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.423447686.000000000C180000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.423327035.000000000C17E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://www.founder.com.cn/cnChD6GEVBNNH11111.exe, 00000000.00000003.421412161.000000000C176000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.fontbureau.comaHD6GEVBNNH11111.exe, 00000000.00000003.430433465.000000000C189000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000002.460978674.000000000C17B000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.447630466.000000000C17B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://en.wD6GEVBNNH11111.exe, 00000000.00000003.419597185.000000000C182000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://www.jiyu-kobo.co.jp/SueD6GEVBNNH11111.exe, 00000000.00000003.423641322.000000000C180000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.423447686.000000000C180000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.423596826.000000000C187000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.423662070.000000000C184000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://www.carterandcone.comlD6GEVBNNH11111.exe, 00000000.00000002.461913156.000000000D382000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.422408075.000000000C176000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.422384405.000000000C173000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://www.founder.com.cn/cn/MD6GEVBNNH11111.exe, 00000000.00000003.421412161.000000000C176000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://ns.adobe.c/g%%ngeater.exe, 00000006.00000002.682161073.000000000C1F1000.00000004.00000800.00020000.00000000.sdmp, geater.exe, 00000006.00000003.642265092.000000000C1F1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.founder.com.cn/cn/D6GEVBNNH11111.exe, 00000000.00000003.421430217.000000000C17E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://www.fontbureau.com/designers/cabarga.htmlND6GEVBNNH11111.exe, 00000000.00000002.461913156.000000000D382000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      high
                                                      http://www.carterandcone.comintD6GEVBNNH11111.exe, 00000000.00000003.422408075.000000000C176000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.422384405.000000000C173000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      • URL Reputation: safe
                                                      unknown
                                                      http://www.founder.com.cn/cnD6GEVBNNH11111.exe, 00000000.00000002.461913156.000000000D382000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.421067665.000000000C1A1000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.420985402.000000000C1A2000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.421003844.000000000C1A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      • URL Reputation: safe
                                                      unknown
                                                      http://www.fontbureau.com/designers/frere-jones.htmlD6GEVBNNH11111.exe, 00000000.00000002.461913156.000000000D382000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        high
                                                        http://www.jiyu-kobo.co.jp/sD6GEVBNNH11111.exe, 00000000.00000003.422880183.000000000C179000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        • URL Reputation: safe
                                                        unknown
                                                        http://www.jiyu-kobo.co.jp/isD6GEVBNNH11111.exe, 00000000.00000003.423114721.000000000C187000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://www.monotype.D6GEVBNNH11111.exe, 00000000.00000003.429144369.000000000C179000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        • URL Reputation: safe
                                                        unknown
                                                        https://www.google.com3GetManifestResourceStreamD6GEVBNNH11111.exefalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://www.carterandcone.comwD6GEVBNNH11111.exe, 00000000.00000003.422384405.000000000C173000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        • URL Reputation: safe
                                                        unknown
                                                        http://www.founder.com.cn/cn2D6GEVBNNH11111.exe, 00000000.00000003.421067665.000000000C1A1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        • URL Reputation: safe
                                                        unknown
                                                        http://www.jiyu-kobo.co.jp/D6GEVBNNH11111.exe, 00000000.00000003.423641322.000000000C180000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000002.461913156.000000000D382000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.423753219.000000000C180000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.423114721.000000000C187000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.423447686.000000000C180000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.422880183.000000000C179000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.423596826.000000000C187000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.423327035.000000000C17E000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.423662070.000000000C184000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        • URL Reputation: safe
                                                        unknown
                                                        http://ns.adobe.c/g4geater.exe, 00000006.00000003.474106682.000000000C1F1000.00000004.00000800.00020000.00000000.sdmp, geater.exe, 00000006.00000003.464715331.000000000C1F1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://www.fontbureau.comoD6GEVBNNH11111.exe, 00000000.00000003.430433465.000000000C189000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        • URL Reputation: safe
                                                        unknown
                                                        http://www.jiyu-kobo.co.jp/lD6GEVBNNH11111.exe, 00000000.00000003.423641322.000000000C180000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.423753219.000000000C180000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.423114721.000000000C187000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.423447686.000000000C180000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.422880183.000000000C179000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.423596826.000000000C187000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.423327035.000000000C17E000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.423662070.000000000C184000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        • URL Reputation: safe
                                                        unknown
                                                        http://www.fontbureau.com/designers8D6GEVBNNH11111.exe, 00000000.00000002.461913156.000000000D382000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          high
                                                          http://www.jiyu-kobo.co.jp/gD6GEVBNNH11111.exe, 00000000.00000003.423641322.000000000C180000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.423753219.000000000C180000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.423114721.000000000C187000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.423447686.000000000C180000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.422880183.000000000C179000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.423596826.000000000C187000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.423327035.000000000C17E000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.423662070.000000000C184000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          • URL Reputation: safe
                                                          unknown
                                                          http://www.jiyu-kobo.co.jp/eD6GEVBNNH11111.exe, 00000000.00000003.423641322.000000000C180000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.423753219.000000000C180000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.423447686.000000000C180000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.423596826.000000000C187000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.423662070.000000000C184000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          • URL Reputation: safe
                                                          unknown
                                                          http://www.founder.com.cn/cns-mD6GEVBNNH11111.exe, 00000000.00000003.421430217.000000000C17E000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.421594428.000000000C173000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          • URL Reputation: safe
                                                          unknown
                                                          http://www.jiyu-kobo.co.jp/rkD6GEVBNNH11111.exe, 00000000.00000003.423641322.000000000C180000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.423753219.000000000C180000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.423114721.000000000C187000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.423447686.000000000C180000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.423596826.000000000C187000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.423327035.000000000C17E000.00000004.00000800.00020000.00000000.sdmp, D6GEVBNNH11111.exe, 00000000.00000003.423662070.000000000C184000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          http://www.zhongyicts.com.cn/wD6GEVBNNH11111.exe, 00000000.00000003.422384405.000000000C173000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          unknown
IP | Domain | Country | ASN | ASN Name | Malicious
142.250.185.228 | www.google.com | United States | 15169 | GOOGLEUS | false
Joe Sandbox Version: 35.0.0 Citrine
Analysis ID: 673906
Start date and time: 2022-07-26 21:51:07 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 23s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: D6GEVBNNH11111.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 22
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@5/3@3/1
                                                          EGA Information:
                                                          • Successful, ratio: 100%
                                                          HDC Information:
                                                          • Successful, ratio: 0.4% (good quality ratio 0.3%)
                                                          • Quality average: 39.7%
                                                          • Quality standard deviation: 25.6%
                                                          HCA Information:
                                                          • Successful, ratio: 87%
                                                          • Number of executed functions: 59
                                                          • Number of non-executed functions: 22
                                                          Cookbook Comments:
                                                          • Found application associated with file extension: .exe
                                                          • Adjust boot time
                                                          • Enable AMSI
                                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
                                                          • Excluded domains from analysis (whitelisted): www.bing.com, ris.api.iris.microsoft.com, client.wns.windows.com, licensing.mp.microsoft.com, fs.microsoft.com, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Not all processes were analyzed; the report is missing behavior information
                                                          • Report creation exceeded maximum time and may have missing disassembly code information.
                                                          • Report size exceeded maximum capacity and may have missing behavior information.
                                                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                          • Report size getting too big, too many NtQueryValueKey calls found.
                                                          • Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
21:52:28 | API Interceptor | 1x Sleep call for process: D6GEVBNNH11111.exe modified
21:52:42 | API Interceptor | 202x Sleep call for process: geater.exe modified
21:54:03 | API Interceptor | 68x Sleep call for process: InstallUtil.exe modified
21:54:07 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Acrobat C:\Users\user\AppData\Roaming\Acrobat\Acrobat.exe
21:54:16 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Acrobat C:\Users\user\AppData\Roaming\Acrobat\Acrobat.exe
                                                          No context
Match | Associated Sample Name / URL | Detection | Context
multimetals.cfd | B35@6B.exe | malicious | 192.185.37.183
 | B35@6B.exe | malicious | 192.185.37.183
                                                          No context
Match | Associated Sample Name / URL | Detection | Context
3b5074b1b5d032e5620f69f9f700ff0e | https://throttlecrm.com/resources/newsletters/link.php?realm=aftermarket&dealergroup=B1370T&email=kellyh@chesapeakehearingaids.com&archiveid=000275_1504625161&url=http://48967005vVmGKaWi.marimaiscredito.com.br/aa/ZGVubmlzQGVjbGlweml0LmNvbQ0= | malicious | 142.250.185.228
 | SecuriteInfo.com.Trojan.Siggen18.27372.28537.exe | malicious | 142.250.185.228
 | h2C08rJjFc.exe | malicious | 142.250.185.228
 | ihH6LrEanG.exe | malicious | 142.250.185.228
 | RK4mDQw4Eg.exe | malicious | 142.250.185.228
 | Required Order and Shipping Details.exe | malicious | 142.250.185.228
 | 8fvsuWILTo.dll | malicious | 142.250.185.228
 | BL-SHIPPING ADVICE.exe | malicious | 142.250.185.228
 | HnhSY5ZpVo.exe | malicious | 142.250.185.228
 | ORDER LIST.exe | malicious | 142.250.185.228
 | CbmhYKLsrt.exe | malicious | 142.250.185.228
 | SecuriteInfo.com.Trojan.Siggen18.27836.32637.exe | malicious | 142.250.185.228
 | https://submarined-glim.godaddysites.com/ | malicious | 142.250.185.228
 | SecuriteInfo.com.W32.AIDetectNet.01.23463.exe | malicious | 142.250.185.228
 | install.exe | malicious | 142.250.185.228
 | ChromeUpdater.exe | malicious | 142.250.185.228
 | http://trk.klclick3.com/ls/click | malicious | 142.250.185.228
 | Overdue for July & August Statement.exe | malicious | 142.250.185.228
 | Narud#U017ebenica_(P.O_60463402)_ATINEL.exe | malicious | 142.250.185.228
 | INVOICE AND NOA.exe | malicious | 142.250.185.228
Match | Associated Sample Name / URL | Detection
C:\Users\user\AppData\Roaming\Acrobat\Acrobat.exe | FFJddC8bXz.exe | malicious
 | B35@6B.exe | malicious
 | DDD58.exe | malicious
 | Order-0627.exe | malicious
 | SecuriteInfo.com.W32.AIDetectNet.01.8958.exe | malicious
 | SecuriteInfo.com.W32.AIDetectNet.01.24747.exe | malicious
 | SecuriteInfo.com.W32.AIDetectNet.01.18679.exe | malicious
 | 52@J@1.exe | malicious
 | SecuriteInfo.com.W32.AIDetectNet.01.4650.exe | malicious
 | SecuriteInfo.com.W32.AIDetectNet.01.15627.exe | malicious
 | EE3F73J.exe | malicious
 | Re063331.exe | malicious
 | SecuriteInfo.com.W32.AIDetectNet.01.30647.exe | malicious
 | E8A4EJHH.exe | malicious
 | 30% SS23 Deposit.exe | malicious
 | NysNiY0pJN.exe | malicious
 | JAB@C7B2.exe | malicious
 | MT_561227.exe | malicious
 | SecuriteInfo.com.W32.AIDetectNet.01.23261.exe | malicious
 | DFDocumentsB2F.exe | malicious
                                                                                                  Process:C:\Users\user\Desktop\D6GEVBNNH11111.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1301
                                                                                                  Entropy (8bit):5.345637324625647
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:MLUE4Ko84qpE4Ks2wKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7r1qE4KE4VE4j:MIHKov2HKXwYHKhQnoPtHoxHhAHKzvr3
                                                                                                  MD5:90DA70F21E67A8A3197C9F454FA9CB57
                                                                                                  SHA1:FC0B4A2B0F54E399477E168EEAFE962E6589DF91
                                                                                                  SHA-256:FEA95A3982BE3C224FDDFCE307C75459525FDFE66B5A7E6D83625FF51542F54E
                                                                                                  SHA-512:8563365117151AC0F90DFF6352D766F9A06E7AFCE2A2D949EC2A59DFA7078615BBCE59E6B081F351D45F8BB50793129509810EAF97F8D42ECD4F3B21AB3938C0
                                                                                                  Malicious:true
                                                                                                  Reputation:low
                                                                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b880
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\geater.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1301
                                                                                                  Entropy (8bit):5.345637324625647
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:MLUE4Ko84qpE4Ks2wKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7r1qE4KE4VE4j:MIHKov2HKXwYHKhQnoPtHoxHhAHKzvr3
                                                                                                  MD5:90DA70F21E67A8A3197C9F454FA9CB57
                                                                                                  SHA1:FC0B4A2B0F54E399477E168EEAFE962E6589DF91
                                                                                                  SHA-256:FEA95A3982BE3C224FDDFCE307C75459525FDFE66B5A7E6D83625FF51542F54E
                                                                                                  SHA-512:8563365117151AC0F90DFF6352D766F9A06E7AFCE2A2D949EC2A59DFA7078615BBCE59E6B081F351D45F8BB50793129509810EAF97F8D42ECD4F3B21AB3938C0
                                                                                                  Malicious:false
                                                                                                  Reputation:low
                                                                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b880
                                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                  File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):41064
                                                                                                  Entropy (8bit):6.164873449128079
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:FtpFVLK0MsihB9VKS7xdgE7KJ9Yl6dnPU3SERztmbqCJstdMardz/JikPZ+sPZTd:ZBMs2SqdD86Iq8gZZFyViML3an
                                                                                                  MD5:EFEC8C379D165E3F33B536739AEE26A3
                                                                                                  SHA1:C875908ACBA5CAC1E0B40F06A83F0F156A2640FA
                                                                                                  SHA-256:46DEE184523A584E56DF93389F81992911A1BA6B1F05AD7D803C6AB1450E18CB
                                                                                                  SHA-512:497847EC115D9AF78899E6DC20EC32A60B16954F83CF5169A23DD3F1459CB632DAC95417BD898FD1895C9FE2262FCBF7838FCF6919FB3B851A0557FBE07CCFFA
                                                                                                  Malicious:true
                                                                                                  Antivirus:
• Antivirus: Metadefender, Detection: 0%
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Joe Sandbox View:
• Filename: FFJddC8bXz.exe, Detection: malicious
• Filename: B35@6B.exe, Detection: malicious
• Filename: DDD58.exe, Detection: malicious
• Filename: Order-0627.exe, Detection: malicious
• Filename: SecuriteInfo.com.W32.AIDetectNet.01.8958.exe, Detection: malicious
• Filename: SecuriteInfo.com.W32.AIDetectNet.01.24747.exe, Detection: malicious
• Filename: SecuriteInfo.com.W32.AIDetectNet.01.18679.exe, Detection: malicious
• Filename: 52@J@1.exe, Detection: malicious
• Filename: SecuriteInfo.com.W32.AIDetectNet.01.4650.exe, Detection: malicious
• Filename: SecuriteInfo.com.W32.AIDetectNet.01.15627.exe, Detection: malicious
• Filename: EE3F73J.exe, Detection: malicious
• Filename: Re063331.exe, Detection: malicious
• Filename: SecuriteInfo.com.W32.AIDetectNet.01.30647.exe, Detection: malicious
• Filename: E8A4EJHH.exe, Detection: malicious
• Filename: 30% SS23 Deposit.exe, Detection: malicious
• Filename: NysNiY0pJN.exe, Detection: malicious
• Filename: JAB@C7B2.exe, Detection: malicious
• Filename: MT_561227.exe, Detection: malicious
• Filename: SecuriteInfo.com.W32.AIDetectNet.01.23261.exe, Detection: malicious
• Filename: DFDocumentsB2F.exe, Detection: malicious
                                                                                                  Reputation:high, very likely benign file
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Z.Z..............0..T...........r... ........@.. ....................................`.................................4r..O....................b..h>...........p............................................... ............... ..H............text....R... ...T.................. ..`.rsrc................V..............@..@.reloc...............`..............@..B................hr......H........"..|J..........lm.......o......................................2~.....o....*.r...p(....*VrK..p(....s.........*..0..........(....(....o....o....(....o.... .....T(....o....(....o....o ...o!....4(....o....(....o....o ...o".....(....rm..ps#...o....($........(%....o&....ry..p......%.r...p.%.(.....(....('....((.......o)...('........*.*................"..(*...*..{Q...-...}Q.....(+...(....(,....(+...*"..(-...*..(....*..(.....r...p.(/...o0...s....}T...*....0.. .......~S...-.s
                                                                                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Entropy (8bit):6.678403713726006
                                                                                                  TrID:
                                                                                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                                  • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                  • DOS Executable Generic (2002/1) 0.01%
                                                                                                  File name:D6GEVBNNH11111.exe
                                                                                                  File size:640512
                                                                                                  MD5:9cef8265c679bafb06f885678ceab7bd
                                                                                                  SHA1:ac7faaa7e8439951eaafd8e02007f33a555cd01b
                                                                                                  SHA256:18f7c9fcf55206644996038b2908aa3871e3ea9affa4c6d62a7460f5b95cca90
                                                                                                  SHA512:ab176b5348a6a69752eb9e47e2ed11f5130a02104f38932f6f88058bed797e0ab8ffabe665c353ba174788cf60d3114961554ce41bef850c4161cc9316451533
                                                                                                  SSDEEP:12288:7yJTxDWRQLg9r91BXxQ/q22ZzGSf1q6B0sQuc9G:7ynWRQerDxxs32NG61q6PQuc
                                                                                                  TLSH:A4D4BE0367988B94C9A4B7BF22D1AB0013F9F0C76B02DB0B6F4B45E565A72C17E1DB49
                                                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Q1.4..............P.............N.... ........@.. ....................... ............`................................
                                                                                                  Icon Hash:00828e8e8686b000
                                                                                                  Entrypoint:0x49d84e
                                                                                                  Entrypoint Section:.text
                                                                                                  Digitally signed:false
                                                                                                  Imagebase:0x400000
                                                                                                  Subsystem:windows gui
                                                                                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                  DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                  Time Stamp:0x34EF3151 [Sat Feb 21 19:56:01 1998 UTC]
                                                                                                  TLS Callbacks:
                                                                                                  CLR (.Net) Version:
                                                                                                  OS Version Major:4
                                                                                                  OS Version Minor:0
                                                                                                  File Version Major:4
                                                                                                  File Version Minor:0
                                                                                                  Subsystem Version Major:4
                                                                                                  Subsystem Version Minor:0
                                                                                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                                                  Instruction
                                                                                                  jmp dword ptr [00402000h]
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x9d7f8          0x53          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x9e000          0x646         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xa0000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity     File Type  Entropy              Characteristics
.text   0x2000           0x9b854       0x9ba00   False     0.6776276982931727  data       6.690081890735924    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0x9e000          0x646         0x800     False     0.35693359375       data       3.7271367690740242   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0xa0000          0xc           0x200     False     0.044921875         data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name         RVA      Size   Type                                                                        Language  Country
RT_VERSION   0x9e0a0  0x3bc  data
RT_MANIFEST  0x9e45c  0x1ea  XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
DLL          Import
mscoree.dll  _CorExeMain
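The data-directory, section and import tables above are all read straight out of the PE headers, and together they carry the one static fact that decides how this sample should be triaged: a populated IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (the CLR header) plus a single import of mscoree.dll!_CorExeMain means this is a managed .NET assembly, so the native x86 disassembly is only the loader stub and the real logic has to be recovered with a .NET decompiler. The following stdlib-only Python is an added example, not part of the Joe Sandbox report or of its tooling. It parses the data directories and section table of a PE32 or PE32+ image, maps each directory to its containing section (assumed here to be a simple range check on each section's VirtualAddress and VirtualSize, which reproduces the "Is in Section" column), and applies the CLR-header check. The sample header bytes are constructed inline to mirror the values in the tables; the binary itself is not included.

```python
"""Stdlib-only PE data-directory parser with a CLR-header (.NET) check. Added example."""
import struct

# Data-directory indices in the order IMAGE_OPTIONAL_HEADER lays them out (PE/COFF spec).
DIRECTORY_NAMES = [
    "EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC",
    "DEBUG", "COPYRIGHT", "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT",
    "IAT", "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED",
]
COM_DESCRIPTOR = 14  # the CLR header; non-zero only in managed (.NET) images


def parse_sections(data, sect_off, count):
    """Return (name, virtual_address, virtual_size) for each 40-byte section header."""
    sections = []
    for i in range(count):
        off = sect_off + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr = struct.unpack_from("<II", data, off + 8)  # VirtualSize, VirtualAddress
        sections.append((name, vaddr, vsize))
    return sections


def section_for_rva(sections, rva):
    """Name of the section whose [VirtualAddress, VirtualAddress + VirtualSize) holds rva, else ''."""
    for name, vaddr, vsize in sections:
        if vaddr <= rva < vaddr + vsize:
            return name
    return ""


def parse_data_directories(data):
    """Parse a PE image into a list of (name, rva, size, section) tuples, one per directory."""
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections, = struct.unpack_from("<H", data, coff + 2)   # NumberOfSections
    opt_size, = struct.unpack_from("<H", data, coff + 16)   # SizeOfOptionalHeader
    opt = coff + 20
    magic, = struct.unpack_from("<H", data, opt)
    # PE32 keeps NumberOfRvaAndSizes at +92 and the directories at +96; PE32+ at +108 / +112.
    if magic == 0x10B:
        ndirs, = struct.unpack_from("<I", data, opt + 92)
        dirs_off = opt + 96
    elif magic == 0x20B:
        ndirs, = struct.unpack_from("<I", data, opt + 108)
        dirs_off = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sections = parse_sections(data, opt + opt_size, nsections)
    result = []
    for i in range(min(ndirs, 16)):
        rva, size = struct.unpack_from("<II", data, dirs_off + 8 * i)
        section = section_for_rva(sections, rva) if rva else ""
        result.append((DIRECTORY_NAMES[i], rva, size, section))
    return result


def is_dotnet(data):
    """True when the CLR header directory is populated, i.e. the image is a managed assembly."""
    _, rva, size, _ = parse_data_directories(data)[COM_DESCRIPTOR]
    return rva != 0 and size != 0


def build_sample_image():
    """Constructed header-only PE32 image whose directories and sections mirror the report's tables."""
    directories = {1: (0x9D7F8, 0x53), 2: (0x9E000, 0x646), 5: (0xA0000, 0xC),
                   12: (0x2000, 0x8), 14: (0x2008, 0x48)}
    sections = [(b".text", 0x9B854, 0x2000), (b".rsrc", 0x646, 0x9E000), (b".reloc", 0xC, 0xA0000)]
    img = bytearray(0x80 + 4 + 20 + 224 + 40 * len(sections))
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                  # e_lfanew -> PE signature
    img[0x80:0x84] = b"PE\0\0"
    coff = 0x84                                               # Machine=i386, 3 sections, 224-byte optional header
    struct.pack_into("<HHIIIHH", img, coff, 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = coff + 20
    struct.pack_into("<H", img, opt, 0x10B)                   # PE32 magic
    struct.pack_into("<I", img, opt + 92, 16)                 # NumberOfRvaAndSizes
    for idx, (rva, size) in directories.items():
        struct.pack_into("<II", img, opt + 96 + 8 * idx, rva, size)
    for i, (name, vsize, vaddr) in enumerate(sections):
        off = opt + 224 + 40 * i
        img[off:off + len(name)] = name
        struct.pack_into("<II", img, off + 8, vsize, vaddr)
    return bytes(img)


if __name__ == "__main__":
    image = build_sample_image()
    print("%-16s %-10s %-8s %s" % ("Name", "RVA", "Size", "Section"))
    for name, rva, size, section in parse_data_directories(image):
        print("%-16s 0x%-8x 0x%-6x %s" % (name, rva, size, section))
    print("CLR header present (managed assembly):", is_dotnet(image))
```

Run against a real file with `parse_data_directories(open(path, "rb").read())`; when `is_dotnet` returns True, spend the analysis time on the IL (dnSpy, ILSpy or similar) rather than on the native disassembly, which for a managed executable contains nothing but the stub that transfers control to the CLR.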
Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Jul 26, 2022 21:52:10.754509926 CEST  49749        443        192.168.2.5      142.250.185.228
Jul 26, 2022 21:52:10.754553080 CEST  443          49749      142.250.185.228  192.168.2.5
Jul 26, 2022 21:52:10.754661083 CEST  49749        443        192.168.2.5      142.250.185.228
Jul 26, 2022 21:52:10.826807022 CEST  49749        443        192.168.2.5      142.250.185.228
Jul 26, 2022 21:52:10.826839924 CEST  443          49749      142.250.185.228  192.168.2.5
Jul 26, 2022 21:52:10.876451969 CEST  443          49749      142.250.185.228  192.168.2.5
Jul 26, 2022 21:52:10.876605034 CEST  49749        443        192.168.2.5      142.250.185.228
Jul 26, 2022 21:52:10.879754066 CEST  49749        443        192.168.2.5      142.250.185.228
Jul 26, 2022 21:52:10.879767895 CEST  443          49749      142.250.185.228  192.168.2.5
Jul 26, 2022 21:52:10.879992962 CEST  443          49749      142.250.185.228  192.168.2.5
Jul 26, 2022 21:52:10.929282904 CEST  49749        443        192.168.2.5      142.250.185.228
Jul 26, 2022 21:52:11.224459887 CEST  49749        443        192.168.2.5      142.250.185.228
Jul 26, 2022 21:52:11.267405987 CEST  443          49749      142.250.185.228  192.168.2.5
Jul 26, 2022 21:52:11.300113916 CEST  443          49749      142.250.185.228  192.168.2.5
Jul 26, 2022 21:52:11.300235033 CEST  443          49749      142.250.185.228  192.168.2.5
Jul 26, 2022 21:52:11.300316095 CEST  443          49749      142.250.185.228  192.168.2.5
Jul 26, 2022 21:52:11.300329924 CEST  49749        443        192.168.2.5      142.250.185.228
Jul 26, 2022 21:52:11.300373077 CEST  443          49749      142.250.185.228  192.168.2.5
Jul 26, 2022 21:52:11.300437927 CEST  49749        443        192.168.2.5      142.250.185.228
Jul 26, 2022 21:52:11.300447941 CEST  443          49749      142.250.185.228  192.168.2.5
Jul 26, 2022 21:52:11.300479889 CEST  443          49749      142.250.185.228  192.168.2.5
Jul 26, 2022 21:52:11.300575018 CEST  49749        443        192.168.2.5      142.250.185.228
Jul 26, 2022 21:52:11.300846100 CEST  443          49749      142.250.185.228  192.168.2.5
Jul 26, 2022 21:52:11.303319931 CEST  443          49749      142.250.185.228  192.168.2.5
Jul 26, 2022 21:52:11.303416967 CEST  443          49749      142.250.185.228  192.168.2.5
Jul 26, 2022 21:52:11.303435087 CEST  49749        443        192.168.2.5      142.250.185.228
Jul 26, 2022 21:52:11.303461075 CEST  443          49749      142.250.185.228  192.168.2.5
Jul 26, 2022 21:52:11.303527117 CEST  49749        443        192.168.2.5      142.250.185.228
Jul 26, 2022 21:52:11.303903103 CEST  443          49749      142.250.185.228  192.168.2.5
Jul 26, 2022 21:52:11.304688931 CEST  443          49749      142.250.185.228  192.168.2.5
Jul 26, 2022 21:52:11.304757118 CEST  443          49749      142.250.185.228  192.168.2.5
Jul 26, 2022 21:52:11.304810047 CEST  49749        443        192.168.2.5      142.250.185.228
Jul 26, 2022 21:52:11.304826975 CEST  443          49749      142.250.185.228  192.168.2.5
Jul 26, 2022 21:52:11.304898977 CEST  49749        443        192.168.2.5      142.250.185.228
Jul 26, 2022 21:52:11.317186117 CEST  443          49749      142.250.185.228  192.168.2.5
Jul 26, 2022 21:52:11.317454100 CEST  443          49749      142.250.185.228  192.168.2.5
Jul 26, 2022 21:52:11.317547083 CEST  443          49749      142.250.185.228  192.168.2.5
Jul 26, 2022 21:52:11.317639112 CEST  49749        443        192.168.2.5      142.250.185.228
Jul 26, 2022 21:52:11.317677021 CEST  443          49749      142.250.185.228  192.168.2.5
Jul 26, 2022 21:52:11.317768097 CEST  49749        443        192.168.2.5      142.250.185.228
Jul 26, 2022 21:52:11.318171978 CEST  443          49749      142.250.185.228  192.168.2.5
Jul 26, 2022 21:52:11.321326971 CEST  443          49749      142.250.185.228  192.168.2.5
Jul 26, 2022 21:52:11.321444988 CEST  443          49749      142.250.185.228  192.168.2.5
Jul 26, 2022 21:52:11.321506023 CEST  49749        443        192.168.2.5      142.250.185.228
Jul 26, 2022 21:52:11.321526051 CEST  443          49749      142.250.185.228  192.168.2.5
Jul 26, 2022 21:52:11.321599007 CEST  49749        443        192.168.2.5      142.250.185.228
Jul 26, 2022 21:52:11.321609020 CEST  443          49749      142.250.185.228  192.168.2.5
Jul 26, 2022 21:52:11.321645021 CEST  443          49749      142.250.185.228  192.168.2.5
Jul 26, 2022 21:52:11.321717978 CEST  49749        443        192.168.2.5      142.250.185.228
Jul 26, 2022 21:52:11.322206020 CEST  443          49749      142.250.185.228  192.168.2.5
Jul 26, 2022 21:52:11.323597908 CEST  443          49749      142.250.185.228  192.168.2.5
Jul 26, 2022 21:52:11.323710918 CEST  443          49749      142.250.185.228  192.168.2.5
Jul 26, 2022 21:52:11.323748112 CEST  49749        443        192.168.2.5      142.250.185.228
Jul 26, 2022 21:52:11.323765993 CEST  443          49749      142.250.185.228  192.168.2.5
Jul 26, 2022 21:52:11.323843002 CEST  49749        443        192.168.2.5      142.250.185.228
Jul 26, 2022 21:52:11.324445009 CEST  443          49749      142.250.185.228  192.168.2.5
Jul 26, 2022 21:52:11.325731993 CEST  443          49749      142.250.185.228  192.168.2.5
Jul 26, 2022 21:52:11.325835943 CEST  443          49749      142.250.185.228  192.168.2.5
Jul 26, 2022 21:52:11.325846910 CEST  49749        443        192.168.2.5      142.250.185.228
Jul 26, 2022 21:52:11.325872898 CEST  443          49749      142.250.185.228  192.168.2.5
Jul 26, 2022 21:52:11.325956106 CEST  49749        443        192.168.2.5      142.250.185.228
Jul 26, 2022 21:52:11.326878071 CEST  443          49749      142.250.185.228  192.168.2.5
Jul 26, 2022 21:52:11.327651024 CEST  443          49749      142.250.185.228  192.168.2.5
Jul 26, 2022 21:52:11.327747107 CEST  443          49749      142.250.185.228  192.168.2.5
Jul 26, 2022 21:52:11.327769041 CEST  49749        443        192.168.2.5      142.250.185.228
Jul 26, 2022 21:52:11.327799082 CEST  443          49749      142.250.185.228  192.168.2.5
Jul 26, 2022 21:52:11.327897072 CEST  49749        443        192.168.2.5      142.250.185.228
Jul 26, 2022 21:52:11.328733921 CEST  443          49749      142.250.185.228  192.168.2.5
Jul 26, 2022 21:52:11.329996109 CEST  443          49749      142.250.185.228  192.168.2.5
Jul 26, 2022 21:52:11.330111027 CEST  443          49749      142.250.185.228  192.168.2.5
Jul 26, 2022 21:52:11.330115080 CEST  49749        443        192.168.2.5      142.250.185.228
Jul 26, 2022 21:52:11.330140114 CEST  443          49749      142.250.185.228  192.168.2.5
Jul 26, 2022 21:52:11.330195904 CEST  49749        443        192.168.2.5      142.250.185.228
Jul 26, 2022 21:52:11.331032038 CEST  443          49749      142.250.185.228  192.168.2.5
Jul 26, 2022 21:52:11.331286907 CEST  443          49749      142.250.185.228  192.168.2.5
Jul 26, 2022 21:52:11.331392050 CEST  49749        443        192.168.2.5      142.250.185.228
Jul 26, 2022 21:52:11.345297098 CEST  49749        443        192.168.2.5      142.250.185.228
Jul 26, 2022 21:52:29.001318932 CEST  49765        443        192.168.2.5      142.250.185.228
Jul 26, 2022 21:52:29.001386881 CEST  443          49765      142.250.185.228  192.168.2.5
Jul 26, 2022 21:52:29.001743078 CEST  49765        443        192.168.2.5      142.250.185.228
Jul 26, 2022 21:52:29.052330971 CEST  49765        443        192.168.2.5      142.250.185.228
Jul 26, 2022 21:52:29.052376986 CEST  443          49765      142.250.185.228  192.168.2.5
Jul 26, 2022 21:52:29.102763891 CEST  443          49765      142.250.185.228  192.168.2.5
Jul 26, 2022 21:52:29.102883101 CEST  49765        443        192.168.2.5      142.250.185.228
Jul 26, 2022 21:52:29.107256889 CEST  49765        443        192.168.2.5      142.250.185.228
Jul 26, 2022 21:52:29.107271910 CEST  443          49765      142.250.185.228  192.168.2.5
Jul 26, 2022 21:52:29.107842922 CEST  443          49765      142.250.185.228  192.168.2.5
Jul 26, 2022 21:52:29.227751970 CEST  49765        443        192.168.2.5      142.250.185.228
Jul 26, 2022 21:52:29.569200039 CEST  49765        443        192.168.2.5      142.250.185.228
Jul 26, 2022 21:52:29.611373901 CEST  443          49765      142.250.185.228  192.168.2.5
Jul 26, 2022 21:52:29.645994902 CEST  443          49765      142.250.185.228  192.168.2.5
Jul 26, 2022 21:52:29.646119118 CEST  443          49765      142.250.185.228  192.168.2.5
Jul 26, 2022 21:52:29.646236897 CEST  49765        443        192.168.2.5      142.250.185.228
Jul 26, 2022 21:52:29.646244049 CEST  443          49765      142.250.185.228  192.168.2.5
Jul 26, 2022 21:52:29.646267891 CEST  443          49765      142.250.185.228  192.168.2.5
Jul 26, 2022 21:52:29.646332979 CEST  49765        443        192.168.2.5      142.250.185.228
Jul 26, 2022 21:52:29.646361113 CEST  443          49765      142.250.185.228  192.168.2.5
Jul 26, 2022 21:52:29.646836996 CEST  443          49765      142.250.185.228  192.168.2.5
Jul 26, 2022 21:52:29.646922112 CEST  49765        443        192.168.2.5      142.250.185.228
Jul 26, 2022 21:52:29.646939039 CEST  443          49765      142.250.185.228  192.168.2.5
Jul 26, 2022 21:52:29.646960020 CEST  443          49765      142.250.185.228  192.168.2.5
Jul 26, 2022 21:52:29.647016048 CEST  49765        443        192.168.2.5      142.250.185.228
Jul 26, 2022 21:52:29.648097038 CEST  443          49765      142.250.185.228  192.168.2.5
Jul 26, 2022 21:52:29.649430990 CEST  443          49765      142.250.185.228  192.168.2.5
Jul 26, 2022 21:52:29.649492979 CEST  443          49765      142.250.185.228  192.168.2.5
Jul 26, 2022 21:52:29.649544001 CEST  49765        443        192.168.2.5      142.250.185.228
Jul 26, 2022 21:52:29.649564981 CEST  443          49765      142.250.185.228  192.168.2.5
Jul 26, 2022 21:52:29.649676085 CEST  49765        443        192.168.2.5      142.250.185.228
Jul 26, 2022 21:52:29.651024103 CEST  443          49765      142.250.185.228  192.168.2.5
Jul 26, 2022 21:52:29.663244009 CEST  443          49765      142.250.185.228  192.168.2.5
Jul 26, 2022 21:52:29.663333893 CEST  443          49765      142.250.185.228  192.168.2.5
Jul 26, 2022 21:52:29.663333893 CEST  49765        443        192.168.2.5      142.250.185.228
Jul 26, 2022 21:52:29.663393974 CEST  443          49765      142.250.185.228  192.168.2.5
Jul 26, 2022 21:52:29.663481951 CEST  49765        443        192.168.2.5      142.250.185.228
Jul 26, 2022 21:52:29.663599014 CEST  443          49765      142.250.185.228  192.168.2.5
Jul 26, 2022 21:52:29.664931059 CEST  443          49765      142.250.185.228  192.168.2.5
Jul 26, 2022 21:52:29.665004969 CEST  443          49765      142.250.185.228  192.168.2.5
Jul 26, 2022 21:52:29.665009022 CEST  49765        443        192.168.2.5      142.250.185.228
Jul 26, 2022 21:52:29.665043116 CEST  443          49765      142.250.185.228  192.168.2.5
Jul 26, 2022 21:52:29.665174007 CEST  49765        443        192.168.2.5      142.250.185.228
Jul 26, 2022 21:52:29.665193081 CEST  443          49765      142.250.185.228  192.168.2.5
Jul 26, 2022 21:52:29.666312933 CEST  443          49765      142.250.185.228  192.168.2.5
Jul 26, 2022 21:52:29.666438103 CEST  49765        443        192.168.2.5      142.250.185.228
Jul 26, 2022 21:52:29.666457891 CEST  443          49765      142.250.185.228  192.168.2.5
Jul 26, 2022 21:52:29.667649984 CEST  443          49765      142.250.185.228  192.168.2.5
Jul 26, 2022 21:52:29.667736053 CEST  49765        443        192.168.2.5      142.250.185.228
Jul 26, 2022 21:52:29.667758942 CEST  443          49765      142.250.185.228  192.168.2.5
Jul 26, 2022 21:52:29.668889999 CEST  443          49765      142.250.185.228  192.168.2.5
Jul 26, 2022 21:52:29.668987036 CEST  49765        443        192.168.2.5      142.250.185.228
Jul 26, 2022 21:52:29.669006109 CEST  443          49765      142.250.185.228  192.168.2.5
Jul 26, 2022 21:52:29.670226097 CEST  443          49765      142.250.185.228  192.168.2.5
Jul 26, 2022 21:52:29.670305967 CEST  49765        443        192.168.2.5      142.250.185.228
Jul 26, 2022 21:52:29.670321941 CEST  443          49765      142.250.185.228  192.168.2.5
Jul 26, 2022 21:52:29.671314001 CEST  443          49765      142.250.185.228  192.168.2.5
Jul 26, 2022 21:52:29.671411037 CEST  49765        443        192.168.2.5      142.250.185.228
Jul 26, 2022 21:52:29.671427965 CEST  443          49765      142.250.185.228  192.168.2.5
Jul 26, 2022 21:52:29.672435045 CEST  443          49765      142.250.185.228  192.168.2.5
Jul 26, 2022 21:52:29.672518015 CEST  49765        443        192.168.2.5      142.250.185.228
Jul 26, 2022 21:52:29.672533035 CEST  443          49765      142.250.185.228  192.168.2.5
Jul 26, 2022 21:52:29.673582077 CEST  443          49765      142.250.185.228  192.168.2.5
Jul 26, 2022 21:52:29.673710108 CEST  49765        443        192.168.2.5      142.250.185.228
Jul 26, 2022 21:52:29.673728943 CEST  443          49765      142.250.185.228  192.168.2.5
Jul 26, 2022 21:52:29.675777912 CEST  443          49765      142.250.185.228  192.168.2.5
Jul 26, 2022 21:52:29.675860882 CEST  443          49765      142.250.185.228  192.168.2.5
Jul 26, 2022 21:52:29.676790953 CEST  443          49765      142.250.185.228  192.168.2.5
Jul 26, 2022 21:52:29.677342892 CEST  443          49765      142.250.185.228  192.168.2.5
Jul 26, 2022 21:52:29.677448988 CEST  443          49765      142.250.185.228  192.168.2.5
                                                                                                  Jul 26, 2022 21:52:29.677464008 CEST49765443192.168.2.5142.250.185.228
                                                                                                  Jul 26, 2022 21:52:29.677491903 CEST44349765142.250.185.228192.168.2.5
                                                                                                  Jul 26, 2022 21:52:29.677509069 CEST49765443192.168.2.5142.250.185.228
                                                                                                  Jul 26, 2022 21:52:29.677514076 CEST49765443192.168.2.5142.250.185.228
                                                                                                  Jul 26, 2022 21:52:29.678072929 CEST44349765142.250.185.228192.168.2.5
                                                                                                  Jul 26, 2022 21:52:29.678241014 CEST49765443192.168.2.5142.250.185.228
                                                                                                  Jul 26, 2022 21:52:29.692991018 CEST49765443192.168.2.5142.250.185.228
Timestamp                             Source Port  Dest Port  Source IP    Dest IP
Jul 26, 2022 21:52:10.696971893 CEST  61356        53         192.168.2.5  8.8.8.8
Jul 26, 2022 21:52:10.716706038 CEST  53           61356      8.8.8.8      192.168.2.5
Jul 26, 2022 21:52:28.957506895 CEST  59661        53         192.168.2.5  8.8.8.8
Jul 26, 2022 21:52:28.975078106 CEST  53           59661      8.8.8.8      192.168.2.5
Jul 26, 2022 21:54:17.178013086 CEST  64405        53         192.168.2.5  8.8.8.8
Jul 26, 2022 21:54:17.373930931 CEST  53           64405      8.8.8.8      192.168.2.5
Timestamp                             Source IP    Dest IP  Checksum  Code                Type
Jul 26, 2022 21:53:38.107453108 CEST  192.168.2.5  8.8.8.8  d043      (Port unreachable)  Destination Unreachable
Timestamp                             Source IP    Dest IP  Trans ID  OP Code             Name             Type            Class
Jul 26, 2022 21:52:10.696971893 CEST  192.168.2.5  8.8.8.8  0x9cfc    Standard query (0)  www.google.com   A (IP address)  IN (0x0001)
Jul 26, 2022 21:52:28.957506895 CEST  192.168.2.5  8.8.8.8  0x627d    Standard query (0)  www.google.com   A (IP address)  IN (0x0001)
Jul 26, 2022 21:54:17.178013086 CEST  192.168.2.5  8.8.8.8  0xb788    Standard query (0)  multimetals.cfd  A (IP address)  IN (0x0001)
Timestamp                             Source IP  Dest IP      Trans ID  Reply Code    Name             CName  Address          Type            Class
Jul 26, 2022 21:52:10.716706038 CEST  8.8.8.8    192.168.2.5  0x9cfc    No error (0)  www.google.com   -      142.250.185.228  A (IP address)  IN (0x0001)
Jul 26, 2022 21:52:28.975078106 CEST  8.8.8.8    192.168.2.5  0x627d    No error (0)  www.google.com   -      142.250.185.228  A (IP address)  IN (0x0001)
Jul 26, 2022 21:54:17.373930931 CEST  8.8.8.8    192.168.2.5  0xb788    No error (0)  multimetals.cfd  -      192.185.37.183   A (IP address)  IN (0x0001)
                                                                                                  • www.google.com
Session ID  Source IP    Source Port  Destination IP   Destination Port  Process
0           192.168.2.5  49749        142.250.185.228  443               C:\Users\user\Desktop\D6GEVBNNH11111.exe
Timestamp                kBytes transferred  Direction  Data
2022-07-26 19:52:11 UTC  0                   OUT        GET / HTTP/1.1
                                                                                                  Host: www.google.com
                                                                                                  Connection: Keep-Alive
2022-07-26 19:52:11 UTC  0                   IN         HTTP/1.1 200 OK
                                                                                                  Date: Tue, 26 Jul 2022 19:52:11 GMT
                                                                                                  Expires: -1
                                                                                                  Cache-Control: private, max-age=0
                                                                                                  Content-Type: text/html; charset=ISO-8859-1
                                                                                                  P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                                                                                                  Server: gws
                                                                                                  X-XSS-Protection: 0
                                                                                                  X-Frame-Options: SAMEORIGIN
                                                                                                  Set-Cookie: AEC=AakniGMsW-4wpxoyuTYivGkd8FPp-UdNGgpcHa_Os971pn8smUygV4kG7Q; expires=Sun, 22-Jan-2023 19:52:11 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
                                                                                                  Set-Cookie: __Secure-ENID=6.SE=VAmrEV0yWs2eAo9BYyz8TM8ICzr_Rzh6_yA01m5sY2Qgxt-cqlM4kuBpZKC7S6vP4XK36RheRCNRThaWRryBtUQJ1iydpVP3VqrRziocXwLIn9VibJHnwC7PVRRMgzG8M2MhARvaFQ9uJnq5nQsYDlOvsXa33nFqldguGFr__r8; expires=Sat, 26-Aug-2023 12:10:29 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
                                                                                                  Set-Cookie: CONSENT=PENDING+624; expires=Thu, 25-Jul-2024 19:52:11 GMT; path=/; domain=.google.com; Secure
                                                                                                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
                                                                                                  Accept-Ranges: none
                                                                                                  Vary: Accept-Encoding
                                                                                                  Connection: close
                                                                                                  Transfer-Encoding: chunked
2022-07-26 19:52:11 UTC  1                   IN         Data Raw: 35 38 33 39 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 69 74 65 6d 73 63 6f 70 65 3d 22 22 20 69 74 65 6d 74 79 70 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 2e 6f 72 67 2f 57 65 62 50 61 67 65 22 20 6c 61 6e 67 3d 22 64 65 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74
                                                                                                  Data Ascii: 5839<!doctype html><html itemscope="" itemtype="http://schema.org/WebPage" lang="de"><head><meta content="text/html; charset=UTF-8" http-equiv="Content-Type"><meta content
2022-07-26 19:52:11 UTC  1                   IN         Data Raw: 3d 22 2f 6c 6f 67 6f 73 2f 64 6f 6f 64 6c 65 73 2f 32 30 32 32 2f 63 65 6c 65 62 72 61 74 69 6e 67 2d 73 74 65 65 6c 70 61 6e 2d 36 37 35 33 36 35 31 38 33 37 31 30 38 34 36 37 2e 34 2d 6c 2e 70 6e 67 22 20 69 74 65 6d 70 72 6f 70 3d 22 69 6d 61 67 65 22 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 57 69 72 20 66 65 69 65 72 6e 20 64 69 65 20 53 74 65 65 6c 20 50 61 6e 22 20 70 72 6f 70 65 72 74 79 3d 22 74 77 69 74 74 65 72 3a 74 69 74 6c 65 22 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 57 69 72 20 66 65 69 65 72 6e 20 64 69 65 20 53 74 65 65 6c 20 50 61 6e 21 20 23 47 6f 6f 67 6c 65 44 6f 6f 64 6c 65 22 20 70 72 6f 70 65 72 74 79 3d 22 74 77 69 74 74 65 72 3a 64 65 73 63 72 69 70 74 69 6f 6e 22 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 57
                                                                                                  Data Ascii: ="/logos/doodles/2022/celebrating-steelpan-6753651837108467.4-l.png" itemprop="image"><meta content="Wir feiern die Steel Pan" property="twitter:title"><meta content="Wir feiern die Steel Pan! #GoogleDoodle" property="twitter:description"><meta content="W
2022-07-26 19:52:11 UTC  2                   IN         Data Raw: 31 34 2c 31 30 38 2c 33 34 30 36 2c 36 30 36 2c 32 30 32 33 2c 32 32 39 37 2c 31 34 36 37 30 2c 33 32 32 37 2c 32 38 34 35 2c 38 2c 34 38 31 30 2c 31 2c 32 38 39 35 38 2c 31 38 35 30 2c 31 35 37 35 37 2c 31 2c 32 2c 35 37 36 2c 36 31 38 32 2c 32 37 38 2c 31 34 38 2c 31 33 39 37 35 2c 34 2c 31 35 32 38 2c 32 33 30 34 2c 37 30 33 39 2c 32 30 33 30 39 2c 34 37 36 34 2c 32 36 35 38 2c 37 33 35 35 2c 31 38 30 39 37 2c 31 36 37 38 36 2c 35 37 38 38 2c 32 35 36 39 2c 34 30 39 32 2c 32 2c 34 30 35 32 2c 33 2c 33 35 34 31 2c 31 2c 34 32 31 35 34 2c 32 2c 31 34 30 32 32 2c 31 34 31 31 36 2c 31 31 36 32 33 2c 35 36 37 39 2c 31 30 32 30 2c 32 33 38 31 2c 31 34 30 32 33 2c 36 39 33 38 2c 32 2c 31 2c 39 2c 37 37 36 39 2c 34 35 36 37 2c 36 32 35 33 2c 32 33 34 32 34 2c
                                                                                                  Data Ascii: 14,108,3406,606,2023,2297,14670,3227,2845,8,4810,1,28958,1850,15757,1,2,576,6182,278,148,13975,4,1528,2304,7039,20309,4764,2658,7355,18097,16786,5788,2569,4092,2,4052,3,3541,1,42154,2,14022,14116,11623,5679,1020,2381,14023,6938,2,1,9,7769,4567,6253,23424,
2022-07-26 19:52:11 UTC  3                   IN         Data Raw: 3b 21 63 26 26 66 2e 5f 63 73 68 69 64 26 26 2d 31 3d 3d 3d 62 2e 73 65 61 72 63 68 28 22 26 63 73 68 69 64 3d 22 29 26 26 22 73 6c 68 22 21 3d 3d 61 26 26 28 64 3d 22 26 63 73 68 69 64 3d 22 2b 66 2e 5f 63 73 68 69 64 29 3b 63 3d 63 7c 7c 22 2f 22 2b 28 67 7c 7c 22 67 65 6e 5f 32 30 34 22 29 2b 22 3f 61 74 79 70 3d 69 26 63 74 3d 22 2b 61 2b 22 26 63 61 64 3d 22 2b 62 2b 65 2b 22 26 7a 78 3d 22 2b 44 61 74 65 2e 6e 6f 77 28 29 2b 64 3b 2f 5e 68 74 74 70 3a 2f 69 2e 74 65 73 74 28 63 29 26 26 22 68 74 74 70 73 3a 22 3d 3d 3d 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 70 72 6f 74 6f 63 6f 6c 26 26 28 67 6f 6f 67 6c 65 2e 6d 6c 26 26 67 6f 6f 67 6c 65 2e 6d 6c 28 45 72 72 6f 72 28 22 61 22 29 2c 21 31 2c 7b 73 72 63 3a 63 2c 67 6c 6d 6d 3a 31 7d 29 2c
                                                                                                  Data Ascii: ;!c&&f._cshid&&-1===b.search("&cshid=")&&"slh"!==a&&(d="&cshid="+f._cshid);c=c||"/"+(g||"gen_204")+"?atyp=i&ct="+a+"&cad="+b+e+"&zx="+Date.now()+d;/^http:/i.test(c)&&"https:"===window.location.protocol&&(google.ml&&google.ml(Error("a"),!1,{src:c,glmm:1}),
2022-07-26 19:52:11 UTC  5                   IN         Data Raw: 64 6f 63 75 6d 65 6e 74 2e 64 6f 63 75 6d 65 6e 74 45 6c 65 6d 65 6e 74 3b 61 3d 61 2e 70 61 72 65 6e 74 45 6c 65 6d 65 6e 74 29 69 66 28 22 41 22 3d 3d 3d 61 2e 74 61 67 4e 61 6d 65 29 7b 61 3d 22 31 22 3d 3d 3d 61 2e 67 65 74 41 74 74 72 69 62 75 74 65 28 22 64 61 74 61 2d 6e 6f 68 72 65 66 22 29 3b 62 72 65 61 6b 20 61 7d 61 3d 21 31 7d 61 26 26 62 2e 70 72 65 76 65 6e 74 44 65 66 61 75 6c 74 28 29 7d 2c 21 30 29 3b 7d 29 2e 63 61 6c 6c 28 74 68 69 73 29 3b 3c 2f 73 63 72 69 70 74 3e 3c 73 74 79 6c 65 3e 23 67 62 7b 66 6f 6e 74 3a 31 33 70 78 2f 32 37 70 78 20 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 68 65 69 67 68 74 3a 33 30 70 78 7d 23 67 62 7a 2c 23 67 62 67 7b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 77 68 69 74 65 2d 73 70
                                                                                                  Data Ascii: document.documentElement;a=a.parentElement)if("A"===a.tagName){a="1"===a.getAttribute("data-nohref");break a}a=!1}a&&b.preventDefault()},!0);}).call(this);</script><style>#gb{font:13px/27px Arial,sans-serif;height:30px}#gbz,#gbg{position:absolute;white-sp
2022-07-26 19:52:11 UTC  6                   IN         Data Raw: 7a 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 31 70 78 20 31 70 78 20 31 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 2e 32 29 7d 2e 67 62 74 6f 20 2e 67 62 6d 2c 2e 67 62 74 6f 20 23 67 62 73 7b 74 6f 70 3a 32 39 70 78 3b 76 69 73 69 62 69 6c 69 74 79 3a 76 69 73 69 62 6c 65 7d 23 67 62 7a 20 2e 67 62 6d 7b 6c 65 66 74 3a 30 7d 23 67 62 67 20 2e 67 62 6d 7b 72 69 67 68 74 3a 30 7d 2e 67 62 78 6d 73 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 63 63 63 3b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 3b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 7a 2d 69 6e 64 65 78 3a 31 3b 74 6f 70 3a 2d 31 70 78 3b 6c 65 66 74 3a 2d 32 70 78 3b 72 69 67 68 74 3a 2d 32 70 78 3b 62 6f 74 74 6f 6d 3a 2d 32 70 78 3b 6f 70 61 63 69 74 79 3a 2e 34 3b 2d 6d 6f 7a 2d 62
                                                                                                  Data Ascii: z-box-shadow:1px 1px 1px rgba(0,0,0,.2)}.gbto .gbm,.gbto #gbs{top:29px;visibility:visible}#gbz .gbm{left:0}#gbg .gbm{right:0}.gbxms{background-color:#ccc;display:block;position:absolute;z-index:1;top:-1px;left:-2px;right:-2px;bottom:-2px;opacity:.4;-moz-b
2022-07-26 19:52:11 UTC  7                   IN         Data Raw: 7b 63 75 72 73 6f 72 3a 64 65 66 61 75 6c 74 7d 2e 67 62 74 73 7b 62 6f 72 64 65 72 2d 6c 65 66 74 3a 31 70 78 20 73 6f 6c 69 64 20 74 72 61 6e 73 70 61 72 65 6e 74 3b 62 6f 72 64 65 72 2d 72 69 67 68 74 3a 31 70 78 20 73 6f 6c 69 64 20 74 72 61 6e 73 70 61 72 65 6e 74 3b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 3b 2a 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 70 61 64 64 69 6e 67 3a 30 20 35 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7a 2d 69 6e 64 65 78 3a 31 30 30 30 7d 2e 67 62 74 73 7b 2a 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 7d 2e 67 62 7a 74 20 2e 67 62 74 73 7b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 7a 6f 6f 6d 3a 31 7d 2e 67 62 74 6f 20 2e 67 62 74 73 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66
                                                                                                  Data Ascii: {cursor:default}.gbts{border-left:1px solid transparent;border-right:1px solid transparent;display:block;*display:inline-block;padding:0 5px;position:relative;z-index:1000}.gbts{*display:inline}.gbzt .gbts{display:inline;zoom:1}.gbto .gbts{background:#fff
2022-07-26 19:52:11 UTC  8                   IN         Data Raw: 67 34 61 20 2e 67 62 74 73 7b 70 61 64 64 69 6e 67 3a 32 39 70 78 20 35 70 78 20 31 70 78 3b 2a 70 61 64 64 69 6e 67 3a 32 37 70 78 20 35 70 78 20 31 70 78 7d 23 67 62 69 34 69 2c 23 67 62 69 34 69 64 7b 6c 65 66 74 3a 35 70 78 3b 62 6f 72 64 65 72 3a 30 3b 68 65 69 67 68 74 3a 32 34 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 74 6f 70 3a 31 70 78 3b 77 69 64 74 68 3a 32 34 70 78 7d 2e 67 62 74 6f 20 23 67 62 69 34 69 2c 2e 67 62 74 6f 20 23 67 62 69 34 69 64 7b 74 6f 70 3a 33 70 78 7d 2e 67 62 69 34 70 7b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 3b 77 69 64 74 68 3a 32 34 70 78 7d 23 67 62 69 34 69 64 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 70 6f 73 69 74 69 6f 6e 3a 2d 34 34 70 78 20 2d 31 30 31 70 78 7d 23 67 62 6d 70 69 64 7b 62 61 63 6b
                                                                                                  Data Ascii: g4a .gbts{padding:29px 5px 1px;*padding:27px 5px 1px}#gbi4i,#gbi4id{left:5px;border:0;height:24px;position:absolute;top:1px;width:24px}.gbto #gbi4i,.gbto #gbi4id{top:3px}.gbi4p{display:block;width:24px}#gbi4id{background-position:-44px -101px}#gbmpid{back
2022-07-26 19:52:11 UTC  10                  IN         Data Raw: 72 2c 2e 67 62 6d 6c 31 3a 66 6f 63 75 73 7b 6f 75 74 6c 69 6e 65 3a 6e 6f 6e 65 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 75 6e 64 65 72 6c 69 6e 65 20 21 69 6d 70 6f 72 74 61 6e 74 7d 23 67 62 70 6d 20 2e 67 62 6d 6c 31 7b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 3b 77 68 69 74 65 2d 73 70 61 63 65 3a 6e 6f 77 72 61 70 7d 2e 67 62 6d 6c 62 2c 2e 67 62 6d 6c 62 3a 76 69 73 69 74 65 64 7b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 32 37 70 78 7d 2e 67 62 6d 6c 62 2d 68 76 72 2c 2e 67 62 6d 6c 62 3a 66 6f 63 75 73 7b 6f 75 74 6c 69 6e 65 3a 6e 6f 6e 65 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 75 6e 64 65 72 6c 69 6e 65 20 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 67 62 6d 6c 62 77 7b 63 6f 6c
                                                                                                  Data Ascii: r,.gbml1:focus{outline:none;text-decoration:underline !important}#gbpm .gbml1{display:inline;margin:0;padding:0;white-space:nowrap}.gbmlb,.gbmlb:visited{line-height:27px}.gbmlb-hvr,.gbmlb:focus{outline:none;text-decoration:underline !important}.gbmlbw{col
2022-07-26 19:52:11 UTC  11                  IN         Data Raw: 23 67 62 64 34 20 2e 67 62 70 63 7b 2a 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 7d 2e 67 62 70 63 20 2e 67 62 70 73 2c 2e 67 62 70 63 20 2e 67 62 70 73 32 7b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 3b 6d 61 72 67 69 6e 3a 30 20 32 30 70 78 7d 23 67 62 6d 70 6c 70 2e 67 62 70 73 7b 6d 61 72 67 69 6e 3a 30 20 31 30 70 78 7d 2e 67 62 70 63 20 2e 67 62 70 73 7b 63 6f 6c 6f 72 3a 23 30 30 30 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 7d 2e 67 62 70 63 20 2e 67 62 70 64 7b 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 35 70 78 7d 2e 67 62 70 64 20 2e 67 62 6d 74 2c 2e 67 62 70 64 20 2e 67 62 70 73 7b 63 6f 6c 6f 72 3a 23 36 36 36 20 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 67 62 70 64 20 2e 67 62 6d 74 7b 6f 70 61 63 69 74 79 3a 2e 34 3b 66 69 6c 74 65 72 3a 61
                                                                                                  Data Ascii: #gbd4 .gbpc{*display:inline}.gbpc .gbps,.gbpc .gbps2{display:block;margin:0 20px}#gbmplp.gbps{margin:0 10px}.gbpc .gbps{color:#000;font-weight:bold}.gbpc .gbpd{margin-bottom:5px}.gbpd .gbmt,.gbpd .gbps{color:#666 !important}.gbpd .gbmt{opacity:.4;filter:a
2022-07-26 19:52:11 UTC  12                  IN         Data Raw: 65 69 67 68 74 3a 61 75 74 6f 3b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 3b 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 74 6f 70 7d 0a 2e 67 62 71 66 62 2c 2e 67 62 71 66 62 61 2c 2e 67 62 71 66 62 62 7b 2d 6d 6f 7a 2d 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 32 70 78 3b 2d 77 65 62 6b 69 74 2d 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 32 70 78 3b 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 32 70 78 3b 63 75 72 73 6f 72 3a 64 65 66 61 75 6c 74 20 21 69 6d 70 6f 72 74 61 6e 74 3b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 68 65 69 67 68 74 3a 32 39 70 78 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 32 39 70 78 3b 6d 69 6e 2d 77 69 64 74 68 3a 35 34 70 78 3b 2a 6d 69 6e 2d 77 69 64 74 68 3a 37
                                                                                                  Data Ascii: eight:auto;margin:10px 0;vertical-align:top}.gbqfb,.gbqfba,.gbqfbb{-moz-border-radius:2px;-webkit-border-radius:2px;border-radius:2px;cursor:default !important;display:inline-block;font-weight:bold;height:29px;line-height:29px;min-width:54px;*min-width:7
2022-07-26 19:52:11 UTC  14                  IN         Data Raw: 65 3a 31 31 70 78 7d 2e 67 62 71 66 62 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 34 64 39 30 66 65 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 2d 77 65 62 6b 69 74 2d 67 72 61 64 69 65 6e 74 28 6c 69 6e 65 61 72 2c 6c 65 66 74 20 74 6f 70 2c 6c 65 66 74 20 62 6f 74 74 6f 6d 2c 66 72 6f 6d 28 23 34 64 39 30 66 65 29 2c 74 6f 28 23 34 37 38 37 65 64 29 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 2d 77 65 62 6b 69 74 2d 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 70 2c 23 34 64 39 30 66 65 2c 23 34 37 38 37 65 64 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 2d 6d 6f 7a 2d 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 70 2c 23 34 64 39 30 66 65 2c 23 34 37 38 37 65 64 29 3b 62 61 63 6b 67 72
                                                                                                  Data Ascii: e:11px}.gbqfb{background-color:#4d90fe;background-image:-webkit-gradient(linear,left top,left bottom,from(#4d90fe),to(#4787ed));background-image:-webkit-linear-gradient(top,#4d90fe,#4787ed);background-image:-moz-linear-gradient(top,#4d90fe,#4787ed);backgr
2022-07-26 19:52:11 UTC  15                  IN         Data Raw: 75 6e 64 2d 69 6d 61 67 65 3a 2d 77 65 62 6b 69 74 2d 67 72 61 64 69 65 6e 74 28 6c 69 6e 65 61 72 2c 6c 65 66 74 20 74 6f 70 2c 6c 65 66 74 20 62 6f 74 74 6f 6d 2c 66 72 6f 6d 28 23 66 35 66 35 66 35 29 2c 74 6f 28 23 66 31 66 31 66 31 29 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 2d 77 65 62 6b 69 74 2d 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 70 2c 23 66 35 66 35 66 35 2c 23 66 31 66 31 66 31 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 2d 6d 6f 7a 2d 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 70 2c 23 66 35 66 35 66 35 2c 23 66 31 66 31 66 31 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 2d 6d 73 2d 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 70 2c 23 66 35 66 35 66 35 2c 23 66 31
                                                                                                  Data Ascii: und-image:-webkit-gradient(linear,left top,left bottom,from(#f5f5f5),to(#f1f1f1));background-image:-webkit-linear-gradient(top,#f5f5f5,#f1f1f1);background-image:-moz-linear-gradient(top,#f5f5f5,#f1f1f1);background-image:-ms-linear-gradient(top,#f5f5f5,#f1
2022-07-26 19:52:11 UTC  16                  IN         Data Raw: 2d 6f 2d 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 70 2c 23 66 66 66 2c 23 66 62 66 62 66 62 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 70 2c 23 66 66 66 2c 23 66 62 66 62 66 62 29 3b 66 69 6c 74 65 72 3a 70 72 6f 67 69 64 3a 44 58 49 6d 61 67 65 54 72 61 6e 73 66 6f 72 6d 2e 4d 69 63 72 6f 73 6f 66 74 2e 67 72 61 64 69 65 6e 74 28 73 74 61 72 74 43 6f 6c 6f 72 53 74 72 3d 27 23 66 66 66 66 66 66 27 2c 45 6e 64 43 6f 6c 6f 72 53 74 72 3d 27 23 66 62 66 62 66 62 27 29 7d 2e 67 62 71 66 62 62 2d 68 76 72 2c 2e 67 62 71 66 62 62 2d 68 76 72 3a 61 63 74 69 76 65 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 66 66 66 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a
                                                                                                  Data Ascii: -o-linear-gradient(top,#fff,#fbfbfb);background-image:linear-gradient(top,#fff,#fbfbfb);filter:progid:DXImageTransform.Microsoft.gradient(startColorStr='#ffffff',EndColorStr='#fbfbfb')}.gbqfbb-hvr,.gbqfbb-hvr:active{background-color:#fff;background-image:
2022-07-26 19:52:11 UTC  17                  IN         Data Raw: 65 6e 74 28 6c 69 6e 65 61 72 2c 6c 65 66 74 20 74 6f 70 2c 72 69 67 68 74 20 74 6f 70 2c 63 6f 6c 6f 72 2d 73 74 6f 70 28 30 2c 72 67 62 61 28 30 2c 30 2c 30 2c 2e 31 29 29 2c 63 6f 6c 6f 72 2d 73 74 6f 70 28 2e 35 2c 72 67 62 61 28 30 2c 30 2c 30 2c 2e 38 29 29 2c 63 6f 6c 6f 72 2d 73 74 6f 70 28 31 2c 72 67 62 61 28 30 2c 30 2c 30 2c 2e 31 29 29 29 3b 6c 65 66 74 3a 30 3b 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 30 3b 6f 70 61 63 69 74 79 3a 30 3b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 77 69 64 74 68 3a 31 30 30 25 7d 2e 67 62 73 62 20 2e 67 62 73 62 74 3a 61 66 74 65 72 2c 2e 67 62 73 62 20 2e 67 62 73 62 62 3a 61 66 74 65 72 7b 63 6f 6e 74 65 6e 74 3a 22 22 3b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 3b 68 65 69 67 68 74 3a 30 3b 6c 65 66
                                                                                                  Data Ascii: ent(linear,left top,right top,color-stop(0,rgba(0,0,0,.1)),color-stop(.5,rgba(0,0,0,.8)),color-stop(1,rgba(0,0,0,.1)));left:0;margin-right:0;opacity:0;position:absolute;width:100%}.gbsb .gbsbt:after,.gbsb .gbsbb:after{content:"";display:block;height:0;lef
2022-07-26 19:52:11 UTC  19                  IN         Data Raw: 6e 74 28 62 6f 74 74 6f 6d 2c 72 67 62 61 28 30 2c 30 2c 30 2c 2e 32 29 2c 72 67 62 61 28 30 2c 30 2c 30 2c 30 29 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 2d 6f 2d 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 62 6f 74 74 6f 6d 2c 72 67 62 61 28 30 2c 30 2c 30 2c 2e 32 29 2c 72 67 62 61 28 30 2c 30 2c 30 2c 30 29 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 62 6f 74 74 6f 6d 2c 72 67 62 61 28 30 2c 30 2c 30 2c 2e 32 29 2c 72 67 62 61 28 30 2c 30 2c 30 2c 30 29 29 3b 62 6f 74 74 6f 6d 3a 30 3b 68 65 69 67 68 74 3a 34 70 78 7d 2e 67 62 73 62 20 2e 67 62 73 62 62 3a 61 66 74 65 72 7b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 31 70 78 20 73 6f 6c 69 64 20 23 65 62 65 62 65 62 3b 62
                                                                                                  Data Ascii: nt(bottom,rgba(0,0,0,.2),rgba(0,0,0,0));background-image:-o-linear-gradient(bottom,rgba(0,0,0,.2),rgba(0,0,0,0));background-image:linear-gradient(bottom,rgba(0,0,0,.2),rgba(0,0,0,0));bottom:0;height:4px}.gbsb .gbsbb:after{border-bottom:1px solid #ebebeb;b
2022-07-26 19:52:11 UTC  20                  IN         Data Raw: 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 74 6f 70 7d 2e 6c 73 62 3a 61 63 74 69 76 65 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 64 61 64 63 65 30 7d 2e 6c 73 74 3a 66 6f 63 75 73 7b 6f 75 74 6c 69 6e 65 3a 6e 6f 6e 65 7d 3c 2f 73 74 79 6c 65 3e 3c 73 63 72 69 70 74 20 6e 6f 6e 63 65 3d 22 66 44 46 72 55 61 53 6d 42 76 53 61 58 55 6c 69 51 49 66 61 58 67 22 3e 28 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 67 6f 6f 67 6c 65 2e 65 72 64 3d 7b 6a 73 72 3a 31 2c 62 76 3a 31 36 32 35 2c 64 65 3a 74 72 75 65 7d 3b 0a 76 61 72 20 66 3d 74 68 69 73 7c 7c 73 65 6c 66 3b 76 61 72 20 67 2c 68 3d 6e 75 6c 6c 21 3d 28 67 3d 66 2e 6d 65 69 29 3f 67 3a 31 2c 6d 2c 6e 3d 6e 75 6c 6c 21 3d 28 6d 3d 66 2e 73 64 6f 29 3f 6d 3a 21 30 2c 70 3d 30 2c 71 2c 72 3d 67 6f
                                                                                                  Data Ascii: ertical-align:top}.lsb:active{background:#dadce0}.lst:focus{outline:none}</style><script nonce="fDFrUaSmBvSaXUliQIfaXg">(function(){window.google.erd={jsr:1,bv:1625,de:true};var f=this||self;var g,h=null!=(g=f.mei)?g:1,m,n=null!=(m=f.sdo)?m:!0,p=0,q,r=go
2022-07-26 19:52:11 UTC  21                  IN         Data Raw: 66 69 6c 65 4e 61 6d 65 3d 62 29 2c 67 6f 6f 67 6c 65 2e 6d 6c 28 61 2c 21 31 2c 76 6f 69 64 20 30 2c 21 31 2c 22 53 79 6e 74 61 78 45 72 72 6f 72 22 3d 3d 3d 61 2e 6e 61 6d 65 7c 7c 22 53 79 6e 74 61 78 45 72 72 6f 72 22 3d 3d 3d 61 2e 6d 65 73 73 61 67 65 2e 73 75 62 73 74 72 69 6e 67 28 30 2c 31 31 29 7c 7c 30 3c 61 2e 6d 65 73 73 61 67 65 2e 69 6e 64 65 78 4f 66 28 22 53 63 72 69 70 74 20 65 72 72 6f 72 22 29 3f 32 3a 30 29 29 3b 71 3d 6e 75 6c 6c 3b 6e 26 26 70 3e 3d 68 26 26 28 77 69 6e 64 6f 77 2e 6f 6e 65 72 72 6f 72 3d 6e 75 6c 6c 29 7d 3b 7d 29 28 29 3b 28 66 75 6e 63 74 69 6f 6e 28 29 7b 74 72 79 7b 2f 2a 0a 0a 20 43 6f 70 79 72 69 67 68 74 20 54 68 65 20 43 6c 6f 73 75 72 65 20 4c 69 62 72 61 72 79 20 41 75 74 68 6f 72 73 2e 0a 20 53 50 44 58
                                                                                                  Data Ascii: fileName=b),google.ml(a,!1,void 0,!1,"SyntaxError"===a.name||"SyntaxError"===a.message.substring(0,11)||0<a.message.indexOf("Script error")?2:0));q=null;n&&p>=h&&(window.onerror=null)};})();(function(){try{/* Copyright The Closure Library Authors. SPDX
                                                                                                  2022-07-26 19:52:11 UTC22INData Raw: 69 6e 64 6f 77 2e 67 62 61 72 2e 6c 6f 67 67 65 72 3b 76 61 72 20 76 3d 7b 7d 2c 6c 61 3d 7b 7d 2c 77 3d 5b 5d 2c 6d 61 3d 68 2e 62 28 22 30 2e 31 22 2c 2e 31 29 2c 6e 61 3d 68 2e 61 28 22 31 22 2c 21 30 29 2c 6f 61 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 77 2e 70 75 73 68 28 5b 61 2c 62 5d 29 7d 2c 70 61 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 76 5b 61 5d 3d 62 7d 2c 71 61 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 72 65 74 75 72 6e 20 61 20 69 6e 20 76 7d 2c 78 3d 7b 7d 2c 41 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 78 5b 61 5d 7c 7c 28 78 5b 61 5d 3d 5b 5d 29 3b 78 5b 61 5d 2e 70 75 73 68 28 62 29 7d 2c 42 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 41 28 22 6d 22 2c 61 29 7d 2c 72 61 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 76 0d 0a
                                                                                                  Data Ascii: indow.gbar.logger;var v={},la={},w=[],ma=h.b("0.1",.1),na=h.a("1",!0),oa=function(a,b){w.push([a,b])},pa=function(a,b){v[a]=b},qa=function(a){return a in v},x={},A=function(a,b){x[a]||(x[a]=[]);x[a].push(b)},B=function(a){A("m",a)},ra=function(a,b){v
                                                                                                  2022-07-26 19:52:11 UTC23INData Raw: 65 33 0d 0a 61 72 20 63 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 73 63 72 69 70 74 22 29 3b 63 2e 73 72 63 3d 61 3b 63 2e 61 73 79 6e 63 3d 6e 61 3b 4d 61 74 68 2e 72 61 6e 64 6f 6d 28 29 3c 6d 61 26 26 28 63 2e 6f 6e 65 72 72 6f 72 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 63 2e 6f 6e 65 72 72 6f 72 3d 6e 75 6c 6c 3b 74 28 45 72 72 6f 72 28 22 42 75 6e 64 6c 65 20 6c 6f 61 64 20 66 61 69 6c 65 64 3a 20 6e 61 6d 65 3d 22 2b 28 62 7c 7c 22 55 4e 4b 22 29 2b 22 20 75 72 6c 3d 22 2b 61 29 29 7d 29 3b 28 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 78 6a 73 63 22 29 7c 7c 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 73 0d 0a
                                                                                                  Data Ascii: e3ar c=document.createElement("script");c.src=a;c.async=na;Math.random()<ma&&(c.onerror=function(){c.onerror=null;t(Error("Bundle load failed: name="+(b||"UNK")+" url="+a))});(document.getElementById("xjsc")||document.getElements
                                                                                                  2022-07-26 19:52:11 UTC23INData Raw: 36 62 33 64 0d 0a 42 79 54 61 67 4e 61 6d 65 28 22 62 6f 64 79 22 29 5b 30 5d 7c 7c 0a 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 22 68 65 61 64 22 29 5b 30 5d 29 2e 61 70 70 65 6e 64 43 68 69 6c 64 28 63 29 7d 2c 44 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 66 6f 72 28 76 61 72 20 62 3d 30 2c 63 3b 28 63 3d 77 5b 62 5d 29 26 26 63 5b 30 5d 21 3d 61 3b 2b 2b 62 29 3b 21 63 7c 7c 63 5b 31 5d 2e 6c 7c 7c 63 5b 31 5d 2e 73 7c 7c 28 63 5b 31 5d 2e 73 3d 21 30 2c 73 61 28 32 2c 61 29 2c 63 5b 31 5d 2e 75 72 6c 26 26 72 61 28 63 5b 31 5d 2e 75 72 6c 2c 61 29 2c 63 5b 31 5d 2e 6c 69 62 73 26 26 43 26 26 43 28 63 5b 31 5d 2e 6c 69 62 73 29 29 7d 2c 74 61 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 41 28 22 67 63 22 2c 61 29
                                                                                                  Data Ascii: 6b3dByTagName("body")[0]||document.getElementsByTagName("head")[0]).appendChild(c)},D=function(a){for(var b=0,c;(c=w[b])&&c[0]!=a;++b);!c||c[1].l||c[1].s||(c[1].s=!0,sa(2,a),c[1].url&&ra(c[1].url,a),c[1].libs&&C&&C(c[1].libs))},ta=function(a){A("gc",a)
                                                                                                  2022-07-26 19:52:11 UTC24INData Raw: 2e 64 70 6f 3d 46 28 47 2e 64 70 6f 2c 22 22 29 3b 78 61 7c 7c 77 2e 70 75 73 68 28 5b 22 67 6c 22 2c 7b 75 72 6c 3a 22 2f 2f 73 73 6c 2e 67 73 74 61 74 69 63 2e 63 6f 6d 2f 67 62 2f 6a 73 2f 61 62 63 2f 67 6c 6d 5f 65 37 62 62 33 39 61 37 65 31 61 32 34 35 38 31 66 66 34 66 38 64 31 39 39 36 37 38 62 31 62 39 2e 6a 73 22 7d 5d 29 3b 76 61 72 20 45 61 3d 7b 70 75 3a 79 61 2c 73 68 3a 22 22 2c 73 69 3a 7a 61 2c 68 6c 3a 22 64 65 22 7d 3b 76 2e 67 6c 3d 45 61 3b 77 61 3f 41 61 2e 6c 6f 61 64 7c 7c 70 28 22 6c 6f 61 64 22 2c 42 61 2c 41 61 29 3a 70 28 22 6c 6f 61 64 22 2c 42 61 2c 41 61 29 3b 70 28 22 64 67 6c 22 2c 42 61 29 3b 70 28 22 61 67 6c 22 2c 44 61 29 3b 68 2e 6f 3d 78 61 7d 3b 76 61 72 20 46 61 3d 68 2e 62 28 22 30 2e 31 22 2c 2e 30 30 31 29 2c 47
                                                                                                  Data Ascii: .dpo=F(G.dpo,"");xa||w.push(["gl",{url:"//ssl.gstatic.com/gb/js/abc/glm_e7bb39a7e1a24581ff4f8d199678b1b9.js"}]);var Ea={pu:ya,sh:"",si:za,hl:"de"};v.gl=Ea;wa?Aa.load||p("load",Ba,Aa):p("load",Ba,Aa);p("dgl",Ba);p("agl",Da);h.o=xa};var Fa=h.b("0.1",.001),G
                                                                                                  2022-07-26 19:52:11 UTC26INData Raw: 26 63 2e 6d 61 74 63 68 28 62 29 26 26 28 61 2e 63 6c 61 73 73 4e 61 6d 65 3d 63 2e 72 65 70 6c 61 63 65 28 62 2c 22 22 29 29 7d 2c 48 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 62 3d 6e 65 77 20 52 65 67 45 78 70 28 22 5c 5c 62 22 2b 62 2b 22 5c 5c 62 22 29 3b 61 3d 61 2e 63 6c 61 73 73 4e 61 6d 65 3b 72 65 74 75 72 6e 21 28 21 61 7c 7c 21 61 2e 6d 61 74 63 68 28 62 29 29 7d 2c 4d 61 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 48 28 61 2c 62 29 3f 4b 28 61 2c 62 29 3a 4a 28 61 2c 62 29 7d 2c 4e 61 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 61 5b 62 5d 3d 66 75 6e 63 74 69 6f 6e 28 63 29 7b 76 61 72 20 64 3d 61 72 67 75 6d 65 6e 74 73 3b 67 2e 71 6d 28 66 75 6e 63 74 69 6f 6e 28 29 7b 61 5b 62 5d 2e 61 70 70 6c 79 28 74 68 69 73 2c 64 29 7d 29 7d 7d
                                                                                                  Data Ascii: &c.match(b)&&(a.className=c.replace(b,""))},H=function(a,b){b=new RegExp("\\b"+b+"\\b");a=a.className;return!(!a||!a.match(b))},Ma=function(a,b){H(a,b)?K(a,b):J(a,b)},Na=function(a,b){a[b]=function(c){var d=arguments;g.qm(function(){a[b].apply(this,d)})}}
                                                                                                  2022-07-26 19:52:11 UTC27INData Raw: 20 63 3d 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 67 62 22 29 3b 4a 28 63 2c 22 67 62 70 64 6a 73 22 29 3b 50 28 29 3b 5a 61 28 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 67 62 22 29 29 26 26 4a 28 63 2c 22 67 62 72 74 6c 22 29 3b 69 66 28 62 26 26 62 2e 67 65 74 41 74 74 72 69 62 75 74 65 29 7b 76 61 72 20 64 3d 62 2e 67 65 74 41 74 74 72 69 62 75 74 65 28 22 61 72 69 61 2d 6f 77 6e 73 22 29 3b 69 66 28 64 2e 6c 65 6e 67 74 68 29 7b 76 61 72 20 66 3d 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 64 29 3b 69 66 28 66 29 7b 76 61 72 20 6b 3d 62 2e 70 61 72 65 6e 74 4e 6f 64 65 3b 69 66 28 4f 3d 3d 64 29 4f 3d 76 6f 69 64 20 30 2c 0a 4b 28 6b 2c 22 67 62 74 6f 22 29
                                                                                                  Data Ascii: c=document.getElementById("gb");J(c,"gbpdjs");P();Za(document.getElementById("gb"))&&J(c,"gbrtl");if(b&&b.getAttribute){var d=b.getAttribute("aria-owns");if(d.length){var f=document.getElementById(d);if(f){var k=b.parentNode;if(O==d)O=void 0,K(k,"gbto")
                                                                                                  2022-07-26 19:52:11 UTC28INData Raw: 74 68 29 7b 76 61 72 20 56 3d 6b 2e 63 68 69 6c 64 4e 6f 64 65 73 5b 64 2b 31 5d 3b 48 28 56 2e 66 69 72 73 74 43 68 69 6c 64 2c 22 67 62 6d 68 22 29 7c 7c 66 62 28 56 2c 45 29 7c 7c 28 6c 3d 64 2b 31 29 7d 65 6c 73 65 20 69 66 28 30 3c 3d 64 2d 31 29 7b 76 61 72 20 57 3d 6b 2e 63 68 69 6c 64 4e 6f 64 65 73 5b 64 2d 31 5d 3b 48 28 57 2e 66 69 72 73 74 43 68 69 6c 64 2c 22 67 62 6d 68 22 29 7c 7c 66 62 28 57 2c 45 29 7c 7c 28 6c 3d 64 29 7d 62 72 65 61 6b 7d 30 3c 64 26 26 64 2b 31 3c 6e 26 26 64 2b 2b 7d 69 66 28 30 3c 3d 6c 29 7b 76 61 72 20 79 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 6c 69 22 29 2c 7a 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 64 69 76 22 29 3b 79 2e 63 6c 61 73 73 4e 61
                                                                                                  Data Ascii: th){var V=k.childNodes[d+1];H(V.firstChild,"gbmh")||fb(V,E)||(l=d+1)}else if(0<=d-1){var W=k.childNodes[d-1];H(W.firstChild,"gbmh")||fb(W,E)||(l=d)}break}0<d&&d+1<n&&d++}if(0<=l){var y=document.createElement("li"),z=document.createElement("div");y.classNa
                                                                                                  2022-07-26 19:52:11 UTC29INData Raw: 74 74 65 20 76 65 72 73 75 63 68 65 20 65 73 20 73 70 e4 74 65 72 20 6e 6f 63 68 20 65 69 6e 6d 61 6c 2e 22 2c 22 25 31 24 73 22 29 2c 51 28 62 2c 21 30 29 29 7d 63 61 74 63 68 28 63 29 7b 72 28 63 2c 22 73 62 22 2c 22 73 64 68 65 22 29 7d 7d 2c 72 62 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 2c 63 29 7b 69 66 28 61 26 26 62 29 7b 76 61 72 20 64 3d 24 61 28 61 29 3b 69 66 28 64 29 7b 69 66 28 63 29 7b 64 2e 74 65 78 74 43 6f 6e 74 65 6e 74 3d 22 22 3b 62 3d 62 2e 73 70 6c 69 74 28 63 29 3b 63 3d 30 3b 66 6f 72 28 76 61 72 20 66 3b 66 3d 62 5b 63 5d 3b 63 2b 2b 29 7b 76 61 72 20 6b 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 64 69 76 22 29 3b 0a 6b 2e 69 6e 6e 65 72 48 54 4d 4c 3d 66 3b 64 2e 61 70 70 65 6e 64 43 68 69 6c 64 28
                                                                                                  Data Ascii: tte versuche es spter noch einmal.","%1$s"),Q(b,!0))}catch(c){r(c,"sb","sdhe")}},rb=function(a,b,c){if(a&&b){var d=$a(a);if(d){if(c){d.textContent="";b=b.split(c);c=0;for(var f;f=b[c];c++){var k=document.createElement("div");k.innerHTML=f;d.appendChild(
                                                                                                  2022-07-26 19:52:11 UTC31INData Raw: 2e 63 28 22 35 30 30 30 22 2c 30 29 2c 74 65 74 3a 68 2e 62 28 22 30 2e 35 22 2c 30 29 7d 3b 76 2e 77 6d 3d 7a 62 3b 69 66 28 68 2e 61 28 22 31 22 29 29 7b 76 61 72 20 41 62 3d 68 2e 61 28 22 22 29 3b 77 2e 70 75 73 68 28 5b 22 67 63 22 2c 7b 61 75 74 6f 3a 41 62 2c 75 72 6c 3a 22 2f 2f 73 73 6c 2e 67 73 74 61 74 69 63 2e 63 6f 6d 2f 67 62 2f 6a 73 2f 61 62 63 2f 67 63 69 5f 39 31 66 33 30 37 35 35 64 36 61 36 62 37 38 37 64 63 63 32 61 34 30 36 32 65 36 65 39 38 32 34 2e 6a 73 22 2c 6c 69 62 73 3a 22 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6c 69 65 6e 74 3a 67 61 70 69 2e 69 66 72 61 6d 65 73 22 7d 5d 29 3b 76 61 72 20 42 62 3d 7b 76 65 72 73 69 6f 6e 3a 22 67 63 69 5f 39 31 66 33 30 37 35 35 64 36 61 36 62 37 38 37 64 63 63 32 61 34 30 36 32 65 36 65 39 38
                                                                                                  Data Ascii: .c("5000",0),tet:h.b("0.5",0)};v.wm=zb;if(h.a("1")){var Ab=h.a("");w.push(["gc",{auto:Ab,url:"//ssl.gstatic.com/gb/js/abc/gci_91f30755d6a6b787dcc2a4062e6e9824.js",libs:"googleapis.client:gapi.iframes"}]);var Bb={version:"gci_91f30755d6a6b787dcc2a4062e6e98
                                                                                                  2022-07-26 19:52:11 UTC32INData Raw: 69 66 28 21 52 29 7b 52 3d 7b 7d 3b 66 6f 72 28 76 61 72 20 6b 3d 30 3b 6b 3c 4b 62 2e 6c 65 6e 67 74 68 3b 6b 2b 2b 29 7b 76 61 72 20 6d 3d 4b 62 5b 6b 5d 3b 52 5b 6d 5d 3d 21 30 7d 7d 69 66 28 66 3d 21 21 52 5b 66 5d 29 63 3d 4d 62 2c 64 3d 4f 62 3b 69 66 28 64 29 7b 64 3d 65 6e 63 6f 64 65 55 52 49 43 6f 6d 70 6f 6e 65 6e 74 3b 69 66 28 67 2e 72 70 29 7b 76 61 72 20 6e 3d 67 2e 72 70 28 29 3b 6e 3d 22 2d 31 22 21 3d 6e 3f 6e 3a 22 22 7d 65 6c 73 65 20 6e 3d 22 22 3b 66 3d 28 6e 65 77 20 44 61 74 65 29 2e 67 65 74 54 69 6d 65 28 29 3b 6b 3d 64 28 22 32 38 38 33 34 22 29 3b 6d 3d 64 28 22 36 30 58 67 59 74 44 51 44 36 6d 38 78 63 38 50 32 59 6d 57 75 41 4d 22 29 3b 76 61 72 20 6c 3d 67 2e 62 76 2e 66 2c 71 3d 64 28 22 31 22 29 3b 6e 3d 64 28 6e 29 3b 63
                                                                                                  Data Ascii: if(!R){R={};for(var k=0;k<Kb.length;k++){var m=Kb[k];R[m]=!0}}if(f=!!R[f])c=Mb,d=Ob;if(d){d=encodeURIComponent;if(g.rp){var n=g.rp();n="-1"!=n?n:""}else n="";f=(new Date).getTime();k=d("28834");m=d("60XgYtDQD6m8xc8P2YmWuAM");var l=g.bv.f,q=d("1");n=d(n);c
                                                                                                  2022-07-26 19:52:11 UTC33INData Raw: 2f 64 65 66 61 75 6c 74 2d 75 73 65 72 3d 73 32 34 22 2c 22 32 37 22 3a 22 68 74 74 70 73 3a 2f 2f 6c 68 33 2e 67 6f 6f 67 6c 65 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 2f 6f 67 77 2f 64 65 66 61 75 6c 74 2d 75 73 65 72 3d 73 32 34 22 7d 2c 5a 62 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 72 65 74 75 72 6e 28 61 3d 59 62 5b 61 5d 29 7c 7c 22 68 74 74 70 73 3a 2f 2f 6c 68 33 2e 67 6f 6f 67 6c 65 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 2f 6f 67 77 2f 64 65 66 61 75 6c 74 2d 75 73 65 72 3d 73 32 34 22 7d 2c 0a 24 62 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 42 28 66 75 6e 63 74 69 6f 6e 28 29 7b 67 2e 73 70 64 28 29 7d 29 7d 3b 70 28 22 73 70 6e 22 2c 56 62 29 3b 70 28 22 73 70 70 22 2c 58 62 29 3b 70 28 22 73 70 73 22 2c 57 62 29 3b 70 28 22 73 70 64 22 2c
                                                                                                  Data Ascii: /default-user=s24","27":"https://lh3.googleusercontent.com/ogw/default-user=s24"},Zb=function(a){return(a=Yb[a])||"https://lh3.googleusercontent.com/ogw/default-user=s24"},$b=function(){B(function(){g.spd()})};p("spn",Vb);p("spp",Xb);p("sps",Wb);p("spd",
                                                                                                  2022-07-26 19:52:11 UTC34INData Raw: 72 28 64 2c 22 75 70 22 2c 22 74 70 22 29 7d 7d 7d 63 61 74 63 68 28 64 29 7b 72 28 64 2c 22 75 70 22 2c 22 6d 74 70 22 29 7d 7d 2c 65 63 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 69 66 28 59 28 5b 32 5d 2c 22 73 73 70 22 29 29 7b 76 61 72 20 62 3d 21 62 63 5b 61 5d 3b 54 26 26 28 62 3d 62 26 26 21 21 54 5b 61 5d 29 3b 72 65 74 75 72 6e 20 62 7d 7d 3b 63 63 3d 21 31 3b 53 3d 7b 7d 3b 62 63 3d 7b 7d 3b 54 3d 6e 75 6c 6c 3b 58 3d 31 3b 0a 76 61 72 20 6a 63 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 76 61 72 20 62 3d 21 31 3b 74 72 79 7b 62 3d 61 2e 63 6f 6f 6b 69 65 26 26 61 2e 63 6f 6f 6b 69 65 2e 6d 61 74 63 68 28 22 50 52 45 46 22 29 7d 63 61 74 63 68 28 63 29 7b 7d 72 65 74 75 72 6e 21 62 7d 2c 6b 63 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 74 72 79 7b 72 65 74 75
                                                                                                  Data Ascii: r(d,"up","tp")}}}catch(d){r(d,"up","mtp")}},ec=function(a){if(Y([2],"ssp")){var b=!bc[a];T&&(b=b&&!!T[a]);return b}};cc=!1;S={};bc={};T=null;X=1;var jc=function(a){var b=!1;try{b=a.cookie&&a.cookie.match("PREF")}catch(c){}return!b},kc=function(){try{retu
                                                                                                  2022-07-26 19:52:11 UTC36INData Raw: 61 70 3a 67 63 2c 61 6f 70 3a 68 63 2c 74 70 3a 69 63 2c 73 73 70 3a 65 63 2c 73 70 64 3a 6d 63 2c 67 70 64 3a 6e 63 2c 61 65 68 3a 6f 63 2c 61 61 6c 3a 70 63 2c 67 63 63 3a 71 63 7d 29 3b 76 61 72 20 5a 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 61 5b 62 5d 3d 66 75 6e 63 74 69 6f 6e 28 63 29 7b 76 61 72 20 64 3d 61 72 67 75 6d 65 6e 74 73 3b 67 2e 71 6d 28 66 75 6e 63 74 69 6f 6e 28 29 7b 61 5b 62 5d 2e 61 70 70 6c 79 28 74 68 69 73 2c 64 29 7d 29 7d 7d 3b 5a 28 67 2e 75 70 2c 22 73 6c 22 29 3b 5a 28 67 2e 75 70 2c 22 73 69 22 29 3b 5a 28 67 2e 75 70 2c 22 73 70 6c 22 29 3b 5a 28 67 2e 75 70 2c 22 64 70 63 22 29 3b 5a 28 67 2e 75 70 2c 22 69 69 63 22 29 3b 67 2e 6d 63 66 28 22 75 70 22 2c 7b 73 70 3a 68 2e 62 28 22 30 2e 30 31 22 2c 31 29 2c 74 6c 64
                                                                                                  Data Ascii: ap:gc,aop:hc,tp:ic,ssp:ec,spd:mc,gpd:nc,aeh:oc,aal:pc,gcc:qc});var Z=function(a,b){a[b]=function(c){var d=arguments;g.qm(function(){a[b].apply(this,d)})}};Z(g.up,"sl");Z(g.up,"si");Z(g.up,"spl");Z(g.up,"dpc");Z(g.up,"iic");g.mcf("up",{sp:h.b("0.01",1),tld
                                                                                                  2022-07-26 19:52:11 UTC37INData Raw: 72 69 67 68 74 20 54 68 65 20 43 6c 6f 73 75 72 65 20 4c 69 62 72 61 72 79 20 41 75 74 68 6f 72 73 2e 0a 20 53 50 44 58 2d 4c 69 63 65 6e 73 65 2d 49 64 65 6e 74 69 66 69 65 72 3a 20 41 70 61 63 68 65 2d 32 2e 30 0a 2a 2f 0a 76 61 72 20 61 3d 77 69 6e 64 6f 77 2e 67 62 61 72 3b 61 2e 6d 63 66 28 22 6d 6d 22 2c 7b 73 3a 22 31 22 7d 29 3b 7d 63 61 74 63 68 28 65 29 7b 77 69 6e 64 6f 77 2e 67 62 61 72 26 26 67 62 61 72 2e 6c 6f 67 67 65 72 26 26 67 62 61 72 2e 6c 6f 67 67 65 72 2e 6d 6c 28 65 2c 7b 22 5f 73 6e 22 3a 22 63 66 67 2e 69 6e 69 74 22 7d 29 3b 7d 7d 29 28 29 3b 0a 28 66 75 6e 63 74 69 6f 6e 28 29 7b 74 72 79 7b 2f 2a 0a 0a 20 43 6f 70 79 72 69 67 68 74 20 54 68 65 20 43 6c 6f 73 75 72 65 20 4c 69 62 72 61 72 79 20 41 75 74 68 6f 72 73 2e 0a 20 53
                                                                                                  Data Ascii: right The Closure Library Authors. SPDX-License-Identifier: Apache-2.0*/var a=window.gbar;a.mcf("mm",{s:"1"});}catch(e){window.gbar&&gbar.logger&&gbar.logger.ml(e,{"_sn":"cfg.init"});}})();(function(){try{/* Copyright The Closure Library Authors. S
                                                                                                  2022-07-26 19:52:11 UTC38INData Raw: 2c 65 73 72 3a 65 28 22 30 2e 31 22 29 2c 65 76 74 73 3a 5b 22 6d 6f 75 73 65 64 6f 77 6e 22 2c 22 74 6f 75 63 68 73 74 61 72 74 22 2c 22 74 6f 75 63 68 6d 6f 76 65 22 2c 22 77 68 65 65 6c 22 2c 22 6b 65 79 64 6f 77 6e 22 5d 2c 67 62 6c 3a 22 65 73 5f 70 6c 75 73 6f 6e 65 5f 67 63 5f 32 30 32 32 30 36 30 37 2e 31 5f 70 30 22 2c 68 64 3a 22 63 6f 6d 22 2c 68 6c 3a 22 64 65 22 2c 69 72 70 3a 64 28 22 22 29 2c 70 69 64 3a 65 28 22 31 22 29 2c 0a 73 6e 69 64 3a 65 28 22 32 38 38 33 34 22 29 2c 74 6f 3a 65 28 22 33 30 30 30 30 30 22 29 2c 75 3a 65 28 22 22 29 2c 76 66 3a 22 2e 36 36 2e 22 7d 2c 67 3d 66 2c 68 3d 5b 22 62 6e 64 63 66 67 22 5d 2c 6b 3d 61 3b 68 5b 30 5d 69 6e 20 6b 7c 7c 22 75 6e 64 65 66 69 6e 65 64 22 3d 3d 74 79 70 65 6f 66 20 6b 2e 65 78 65
                                                                                                  Data Ascii: ,esr:e("0.1"),evts:["mousedown","touchstart","touchmove","wheel","keydown"],gbl:"es_plusone_gc_20220607.1_p0",hd:"com",hl:"de",irp:d(""),pid:e("1"),snid:e("28834"),to:e("300000"),u:e(""),vf:".66."},g=f,h=["bndcfg"],k=a;h[0]in k||"undefined"==typeof k.exe
                                                                                                  2022-07-26 19:52:11 UTC40INData Raw: 3e 3c 2f 73 70 61 6e 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 67 62 74 73 3e 53 75 63 68 65 3c 2f 73 70 61 6e 3e 3c 2f 61 3e 3c 2f 6c 69 3e 3c 6c 69 20 63 6c 61 73 73 3d 67 62 74 3e 3c 61 20 63 6c 61 73 73 3d 67 62 7a 74 20 69 64 3d 67 62 5f 32 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 64 65 2f 69 6d 67 68 70 3f 68 6c 3d 64 65 26 74 61 62 3d 77 69 22 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 67 62 74 62 32 3e 3c 2f 73 70 61 6e 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 67 62 74 73 3e 42 69 6c 64 65 72 3c 2f 73 70 61 6e 3e 3c 2f 61 3e 3c 2f 6c 69 3e 3c 6c 69 20 63 6c 61 73 73 3d 67 62 74 3e 3c 61 20 63 6c 61 73 73 3d 67 62 7a 74 20 69 64 3d 67 62 5f 38 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 6d 61 70 73 2e 67 6f 6f 67 6c 65
                                                                                                  Data Ascii: ></span><span class=gbts>Suche</span></a></li><li class=gbt><a class=gbzt id=gb_2 href="https://www.google.de/imghp?hl=de&tab=wi"><span class=gbtb2></span><span class=gbts>Bilder</span></a></li><li class=gbt><a class=gbzt id=gb_8 href="https://maps.google
                                                                                                  2022-07-26 19:52:11 UTC41INData Raw: 2f 61 3e 3c 73 63 72 69 70 74 20 6e 6f 6e 63 65 3d 27 66 44 46 72 55 61 53 6d 42 76 53 61 58 55 6c 69 51 49 66 61 58 67 27 3e 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 67 62 7a 74 6d 27 29 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 27 63 6c 69 63 6b 27 2c 20 66 75 6e 63 74 69 6f 6e 20 63 6c 69 63 6b 48 61 6e 64 6c 65 72 28 29 20 7b 20 67 62 61 72 2e 74 67 28 65 76 65 6e 74 2c 74 68 69 73 29 3b 20 7d 29 3b 3c 2f 73 63 72 69 70 74 3e 3c 64 69 76 20 63 6c 61 73 73 3d 67 62 6d 20 69 64 3d 67 62 64 20 61 72 69 61 2d 6f 77 6e 65 72 3d 67 62 7a 74 6d 3e 3c 64 69 76 20 69 64 3d 67 62 6d 6d 62 20 63 6c 61 73 73 3d 22 67 62 6d 63 20 67 62 73 62 20 67 62 73 62 69 73 22 3e 3c 6f 6c 20 69 64 3d 67 62 6d 6d 20 63 6c 61 73 73
                                                                                                  Data Ascii: /a><script nonce='fDFrUaSmBvSaXUliQIfaXg'>document.getElementById('gbztm').addEventListener('click', function clickHandler() { gbar.tg(event,this); });</script><div class=gbm id=gbd aria-owner=gbztm><div id=gbmmb class="gbmc gbsb gbsbis"><ol id=gbmm class
                                                                                                  2022-07-26 19:52:11 UTC42INData Raw: 74 6c 2f 64 65 2f 61 62 6f 75 74 2f 70 72 6f 64 75 63 74 73 3f 74 61 62 3d 77 68 22 20 63 6c 61 73 73 3d 67 62 6d 74 3e 4e 6f 63 68 20 6d 65 68 72 20 26 72 61 71 75 6f 3b 3c 2f 61 3e 3c 73 63 72 69 70 74 20 6e 6f 6e 63 65 3d 27 66 44 46 72 55 61 53 6d 42 76 53 61 58 55 6c 69 51 49 66 61 58 67 27 3e 64 6f 63 75 6d 65 6e 74 2e 71 75 65 72 79 53 65 6c 65 63 74 6f 72 28 27 6c 69 20 3e 20 61 2e 67 62 6d 74 27 29 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 27 63 6c 69 63 6b 27 2c 20 66 75 6e 63 74 69 6f 6e 20 63 6c 69 63 6b 48 61 6e 64 6c 65 72 28 29 20 7b 20 67 62 61 72 2e 6c 6f 67 67 65 72 2e 69 6c 28 31 2c 7b 74 3a 36 36 7d 29 3b 3b 20 7d 29 3b 3c 2f 73 63 72 69 70 74 3e 3c 2f 6c 69 3e 3c 2f 6f 6c 3e 3c 64 69 76 20 63 6c 61 73 73 3d 67 62 73 62 74
                                                                                                  Data Ascii: tl/de/about/products?tab=wh" class=gbmt>Noch mehr &raquo;</a><script nonce='fDFrUaSmBvSaXUliQIfaXg'>document.querySelector('li > a.gbmt').addEventListener('click', function clickHandler() { gbar.logger.il(1,{t:66});; });</script></li></ol><div class=gbsbt
                                                                                                  2022-07-26 19:52:11 UTC43INData Raw: 20 63 6c 61 73 73 3d 22 67 62 6d 74 20 67 62 6d 68 22 3e 3c 2f 64 69 76 3e 3c 2f 6c 69 3e 3c 6c 69 20 63 6c 61 73 73 3d 22 67 62 6b 70 20 67 62 6d 74 63 22 3e 3c 61 20 63 6c 61 73 73 3d 67 62 6d 74 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 64 65 2f 68 69 73 74 6f 72 79 2f 6f 70 74 6f 75 74 3f 68 6c 3d 64 65 22 3e 57 65 62 70 72 6f 74 6f 6b 6f 6c 6c 3c 2f 61 3e 3c 2f 6c 69 3e 3c 2f 6f 6c 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 6c 69 3e 3c 2f 6f 6c 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 69 64 3d 67 62 78 33 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 69 64 3d 67 62 78 34 3e 3c 2f 64 69 76 3e 3c 73 63 72 69 70 74 20 6e 6f 6e 63 65 3d 27 66 44 46 72 55 61 53 6d 42 76 53 61 58 55 6c 69 51 49 66 61 58 67 27 3e 77 69
                                                                                                  Data Ascii: class="gbmt gbmh"></div></li><li class="gbkp gbmtc"><a class=gbmt href="http://www.google.de/history/optout?hl=de">Webprotokoll</a></li></ol></div></div></li></ol></div></div><div id=gbx3></div><div id=gbx4></div><script nonce='fDFrUaSmBvSaXUliQIfaXg'>wi
                                                                                                  2022-07-26 19:52:11 UTC45INData Raw: 72 3a 23 30 30 30 22 20 61 75 74 6f 63 6f 6d 70 6c 65 74 65 3d 22 6f 66 66 22 20 76 61 6c 75 65 3d 22 22 20 74 69 74 6c 65 3d 22 47 6f 6f 67 6c 65 20 53 75 63 68 65 22 20 6d 61 78 6c 65 6e 67 74 68 3d 22 32 30 34 38 22 20 6e 61 6d 65 3d 22 71 22 20 73 69 7a 65 3d 22 35 37 22 3e 3c 2f 64 69 76 3e 3c 62 72 20 73 74 79 6c 65 3d 22 6c 69 6e 65 2d 68 65 69 67 68 74 3a 30 22 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 64 73 22 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 6c 73 62 62 22 3e 3c 69 6e 70 75 74 20 63 6c 61 73 73 3d 22 6c 73 62 22 20 76 61 6c 75 65 3d 22 47 6f 6f 67 6c 65 20 53 75 63 68 65 22 20 6e 61 6d 65 3d 22 62 74 6e 47 22 20 74 79 70 65 3d 22 73 75 62 6d 69 74 22 3e 3c 2f 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 64
                                                                                                  Data Ascii: r:#000" autocomplete="off" value="" title="Google Suche" maxlength="2048" name="q" size="57"></div><br style="line-height:0"><span class="ds"><span class="lsbb"><input class="lsb" value="Google Suche" name="btnG" type="submit"></span></span><span class="d
                                                                                                  2022-07-26 19:52:11 UTC46INData Raw: 22 29 29 7b 76 61 72 20 66 3d 67 6f 6f 67 6c 65 2e 67 62 76 75 2c 67 3d 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 67 62 76 22 29 3b 67 26 26 28 67 2e 76 61 6c 75 65 3d 61 29 3b 66 26 26 77 69 6e 64 6f 77 2e 73 65 74 54 69 6d 65 6f 75 74 28 66 75 6e 63 74 69 6f 6e 28 29 7b 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 66 7d 2c 30 29 7d 3b 7d 29 2e 63 61 6c 6c 28 74 68 69 73 29 3b 3c 2f 73 63 72 69 70 74 3e 3c 2f 66 6f 72 6d 3e 3c 64 69 76 20 69 64 3d 22 67 61 63 5f 73 63 6f 6e 74 22 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 38 33 25 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 33 2e 35 65 6d 22 3e 3c 62 72 3e 3c 2f 64 69 76 3e 3c 73 70 61 6e 20 69 64 3d 22 66 6f 6f 74 65 72 22 3e 3c 64 69 76
                                                                                                  Data Ascii: ")){var f=google.gbvu,g=document.getElementById("gbv");g&&(g.value=a);f&&window.setTimeout(function(){location.href=f},0)};}).call(this);</script></form><div id="gac_scont"></div><div style="font-size:83%;min-height:3.5em"><br></div><span id="footer"><div
                                                                                                  2022-07-26 19:52:11 UTC47INData Raw: 6f 67 6c 65 2e 78 6a 73 3d 7b 63 6b 3a 27 78 6a 73 2e 68 70 2e 77 6d 41 44 68 50 41 49 6c 69 77 2e 4c 2e 58 2e 4f 27 2c 63 73 3a 27 41 43 54 39 30 6f 46 6c 78 67 62 76 56 42 4b 69 51 78 70 54 6d 4a 73 47 4d 49 70 6e 77 79 38 59 65 41 27 2c 65 78 63 6d 3a 5b 5d 7d 3b 7d 29 28 29 3b 3c 2f 73 63 72 69 70 74 3e 20 20 3c 73 63 72 69 70 74 20 6e 6f 6e 63 65 3d 22 66 44 46 72 55 61 53 6d 42 76 53 61 58 55 6c 69 51 49 66 61 58 67 22 3e 28 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 20 75 3d 27 2f 78 6a 73 2f 5f 2f 6a 73 2f 6b 5c 78 33 64 78 6a 73 2e 68 70 2e 65 6e 2e 45 64 2d 6e 4d 73 6a 61 37 64 63 2e 4f 2f 61 6d 5c 78 33 64 41 4d 41 54 41 49 41 45 41 45 67 2f 64 5c 78 33 64 31 2f 65 64 5c 78 33 64 31 2f 72 73 5c 78 33 64 41 43 54 39 30 6f 45 71 59 63 78 37 44 65
                                                                                                  Data Ascii: ogle.xjs={ck:'xjs.hp.wmADhPAIliw.L.X.O',cs:'ACT90oFlxgbvVBKiQxpTmJsGMIpnwy8YeA',excm:[]};})();</script> <script nonce="fDFrUaSmBvSaXUliQIfaXg">(function(){var u='/xjs/_/js/k\x3dxjs.hp.en.Ed-nMsja7dc.O/am\x3dAMATAIAEAEg/d\x3d1/ed\x3d1/rs\x3dACT90oEqYcx7De
                                                                                                  2022-07-26 19:52:11 UTC48INData Raw: 2e 70 73 61 3d 21 30 7d 3b 67 6f 6f 67 6c 65 2e 78 6a 73 75 3d 75 3b 73 65 74 54 69 6d 65 6f 75 74 28 66 75 6e 63 74 69 6f 6e 28 29 7b 6e 28 29 7d 2c 30 29 3b 7d 29 28 29 3b 66 75 6e 63 74 69 6f 6e 20 5f 44 75 6d 70 45 78 63 65 70 74 69 6f 6e 28 65 29 7b 74 68 72 6f 77 20 65 3b 7d 0a 66 75 6e 63 74 69 6f 6e 20 5f 46 5f 69 6e 73 74 61 6c 6c 43 73 73 28 63 29 7b 7d 0a 28 66 75 6e 63 74 69 6f 6e 28 29 7b 67 6f 6f 67 6c 65 2e 6a 6c 3d 7b 61 74 74 6e 3a 66 61 6c 73 65 2c 62 6c 74 3a 27 6e 6f 6e 65 27 2c 63 68 6e 6b 3a 30 2c 64 77 3a 66 61 6c 73 65 2c 64 77 75 3a 74 72 75 65 2c 65 6d 74 6e 3a 30 2c 65 6e 64 3a 30 2c 69 6e 65 3a 66 61 6c 73 65 2c 69 6e 6a 73 3a 27 6e 6f 6e 65 27 2c 69 6e 6a 74 3a 30 2c 69 6e 6a 74 68 3a 30 2c 69 6e 6a 76 32 3a 66 61 6c 73 65 2c
                                                                                                  Data Ascii: .psa=!0};google.xjsu=u;setTimeout(function(){n()},0);})();function _DumpException(e){throw e;}function _F_installCss(c){}(function(){google.jl={attn:false,blt:'none',chnk:0,dw:false,dwu:true,emtn:0,end:0,ine:false,injs:'none',injt:0,injth:0,injv2:false,
                                                                                                  2022-07-26 19:52:11 UTC50INData Raw: 32 32 3a 66 61 6c 73 65 7d 7d 27 3b 67 6f 6f 67 6c 65 2e 70 6d 63 3d 4a 53 4f 4e 2e 70 61 72 73 65 28 70 6d 63 29 3b 7d 29 28 29 3b 3c 2f 73 63 72 69 70 74 3e 20 20 20 20 20 20 20 20 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                  Data Ascii: 22:false}}';google.pmc=JSON.parse(pmc);})();</script> </body></html>
                                                                                                  2022-07-26 19:52:11 UTC50INData Raw: 30 0d 0a 0d 0a
                                                                                                  Data Ascii: 0


Session ID: 1
Source IP: 192.168.2.5
Source Port: 49765
Destination IP: 142.250.185.228
Destination Port: 443
Process: C:\Users\user\Desktop\D6GEVBNNH11111.exe
Timestamp: 2022-07-26 19:52:29 UTC  kBytes transferred: 50  Direction: OUT
Data:
GET / HTTP/1.1
                                                                                                  Host: www.google.com
                                                                                                  Connection: Keep-Alive
Timestamp: 2022-07-26 19:52:29 UTC  kBytes transferred: 50  Direction: IN
Data:
HTTP/1.1 200 OK
                                                                                                  Date: Tue, 26 Jul 2022 19:52:29 GMT
                                                                                                  Expires: -1
                                                                                                  Cache-Control: private, max-age=0
                                                                                                  Content-Type: text/html; charset=ISO-8859-1
                                                                                                  P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                                                                                                  Server: gws
                                                                                                  X-XSS-Protection: 0
                                                                                                  X-Frame-Options: SAMEORIGIN
                                                                                                  Set-Cookie: AEC=AakniGPQGNTOXTn2U_dfUdlkgNz27QLxm6ype6mzSutvzm-aw4GaD4KAIBQ; expires=Sun, 22-Jan-2023 19:52:29 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
                                                                                                  Set-Cookie: __Secure-ENID=6.SE=Gy_CFQfOKbc429rgImfYMiXgU-UJSjnZkhfkkxv_JDQ2UipYvpCD4N1jxm0LeZ9gMs8R_j3Lh0Yhk2hwGFooETRGiucrCiziTm9DJtJEL6poy_Y9pyPu3HSOoNBtTJ5mX2e6N1PdWWWAfOE1OQ4ocHY7jB4SvY9Tl7nkYrLxRHo; expires=Sat, 26-Aug-2023 12:10:47 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
                                                                                                  Set-Cookie: CONSENT=PENDING+716; expires=Thu, 25-Jul-2024 19:52:29 GMT; path=/; domain=.google.com; Secure
                                                                                                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
                                                                                                  Accept-Ranges: none
                                                                                                  Vary: Accept-Encoding
                                                                                                  Connection: close
                                                                                                  Transfer-Encoding: chunked
                                                                                                  2022-07-26 19:52:29 UTC51INData Raw: 35 38 62 33 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 69 74 65 6d 73 63 6f 70 65 3d 22 22 20 69 74 65 6d 74 79 70 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 2e 6f 72 67 2f 57 65 62 50 61 67 65 22 20 6c 61 6e 67 3d 22 64 65 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e
                                                                                                  Data Ascii: 58b3<!doctype html><html itemscope="" itemtype="http://schema.org/WebPage" lang="de"><head><meta content="text/html; charset=UTF-8" http-equiv="Content-Type"><meta conten
                                                                                                  2022-07-26 19:52:29 UTC51INData Raw: 74 3d 22 2f 6c 6f 67 6f 73 2f 64 6f 6f 64 6c 65 73 2f 32 30 32 32 2f 63 65 6c 65 62 72 61 74 69 6e 67 2d 73 74 65 65 6c 70 61 6e 2d 36 37 35 33 36 35 31 38 33 37 31 30 38 34 36 37 2e 34 2d 6c 2e 70 6e 67 22 20 69 74 65 6d 70 72 6f 70 3d 22 69 6d 61 67 65 22 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 57 69 72 20 66 65 69 65 72 6e 20 64 69 65 20 53 74 65 65 6c 20 50 61 6e 22 20 70 72 6f 70 65 72 74 79 3d 22 74 77 69 74 74 65 72 3a 74 69 74 6c 65 22 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 57 69 72 20 66 65 69 65 72 6e 20 64 69 65 20 53 74 65 65 6c 20 50 61 6e 21 20 23 47 6f 6f 67 6c 65 44 6f 6f 64 6c 65 22 20 70 72 6f 70 65 72 74 79 3d 22 74 77 69 74 74 65 72 3a 64 65 73 63 72 69 70 74 69 6f 6e 22 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22
                                                                                                  Data Ascii: t="/logos/doodles/2022/celebrating-steelpan-6753651837108467.4-l.png" itemprop="image"><meta content="Wir feiern die Steel Pan" property="twitter:title"><meta content="Wir feiern die Steel Pan! #GoogleDoodle" property="twitter:description"><meta content="
                                                                                                  2022-07-26 19:52:29 UTC52INData Raw: 30 31 2c 33 35 31 34 2c 36 30 36 2c 32 30 32 33 2c 31 37 37 37 2c 35 32 30 2c 36 33 34 34 2c 38 33 32 36 2c 33 32 32 37 2c 32 38 34 35 2c 37 2c 35 35 39 39 2c 32 38 31 37 31 2c 31 38 35 31 2c 36 33 39 38 2c 39 33 35 38 2c 31 2c 32 2c 33 34 36 2c 32 33 30 2c 36 31 38 32 2c 32 37 37 2c 31 34 39 2c 31 33 39 37 35 2c 34 2c 31 35 32 38 2c 32 33 30 34 2c 37 30 33 39 2c 32 30 33 30 39 2c 34 37 36 34 2c 32 36 35 38 2c 37 33 35 36 2c 31 33 36 35 39 2c 34 34 33 37 2c 31 36 37 38 36 2c 35 38 32 31 2c 32 35 33 36 2c 34 30 39 32 2c 32 2c 34 30 35 32 2c 33 2c 33 35 34 31 2c 31 2c 34 32 31 35 34 2c 32 2c 31 34 30 32 32 2c 31 34 31 31 36 2c 31 31 36 32 33 2c 35 36 37 39 2c 31 30 32 31 2c 32 33 37 39 2c 32 30 39 36 32 2c 32 2c 31 2c 39 2c 37 37 36 38 2c 34 35 36 39 2c 36
                                                                                                  Data Ascii: 01,3514,606,2023,1777,520,6344,8326,3227,2845,7,5599,28171,1851,6398,9358,1,2,346,230,6182,277,149,13975,4,1528,2304,7039,20309,4764,2658,7356,13659,4437,16786,5821,2536,4092,2,4052,3,3541,1,42154,2,14022,14116,11623,5679,1021,2379,20962,2,1,9,7768,4569,6
                                                                                                  2022-07-26 19:52:29 UTC54INData Raw: 3d 3d 62 2e 73 65 61 72 63 68 28 22 26 63 73 68 69 64 3d 22 29 26 26 22 73 6c 68 22 21 3d 3d 61 26 26 28 64 3d 22 26 63 73 68 69 64 3d 22 2b 66 2e 5f 63 73 68 69 64 29 3b 63 3d 63 7c 7c 22 2f 22 2b 28 67 7c 7c 22 67 65 6e 5f 32 30 34 22 29 2b 22 3f 61 74 79 70 3d 69 26 63 74 3d 22 2b 61 2b 22 26 63 61 64 3d 22 2b 62 2b 65 2b 22 26 7a 78 3d 22 2b 44 61 74 65 2e 6e 6f 77 28 29 2b 64 3b 2f 5e 68 74 74 70 3a 2f 69 2e 74 65 73 74 28 63 29 26 26 22 68 74 74 70 73 3a 22 3d 3d 3d 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 70 72 6f 74 6f 63 6f 6c 26 26 28 67 6f 6f 67 6c 65 2e 6d 6c 26 26 67 6f 6f 67 6c 65 2e 6d 6c 28 45 72 72 6f 72 28 22 61 22 29 2c 21 31 2c 7b 73 72 63 3a 63 2c 67 6c 6d 6d 3a 31 7d 29 2c 63 3d 22 22 29 3b 72 65 74 75 72 6e 20 63 7d 3b 68 3d
                                                                                                  Data Ascii: ==b.search("&cshid=")&&"slh"!==a&&(d="&cshid="+f._cshid);c=c||"/"+(g||"gen_204")+"?atyp=i&ct="+a+"&cad="+b+e+"&zx="+Date.now()+d;/^http:/i.test(c)&&"https:"===window.location.protocol&&(google.ml&&google.ml(Error("a"),!1,{src:c,glmm:1}),c="");return c};h=
                                                                                                  2022-07-26 19:52:29 UTC55INData Raw: 6c 65 6d 65 6e 74 3b 61 3d 61 2e 70 61 72 65 6e 74 45 6c 65 6d 65 6e 74 29 69 66 28 22 41 22 3d 3d 3d 61 2e 74 61 67 4e 61 6d 65 29 7b 61 3d 22 31 22 3d 3d 3d 61 2e 67 65 74 41 74 74 72 69 62 75 74 65 28 22 64 61 74 61 2d 6e 6f 68 72 65 66 22 29 3b 62 72 65 61 6b 20 61 7d 61 3d 21 31 7d 61 26 26 62 2e 70 72 65 76 65 6e 74 44 65 66 61 75 6c 74 28 29 7d 2c 21 30 29 3b 7d 29 2e 63 61 6c 6c 28 74 68 69 73 29 3b 3c 2f 73 63 72 69 70 74 3e 3c 73 74 79 6c 65 3e 23 67 62 7b 66 6f 6e 74 3a 31 33 70 78 2f 32 37 70 78 20 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 68 65 69 67 68 74 3a 33 30 70 78 7d 23 67 62 7a 2c 23 67 62 67 7b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 77 68 69 74 65 2d 73 70 61 63 65 3a 6e 6f 77 72 61 70 3b 74 6f 70 3a 30 3b 68
                                                                                                  Data Ascii: lement;a=a.parentElement)if("A"===a.tagName){a="1"===a.getAttribute("data-nohref");break a}a=!1}a&&b.preventDefault()},!0);}).call(this);</script><style>#gb{font:13px/27px Arial,sans-serif;height:30px}#gbz,#gbg{position:absolute;white-space:nowrap;top:0;h
                                                                                                  2022-07-26 19:52:29 UTC56INData Raw: 70 78 20 31 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 2e 32 29 7d 2e 67 62 74 6f 20 2e 67 62 6d 2c 2e 67 62 74 6f 20 23 67 62 73 7b 74 6f 70 3a 32 39 70 78 3b 76 69 73 69 62 69 6c 69 74 79 3a 76 69 73 69 62 6c 65 7d 23 67 62 7a 20 2e 67 62 6d 7b 6c 65 66 74 3a 30 7d 23 67 62 67 20 2e 67 62 6d 7b 72 69 67 68 74 3a 30 7d 2e 67 62 78 6d 73 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 63 63 63 3b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 3b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 7a 2d 69 6e 64 65 78 3a 31 3b 74 6f 70 3a 2d 31 70 78 3b 6c 65 66 74 3a 2d 32 70 78 3b 72 69 67 68 74 3a 2d 32 70 78 3b 62 6f 74 74 6f 6d 3a 2d 32 70 78 3b 6f 70 61 63 69 74 79 3a 2e 34 3b 2d 6d 6f 7a 2d 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 33 70 78 3b 66
                                                                                                  Data Ascii: px 1px rgba(0,0,0,.2)}.gbto .gbm,.gbto #gbs{top:29px;visibility:visible}#gbz .gbm{left:0}#gbg .gbm{right:0}.gbxms{background-color:#ccc;display:block;position:absolute;z-index:1;top:-1px;left:-2px;right:-2px;bottom:-2px;opacity:.4;-moz-border-radius:3px;f
                                                                                                  2022-07-26 19:52:29 UTC57INData Raw: 62 74 73 7b 62 6f 72 64 65 72 2d 6c 65 66 74 3a 31 70 78 20 73 6f 6c 69 64 20 74 72 61 6e 73 70 61 72 65 6e 74 3b 62 6f 72 64 65 72 2d 72 69 67 68 74 3a 31 70 78 20 73 6f 6c 69 64 20 74 72 61 6e 73 70 61 72 65 6e 74 3b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 3b 2a 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 70 61 64 64 69 6e 67 3a 30 20 35 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7a 2d 69 6e 64 65 78 3a 31 30 30 30 7d 2e 67 62 74 73 7b 2a 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 7d 2e 67 62 7a 74 20 2e 67 62 74 73 7b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 7a 6f 6f 6d 3a 31 7d 2e 67 62 74 6f 20 2e 67 62 74 73 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 23 62 65 62
                                                                                                  Data Ascii: bts{border-left:1px solid transparent;border-right:1px solid transparent;display:block;*display:inline-block;padding:0 5px;position:relative;z-index:1000}.gbts{*display:inline}.gbzt .gbts{display:inline;zoom:1}.gbto .gbts{background:#fff;border-color:#beb
                                                                                                  2022-07-26 19:52:29 UTC59INData Raw: 32 39 70 78 20 35 70 78 20 31 70 78 3b 2a 70 61 64 64 69 6e 67 3a 32 37 70 78 20 35 70 78 20 31 70 78 7d 23 67 62 69 34 69 2c 23 67 62 69 34 69 64 7b 6c 65 66 74 3a 35 70 78 3b 62 6f 72 64 65 72 3a 30 3b 68 65 69 67 68 74 3a 32 34 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 74 6f 70 3a 31 70 78 3b 77 69 64 74 68 3a 32 34 70 78 7d 2e 67 62 74 6f 20 23 67 62 69 34 69 2c 2e 67 62 74 6f 20 23 67 62 69 34 69 64 7b 74 6f 70 3a 33 70 78 7d 2e 67 62 69 34 70 7b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 3b 77 69 64 74 68 3a 32 34 70 78 7d 23 67 62 69 34 69 64 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 70 6f 73 69 74 69 6f 6e 3a 2d 34 34 70 78 20 2d 31 30 31 70 78 7d 23 67 62 6d 70 69 64 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 70 6f 73 69 74 69 6f 6e 3a 30 20
                                                                                                  Data Ascii: 29px 5px 1px;*padding:27px 5px 1px}#gbi4i,#gbi4id{left:5px;border:0;height:24px;position:absolute;top:1px;width:24px}.gbto #gbi4i,.gbto #gbi4id{top:3px}.gbi4p{display:block;width:24px}#gbi4id{background-position:-44px -101px}#gbmpid{background-position:0
                                                                                                  2022-07-26 19:52:29 UTC60INData Raw: 6c 69 6e 65 3a 6e 6f 6e 65 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 75 6e 64 65 72 6c 69 6e 65 20 21 69 6d 70 6f 72 74 61 6e 74 7d 23 67 62 70 6d 20 2e 67 62 6d 6c 31 7b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 3b 77 68 69 74 65 2d 73 70 61 63 65 3a 6e 6f 77 72 61 70 7d 2e 67 62 6d 6c 62 2c 2e 67 62 6d 6c 62 3a 76 69 73 69 74 65 64 7b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 32 37 70 78 7d 2e 67 62 6d 6c 62 2d 68 76 72 2c 2e 67 62 6d 6c 62 3a 66 6f 63 75 73 7b 6f 75 74 6c 69 6e 65 3a 6e 6f 6e 65 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 75 6e 64 65 72 6c 69 6e 65 20 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 67 62 6d 6c 62 77 7b 63 6f 6c 6f 72 3a 23 63 63 63 3b 6d 61 72 67 69 6e 3a 30 20 31
                                                                                                  Data Ascii: line:none;text-decoration:underline !important}#gbpm .gbml1{display:inline;margin:0;padding:0;white-space:nowrap}.gbmlb,.gbmlb:visited{line-height:27px}.gbmlb-hvr,.gbmlb:focus{outline:none;text-decoration:underline !important}.gbmlbw{color:#ccc;margin:0 1
                                                                                                  2022-07-26 19:52:29 UTC61INData Raw: 61 79 3a 69 6e 6c 69 6e 65 7d 2e 67 62 70 63 20 2e 67 62 70 73 2c 2e 67 62 70 63 20 2e 67 62 70 73 32 7b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 3b 6d 61 72 67 69 6e 3a 30 20 32 30 70 78 7d 23 67 62 6d 70 6c 70 2e 67 62 70 73 7b 6d 61 72 67 69 6e 3a 30 20 31 30 70 78 7d 2e 67 62 70 63 20 2e 67 62 70 73 7b 63 6f 6c 6f 72 3a 23 30 30 30 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 7d 2e 67 62 70 63 20 2e 67 62 70 64 7b 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 35 70 78 7d 2e 67 62 70 64 20 2e 67 62 6d 74 2c 2e 67 62 70 64 20 2e 67 62 70 73 7b 63 6f 6c 6f 72 3a 23 36 36 36 20 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 67 62 70 64 20 2e 67 62 6d 74 7b 6f 70 61 63 69 74 79 3a 2e 34 3b 66 69 6c 74 65 72 3a 61 6c 70 68 61 28 6f 70 61 63 69 74 79 3d 34 30 29 7d 2e
                                                                                                  Data Ascii: ay:inline}.gbpc .gbps,.gbpc .gbps2{display:block;margin:0 20px}#gbmplp.gbps{margin:0 10px}.gbpc .gbps{color:#000;font-weight:bold}.gbpc .gbpd{margin-bottom:5px}.gbpd .gbmt,.gbpd .gbps{color:#666 !important}.gbpd .gbmt{opacity:.4;filter:alpha(opacity=40)}.
                                                                                                  2022-07-26 19:52:29 UTC63INData Raw: 31 30 70 78 20 30 3b 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 74 6f 70 7d 0a 2e 67 62 71 66 62 2c 2e 67 62 71 66 62 61 2c 2e 67 62 71 66 62 62 7b 2d 6d 6f 7a 2d 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 32 70 78 3b 2d 77 65 62 6b 69 74 2d 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 32 70 78 3b 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 32 70 78 3b 63 75 72 73 6f 72 3a 64 65 66 61 75 6c 74 20 21 69 6d 70 6f 72 74 61 6e 74 3b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 68 65 69 67 68 74 3a 32 39 70 78 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 32 39 70 78 3b 6d 69 6e 2d 77 69 64 74 68 3a 35 34 70 78 3b 2a 6d 69 6e 2d 77 69 64 74 68 3a 37 30 70 78 3b 70 61 64 64 69 6e 67 3a 30 20 38 70 78 3b
                                                                                                  Data Ascii: 10px 0;vertical-align:top}.gbqfb,.gbqfba,.gbqfbb{-moz-border-radius:2px;-webkit-border-radius:2px;border-radius:2px;cursor:default !important;display:inline-block;font-weight:bold;height:29px;line-height:29px;min-width:54px;*min-width:70px;padding:0 8px;
                                                                                                  2022-07-26 19:52:29 UTC64INData Raw: 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 34 64 39 30 66 65 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 2d 77 65 62 6b 69 74 2d 67 72 61 64 69 65 6e 74 28 6c 69 6e 65 61 72 2c 6c 65 66 74 20 74 6f 70 2c 6c 65 66 74 20 62 6f 74 74 6f 6d 2c 66 72 6f 6d 28 23 34 64 39 30 66 65 29 2c 74 6f 28 23 34 37 38 37 65 64 29 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 2d 77 65 62 6b 69 74 2d 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 70 2c 23 34 64 39 30 66 65 2c 23 34 37 38 37 65 64 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 2d 6d 6f 7a 2d 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 70 2c 23 34 64 39 30 66 65 2c 23 34 37 38 37 65 64 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 2d 6d 73 2d 6c 69 6e
                                                                                                  Data Ascii: ground-color:#4d90fe;background-image:-webkit-gradient(linear,left top,left bottom,from(#4d90fe),to(#4787ed));background-image:-webkit-linear-gradient(top,#4d90fe,#4787ed);background-image:-moz-linear-gradient(top,#4d90fe,#4787ed);background-image:-ms-lin
                                                                                                  2022-07-26 19:52:29 UTC65INData Raw: 67 72 61 64 69 65 6e 74 28 6c 69 6e 65 61 72 2c 6c 65 66 74 20 74 6f 70 2c 6c 65 66 74 20 62 6f 74 74 6f 6d 2c 66 72 6f 6d 28 23 66 35 66 35 66 35 29 2c 74 6f 28 23 66 31 66 31 66 31 29 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 2d 77 65 62 6b 69 74 2d 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 70 2c 23 66 35 66 35 66 35 2c 23 66 31 66 31 66 31 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 2d 6d 6f 7a 2d 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 70 2c 23 66 35 66 35 66 35 2c 23 66 31 66 31 66 31 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 2d 6d 73 2d 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 70 2c 23 66 35 66 35 66 35 2c 23 66 31 66 31 66 31 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69
                                                                                                  Data Ascii: gradient(linear,left top,left bottom,from(#f5f5f5),to(#f1f1f1));background-image:-webkit-linear-gradient(top,#f5f5f5,#f1f1f1);background-image:-moz-linear-gradient(top,#f5f5f5,#f1f1f1);background-image:-ms-linear-gradient(top,#f5f5f5,#f1f1f1);background-i
                                                                                                  2022-07-26 19:52:29 UTC66INData Raw: 28 74 6f 70 2c 23 66 66 66 2c 23 66 62 66 62 66 62 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 70 2c 23 66 66 66 2c 23 66 62 66 62 66 62 29 3b 66 69 6c 74 65 72 3a 70 72 6f 67 69 64 3a 44 58 49 6d 61 67 65 54 72 61 6e 73 66 6f 72 6d 2e 4d 69 63 72 6f 73 6f 66 74 2e 67 72 61 64 69 65 6e 74 28 73 74 61 72 74 43 6f 6c 6f 72 53 74 72 3d 27 23 66 66 66 66 66 66 27 2c 45 6e 64 43 6f 6c 6f 72 53 74 72 3d 27 23 66 62 66 62 66 62 27 29 7d 2e 67 62 71 66 62 62 2d 68 76 72 2c 2e 67 62 71 66 62 62 2d 68 76 72 3a 61 63 74 69 76 65 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 66 66 66 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 2d 77 65 62 6b 69 74 2d 67 72 61 64 69 65 6e 74 28 6c
                                                                                                  Data Ascii: (top,#fff,#fbfbfb);background-image:linear-gradient(top,#fff,#fbfbfb);filter:progid:DXImageTransform.Microsoft.gradient(startColorStr='#ffffff',EndColorStr='#fbfbfb')}.gbqfbb-hvr,.gbqfbb-hvr:active{background-color:#fff;background-image:-webkit-gradient(l
                                                                                                  2022-07-26 19:52:29 UTC68INData Raw: 70 2c 72 69 67 68 74 20 74 6f 70 2c 63 6f 6c 6f 72 2d 73 74 6f 70 28 30 2c 72 67 62 61 28 30 2c 30 2c 30 2c 2e 31 29 29 2c 63 6f 6c 6f 72 2d 73 74 6f 70 28 2e 35 2c 72 67 62 61 28 30 2c 30 2c 30 2c 2e 38 29 29 2c 63 6f 6c 6f 72 2d 73 74 6f 70 28 31 2c 72 67 62 61 28 30 2c 30 2c 30 2c 2e 31 29 29 29 3b 6c 65 66 74 3a 30 3b 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 30 3b 6f 70 61 63 69 74 79 3a 30 3b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 77 69 64 74 68 3a 31 30 30 25 7d 2e 67 62 73 62 20 2e 67 62 73 62 74 3a 61 66 74 65 72 2c 2e 67 62 73 62 20 2e 67 62 73 62 62 3a 61 66 74 65 72 7b 63 6f 6e 74 65 6e 74 3a 22 22 3b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 3b 68 65 69 67 68 74 3a 30 3b 6c 65 66 74 3a 30 3b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c
                                                                                                  Data Ascii: p,right top,color-stop(0,rgba(0,0,0,.1)),color-stop(.5,rgba(0,0,0,.8)),color-stop(1,rgba(0,0,0,.1)));left:0;margin-right:0;opacity:0;position:absolute;width:100%}.gbsb .gbsbt:after,.gbsb .gbsbb:after{content:"";display:block;height:0;left:0;position:absol
                                                                                                  2022-07-26 19:52:29 UTC69INData Raw: 2c 30 2c 2e 32 29 2c 72 67 62 61 28 30 2c 30 2c 30 2c 30 29 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 2d 6f 2d 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 62 6f 74 74 6f 6d 2c 72 67 62 61 28 30 2c 30 2c 30 2c 2e 32 29 2c 72 67 62 61 28 30 2c 30 2c 30 2c 30 29 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 62 6f 74 74 6f 6d 2c 72 67 62 61 28 30 2c 30 2c 30 2c 2e 32 29 2c 72 67 62 61 28 30 2c 30 2c 30 2c 30 29 29 3b 62 6f 74 74 6f 6d 3a 30 3b 68 65 69 67 68 74 3a 34 70 78 7d 2e 67 62 73 62 20 2e 67 62 73 62 62 3a 61 66 74 65 72 7b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 31 70 78 20 73 6f 6c 69 64 20 23 65 62 65 62 65 62 3b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 72 67 62 61 28 30
                                                                                                  Data Ascii: ,0,.2),rgba(0,0,0,0));background-image:-o-linear-gradient(bottom,rgba(0,0,0,.2),rgba(0,0,0,0));background-image:linear-gradient(bottom,rgba(0,0,0,.2),rgba(0,0,0,0));bottom:0;height:4px}.gbsb .gbsbb:after{border-bottom:1px solid #ebebeb;border-color:rgba(0
                                                                                                  2022-07-26 19:52:29 UTC70INData Raw: 2e 6c 73 62 3a 61 63 74 69 76 65 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 64 61 64 63 65 30 7d 2e 6c 73 74 3a 66 6f 63 75 73 7b 6f 75 74 6c 69 6e 65 3a 6e 6f 6e 65 7d 3c 2f 73 74 79 6c 65 3e 3c 73 63 72 69 70 74 20 6e 6f 6e 63 65 3d 22 6c 41 56 42 49 34 71 6e 50 67 54 6a 6e 5a 41 7a 32 31 79 4d 65 67 22 3e 28 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 67 6f 6f 67 6c 65 2e 65 72 64 3d 7b 6a 73 72 3a 31 2c 62 76 3a 31 36 32 35 2c 64 65 3a 74 72 75 65 7d 3b 0a 76 61 72 20 66 3d 74 68 69 73 7c 7c 73 65 6c 66 3b 76 61 72 20 67 2c 68 3d 6e 75 6c 6c 21 3d 28 67 3d 66 2e 6d 65 69 29 3f 67 3a 31 2c 6d 2c 6e 3d 6e 75 6c 6c 21 3d 28 6d 3d 66 2e 73 64 6f 29 3f 6d 3a 21 30 2c 70 3d 30 2c 71 2c 72 3d 67 6f 6f 67 6c 65 2e 65 72 64 2c 75 3d 72 2e 6a 73 72 3b 67
                                                                                                  Data Ascii: .lsb:active{background:#dadce0}.lst:focus{outline:none}</style><script nonce="lAVBI4qnPgTjnZAz21yMeg">(function(){window.google.erd={jsr:1,bv:1625,de:true};var f=this||self;var g,h=null!=(g=f.mei)?g:1,m,n=null!=(m=f.sdo)?m:!0,p=0,q,r=google.erd,u=r.jsr;g
                                                                                                  2022-07-26 19:52:29 UTC71INData Raw: 2e 6d 6c 28 61 2c 21 31 2c 76 6f 69 64 20 30 2c 21 31 2c 22 53 79 6e 74 61 78 45 72 72 6f 72 22 3d 3d 3d 61 2e 6e 61 6d 65 7c 7c 22 53 79 6e 74 61 78 45 72 72 6f 72 22 3d 3d 3d 61 2e 6d 65 73 73 61 67 65 2e 73 75 62 73 74 72 69 6e 67 28 30 2c 31 31 29 7c 7c 30 3c 61 2e 6d 65 73 73 61 67 65 2e 69 6e 64 65 78 4f 66 28 22 53 63 72 69 70 74 20 65 72 72 6f 72 22 29 3f 32 3a 30 29 29 3b 71 3d 6e 75 6c 6c 3b 6e 26 26 70 3e 3d 68 26 26 28 77 69 6e 64 6f 77 2e 6f 6e 65 72 72 6f 72 3d 6e 75 6c 6c 29 7d 3b 7d 29 28 29 3b 28 66 75 6e 63 74 69 6f 6e 28 29 7b 74 72 79 7b 2f 2a 0a 0a 20 43 6f 70 79 72 69 67 68 74 20 54 68 65 20 43 6c 6f 73 75 72 65 20 4c 69 62 72 61 72 79 20 41 75 74 68 6f 72 73 2e 0a 20 53 50 44 58 2d 4c 69 63 65 6e 73 65 2d 49 64 65 6e 74 69 66 69 65
                                                                                                  Data Ascii: .ml(a,!1,void 0,!1,"SyntaxError"===a.name||"SyntaxError"===a.message.substring(0,11)||0<a.message.indexOf("Script error")?2:0));q=null;n&&p>=h&&(window.onerror=null)};})();(function(){try{/* Copyright The Closure Library Authors. SPDX-License-Identifie
                                                                                                  2022-07-26 19:52:29 UTC73INData Raw: 76 61 72 20 76 3d 7b 7d 2c 6c 61 3d 7b 7d 2c 77 3d 5b 5d 2c 6d 61 3d 68 2e 62 28 22 30 2e 31 22 2c 2e 31 29 2c 6e 61 3d 68 2e 61 28 22 31 22 2c 21 30 29 2c 6f 61 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 77 2e 70 75 73 68 28 5b 61 2c 62 5d 29 7d 2c 70 61 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 76 5b 61 5d 3d 62 7d 2c 71 61 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 72 65 74 75 72 6e 20 61 20 69 6e 20 76 7d 2c 78 3d 7b 7d 2c 41 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 78 5b 61 5d 7c 7c 28 78 5b 61 5d 3d 5b 5d 29 3b 78 5b 61 5d 2e 70 75 73 68 28 62 29 7d 2c 42 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 41 28 22 6d 22 2c 61 29 7d 2c 72 61 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 76 61 72 20 63 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65
                                                                                                  Data Ascii: var v={},la={},w=[],ma=h.b("0.1",.1),na=h.a("1",!0),oa=function(a,b){w.push([a,b])},pa=function(a,b){v[a]=b},qa=function(a){return a in v},x={},A=function(a,b){x[a]||(x[a]=[]);x[a].push(b)},B=function(a){A("m",a)},ra=function(a,b){var c=document.createEle
                                                                                                  2022-07-26 19:52:29 UTC73INData Raw: 64 65 0d 0a 6e 61 6d 65 3d 22 2b 28 62 7c 7c 22 55 4e 4b 22 29 2b 22 20 75 72 6c 3d 22 2b 61 29 29 7d 29 3b 28 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 78 6a 73 63 22 29 7c 7c 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 22 62 6f 64 79 22 29 5b 30 5d 7c 7c 0a 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 22 68 65 61 64 22 29 5b 30 5d 29 2e 61 70 70 65 6e 64 43 68 69 6c 64 28 63 29 7d 2c 44 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 66 6f 72 28 76 61 72 20 62 3d 30 2c 63 3b 28 63 3d 77 5b 62 5d 29 26 26 63 5b 30 5d 21 3d 61 3b 2b 2b 62 29 3b 21 63 7c 7c 0d 0a
                                                                                                  Data Ascii: dename="+(b||"UNK")+" url="+a))});(document.getElementById("xjsc")||document.getElementsByTagName("body")[0]||document.getElementsByTagName("head")[0]).appendChild(c)},D=function(a){for(var b=0,c;(c=w[b])&&c[0]!=a;++b);!c||
                                                                                                  2022-07-26 19:52:29 UTC73INData Raw: 36 61 61 63 0d 0a 63 5b 31 5d 2e 6c 7c 7c 63 5b 31 5d 2e 73 7c 7c 28 63 5b 31 5d 2e 73 3d 21 30 2c 73 61 28 32 2c 61 29 2c 63 5b 31 5d 2e 75 72 6c 26 26 72 61 28 63 5b 31 5d 2e 75 72 6c 2c 61 29 2c 63 5b 31 5d 2e 6c 69 62 73 26 26 43 26 26 43 28 63 5b 31 5d 2e 6c 69 62 73 29 29 7d 2c 74 61 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 41 28 22 67 63 22 2c 61 29 7d 2c 75 61 3d 6e 75 6c 6c 2c 76 61 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 75 61 3d 61 7d 2c 73 61 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 2c 63 29 7b 69 66 28 75 61 29 7b 61 3d 7b 74 3a 61 2c 62 3a 62 7d 3b 69 66 28 63 29 66 6f 72 28 76 61 72 20 64 20 69 6e 20 63 29 61 5b 64 5d 3d 63 5b 64 5d 3b 74 72 79 7b 75 61 28 61 29 7d 63 61 74 63 68 28 66 29 7b 7d 7d 7d 3b 70 28 22 6d 64 63 22 2c 76 29 3b 70 28 22
                                                                                                  Data Ascii: 6aacc[1].l||c[1].s||(c[1].s=!0,sa(2,a),c[1].url&&ra(c[1].url,a),c[1].libs&&C&&C(c[1].libs))},ta=function(a){A("gc",a)},ua=null,va=function(a){ua=a},sa=function(a,b,c){if(ua){a={t:a,b:b};if(c)for(var d in c)a[d]=c[d];try{ua(a)}catch(f){}}};p("mdc",v);p("
                                                                                                  2022-07-26 19:52:29 UTC75INData Raw: 61 2c 68 6c 3a 22 64 65 22 7d 3b 76 2e 67 6c 3d 45 61 3b 77 61 3f 41 61 2e 6c 6f 61 64 7c 7c 70 28 22 6c 6f 61 64 22 2c 42 61 2c 41 61 29 3a 70 28 22 6c 6f 61 64 22 2c 42 61 2c 41 61 29 3b 70 28 22 64 67 6c 22 2c 42 61 29 3b 70 28 22 61 67 6c 22 2c 44 61 29 3b 68 2e 6f 3d 78 61 7d 3b 76 61 72 20 46 61 3d 68 2e 62 28 22 30 2e 31 22 2c 2e 30 30 31 29 2c 47 61 3d 30 3b 0a 66 75 6e 63 74 69 6f 6e 20 5f 6d 6c 54 6f 6b 65 6e 28 61 2c 62 29 7b 74 72 79 7b 69 66 28 31 3e 47 61 29 7b 47 61 2b 2b 3b 76 61 72 20 63 3d 61 3b 62 3d 62 7c 7c 7b 7d 3b 76 61 72 20 64 3d 65 6e 63 6f 64 65 55 52 49 43 6f 6d 70 6f 6e 65 6e 74 2c 66 3d 5b 22 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 67 65 6e 5f 32 30 34 3f 61 74 79 70 3d 69 26 7a 78 3d 22 2c 28 6e 65 77 20 44 61 74
                                                                                                  Data Ascii: a,hl:"de"};v.gl=Ea;wa?Aa.load||p("load",Ba,Aa):p("load",Ba,Aa);p("dgl",Ba);p("agl",Da);h.o=xa};var Fa=h.b("0.1",.001),Ga=0;function _mlToken(a,b){try{if(1>Ga){Ga++;var c=a;b=b||{};var d=encodeURIComponent,f=["//www.google.com/gen_204?atyp=i&zx=",(new Dat
                                                                                                  2022-07-26 19:52:29 UTC76INData Raw: 28 61 2c 62 29 7b 48 28 61 2c 62 29 3f 4b 28 61 2c 62 29 3a 4a 28 61 2c 62 29 7d 2c 4e 61 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 61 5b 62 5d 3d 66 75 6e 63 74 69 6f 6e 28 63 29 7b 76 61 72 20 64 3d 61 72 67 75 6d 65 6e 74 73 3b 67 2e 71 6d 28 66 75 6e 63 74 69 6f 6e 28 29 7b 61 5b 62 5d 2e 61 70 70 6c 79 28 74 68 69 73 2c 64 29 7d 29 7d 7d 2c 4f 61 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 61 3d 0a 5b 4c 61 3f 22 22 3a 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 73 74 61 74 69 63 2e 63 6f 6d 22 2c 22 2f 6f 67 2f 5f 2f 6a 73 2f 64 3d 31 2f 6b 3d 22 2c 22 6f 67 2e 6f 67 32 2e 65 6e 5f 55 53 2e 68 79 6a 56 6d 61 75 61 37 79 41 2e 4f 22 2c 22 2f 72 74 3d 6a 2f 6d 3d 22 2c 61 2c 22 2f 72 73 3d 22 2c 22 41 41 32 59 72 54 76 32 59 6d 4e 78 6b 6f 64 75 52 48 6c
                                                                                                  Data Ascii: (a,b){H(a,b)?K(a,b):J(a,b)},Na=function(a,b){a[b]=function(c){var d=arguments;g.qm(function(){a[b].apply(this,d)})}},Oa=function(a){a=[La?"":"https://www.gstatic.com","/og/_/js/d=1/k=","og.og2.en_US.hyjVmaua7yA.O","/rt=j/m=",a,"/rs=","AA2YrTv2YmNxkoduRHl
                                                                                                  2022-07-26 19:52:29 UTC77INData Raw: 74 65 28 22 61 72 69 61 2d 6f 77 6e 73 22 29 3b 69 66 28 64 2e 6c 65 6e 67 74 68 29 7b 76 61 72 20 66 3d 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 64 29 3b 69 66 28 66 29 7b 76 61 72 20 6b 3d 62 2e 70 61 72 65 6e 74 4e 6f 64 65 3b 69 66 28 4f 3d 3d 64 29 4f 3d 76 6f 69 64 20 30 2c 0a 4b 28 6b 2c 22 67 62 74 6f 22 29 3b 65 6c 73 65 7b 69 66 28 4f 29 7b 76 61 72 20 6d 3d 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 4f 29 3b 69 66 28 6d 26 26 6d 2e 67 65 74 41 74 74 72 69 62 75 74 65 29 7b 76 61 72 20 6e 3d 6d 2e 67 65 74 41 74 74 72 69 62 75 74 65 28 22 61 72 69 61 2d 6f 77 6e 65 72 22 29 3b 69 66 28 6e 2e 6c 65 6e 67 74 68 29 7b 76 61 72 20 6c 3d 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e
                                                                                                  Data Ascii: te("aria-owns");if(d.length){var f=document.getElementById(d);if(f){var k=b.parentNode;if(O==d)O=void 0,K(k,"gbto");else{if(O){var m=document.getElementById(O);if(m&&m.getAttribute){var n=m.getAttribute("aria-owner");if(n.length){var l=document.getElemen
                                                                                                  2022-07-26 19:52:29 UTC78INData Raw: 29 7c 7c 28 6c 3d 64 29 7d 62 72 65 61 6b 7d 30 3c 64 26 26 64 2b 31 3c 6e 26 26 64 2b 2b 7d 69 66 28 30 3c 3d 6c 29 7b 76 61 72 20 79 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 6c 69 22 29 2c 7a 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 64 69 76 22 29 3b 79 2e 63 6c 61 73 73 4e 61 6d 65 3d 22 67 62 6d 74 63 22 3b 7a 2e 63 6c 61 73 73 4e 61 6d 65 3d 22 67 62 6d 74 20 67 62 6d 68 22 3b 79 2e 61 70 70 65 6e 64 43 68 69 6c 64 28 7a 29 3b 6b 2e 69 6e 73 65 72 74 42 65 66 6f 72 65 28 79 2c 6b 2e 63 68 69 6c 64 4e 6f 64 65 73 5b 6c 5d 29 7d 67 2e 61 64 64 48 6f 76 65 72 26 26 67 2e 61 64 64 48 6f 76 65 72 28 61 29 7d 65 6c 73 65 20 6b 2e 61 70 70 65 6e 64 43 68 69 6c 64 28 6d 29 7d 7d 63 61 74 63
                                                                                                  Data Ascii: )||(l=d)}break}0<d&&d+1<n&&d++}if(0<=l){var y=document.createElement("li"),z=document.createElement("div");y.className="gbmtc";z.className="gbmt gbmh";y.appendChild(z);k.insertBefore(y,k.childNodes[l])}g.addHover&&g.addHover(a)}else k.appendChild(m)}}catc
                                                                                                  2022-07-26 19:52:29 UTC80INData Raw: 74 43 6f 6e 74 65 6e 74 3d 22 22 3b 62 3d 62 2e 73 70 6c 69 74 28 63 29 3b 63 3d 30 3b 66 6f 72 28 76 61 72 20 66 3b 66 3d 62 5b 63 5d 3b 63 2b 2b 29 7b 76 61 72 20 6b 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 64 69 76 22 29 3b 0a 6b 2e 69 6e 6e 65 72 48 54 4d 4c 3d 66 3b 64 2e 61 70 70 65 6e 64 43 68 69 6c 64 28 6b 29 7d 7d 65 6c 73 65 20 64 2e 69 6e 6e 65 72 48 54 4d 4c 3d 62 3b 51 28 61 2c 21 30 29 7d 7d 7d 2c 51 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 28 62 3d 76 6f 69 64 20 30 21 3d 3d 62 3f 62 3a 21 30 29 3f 4a 28 61 2c 22 67 62 6d 73 67 6f 22 29 3a 4b 28 61 2c 22 67 62 6d 73 67 6f 22 29 7d 2c 24 61 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 66 6f 72 28 76 61 72 20 62 3d 30 2c 63 3b 63 3d 61 2e 63 68 69 6c 64 4e 6f
                                                                                                  Data Ascii: tContent="";b=b.split(c);c=0;for(var f;f=b[c];c++){var k=document.createElement("div");k.innerHTML=f;d.appendChild(k)}}else d.innerHTML=b;Q(a,!0)}}},Q=function(a,b){(b=void 0!==b?b:!0)?J(a,"gbmsgo"):K(a,"gbmsgo")},$a=function(a){for(var b=0,c;c=a.childNo
                                                                                                  2022-07-26 19:52:29 UTC81INData Raw: 37 38 37 64 63 63 32 61 34 30 36 32 65 36 65 39 38 32 34 2e 6a 73 22 2c 6c 69 62 73 3a 22 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6c 69 65 6e 74 3a 67 61 70 69 2e 69 66 72 61 6d 65 73 22 7d 5d 29 3b 76 61 72 20 42 62 3d 7b 76 65 72 73 69 6f 6e 3a 22 67 63 69 5f 39 31 66 33 30 37 35 35 64 36 61 36 62 37 38 37 64 63 63 32 61 34 30 36 32 65 36 65 39 38 32 34 2e 6a 73 22 2c 69 6e 64 65 78 3a 22 22 2c 6c 61 6e 67 3a 22 64 65 22 7d 3b 76 2e 67 63 3d 42 62 3b 76 61 72 20 43 62 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 77 69 6e 64 6f 77 2e 67 6f 6f 67 6c 65 61 70 69 73 26 26 77 69 6e 64 6f 77 2e 69 66 72 61 6d 65 73 3f 61 26 26 61 28 29 3a 28 61 26 26 74 61 28 61 29 2c 44 28 22 67 63 22 29 29 7d 3b 70 28 22 6c 47 43 22 2c 43 62 29 3b 68 2e 61 28 22 31 22 29 26 26 70 28
                                                                                                  Data Ascii: 787dcc2a4062e6e9824.js",libs:"googleapis.client:gapi.iframes"}]);var Bb={version:"gci_91f30755d6a6b787dcc2a4062e6e9824.js",index:"",lang:"de"};v.gc=Bb;var Cb=function(a){window.googleapis&&window.iframes?a&&a():(a&&ta(a),D("gc"))};p("lGC",Cb);h.a("1")&&p(
                                                                                                  2022-07-26 19:52:29 UTC82INData Raw: 21 3d 6e 3f 6e 3a 22 22 7d 65 6c 73 65 20 6e 3d 22 22 3b 66 3d 28 6e 65 77 20 44 61 74 65 29 2e 67 65 74 54 69 6d 65 28 29 3b 6b 3d 64 28 22 32 38 38 33 34 22 29 3b 6d 3d 64 28 22 5f 55 58 67 59 74 6a 6b 4a 4a 6d 44 78 63 38 50 6e 74 73 37 22 29 3b 76 61 72 20 6c 3d 67 2e 62 76 2e 66 2c 71 3d 64 28 22 31 22 29 3b 6e 3d 64 28 6e 29 3b 63 3d 4d 61 74 68 2e 72 6f 75 6e 64 28 31 2f 63 29 3b 76 61 72 20 45 3d 64 28 22 34 36 31 35 31 31 30 38 39 2e 30 22 29 2c 55 3d 22 26 6f 67 67 76 3d 22 2b 64 28 22 65 73 5f 70 6c 75 73 6f 6e 65 5f 67 63 5f 32 30 32 32 30 36 30 37 2e 31 5f 70 30 22 29 2c 49 3d 64 28 22 63 6f 6d 22 29 2c 56 3d 64 28 22 64 65 22 29 2c 57 3d 0a 64 28 22 44 45 55 22 29 3b 76 61 72 20 79 3d 30 3b 68 2e 61 28 22 22 29 26 26 28 79 7c 3d 31 29 3b 68
                                                                                                  Data Ascii: !=n?n:""}else n="";f=(new Date).getTime();k=d("28834");m=d("_UXgYtjkJJmDxc8Pnts7");var l=g.bv.f,q=d("1");n=d(n);c=Math.round(1/c);var E=d("461511089.0"),U="&oggv="+d("es_plusone_gc_20220607.1_p0"),I=d("com"),V=d("de"),W=d("DEU");var y=0;h.a("")&&(y|=1);h
                                                                                                  2022-07-26 19:52:29 UTC84INData Raw: 6e 74 2e 63 6f 6d 2f 6f 67 77 2f 64 65 66 61 75 6c 74 2d 75 73 65 72 3d 73 32 34 22 7d 2c 0a 24 62 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 42 28 66 75 6e 63 74 69 6f 6e 28 29 7b 67 2e 73 70 64 28 29 7d 29 7d 3b 70 28 22 73 70 6e 22 2c 56 62 29 3b 70 28 22 73 70 70 22 2c 58 62 29 3b 70 28 22 73 70 73 22 2c 57 62 29 3b 70 28 22 73 70 64 22 2c 24 62 29 3b 70 28 22 70 61 61 22 2c 54 62 29 3b 70 28 22 70 72 6d 22 2c 55 62 29 3b 6d 62 28 22 67 62 64 34 22 2c 55 62 29 3b 0a 69 66 28 68 2e 61 28 22 22 29 29 7b 76 61 72 20 61 63 3d 7b 64 3a 68 2e 61 28 22 22 29 2c 65 3a 22 22 2c 73 61 6e 77 3a 68 2e 61 28 22 22 29 2c 70 3a 22 68 74 74 70 73 3a 2f 2f 6c 68 33 2e 67 6f 6f 67 6c 65 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 2f 6f 67 77 2f 64 65 66 61 75 6c 74 2d 75 73
                                                                                                  Data Ascii: nt.com/ogw/default-user=s24"},$b=function(){B(function(){g.spd()})};p("spn",Vb);p("spp",Xb);p("sps",Wb);p("spd",$b);p("paa",Tb);p("prm",Ub);mb("gbd4",Ub);if(h.a("")){var ac={d:h.a(""),e:"",sanw:h.a(""),p:"https://lh3.googleusercontent.com/ogw/default-us
                                                                                                  2022-07-26 19:52:29 UTC85INData Raw: 3d 31 3b 0a 76 61 72 20 6a 63 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 76 61 72 20 62 3d 21 31 3b 74 72 79 7b 62 3d 61 2e 63 6f 6f 6b 69 65 26 26 61 2e 63 6f 6f 6b 69 65 2e 6d 61 74 63 68 28 22 50 52 45 46 22 29 7d 63 61 74 63 68 28 63 29 7b 7d 72 65 74 75 72 6e 21 62 7d 2c 6b 63 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 74 72 79 7b 72 65 74 75 72 6e 21 21 65 2e 6c 6f 63 61 6c 53 74 6f 72 61 67 65 26 26 22 6f 62 6a 65 63 74 22 3d 3d 74 79 70 65 6f 66 20 65 2e 6c 6f 63 61 6c 53 74 6f 72 61 67 65 7d 63 61 74 63 68 28 61 29 7b 72 65 74 75 72 6e 21 31 7d 7d 2c 6c 63 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 72 65 74 75 72 6e 20 61 26 26 61 2e 73 74 79 6c 65 26 26 61 2e 73 74 79 6c 65 2e 62 65 68 61 76 69 6f 72 26 26 22 75 6e 64 65 66 69 6e 65 64 22 21 3d 74 79 70 65 6f
                                                                                                  Data Ascii: =1;var jc=function(a){var b=!1;try{b=a.cookie&&a.cookie.match("PREF")}catch(c){}return!b},kc=function(){try{return!!e.localStorage&&"object"==typeof e.localStorage}catch(a){return!1}},lc=function(a){return a&&a.style&&a.style.behavior&&"undefined"!=typeo
                                                                                                  2022-07-26 19:52:29 UTC86INData Raw: 28 74 68 69 73 2c 64 29 7d 29 7d 7d 3b 5a 28 67 2e 75 70 2c 22 73 6c 22 29 3b 5a 28 67 2e 75 70 2c 22 73 69 22 29 3b 5a 28 67 2e 75 70 2c 22 73 70 6c 22 29 3b 5a 28 67 2e 75 70 2c 22 64 70 63 22 29 3b 5a 28 67 2e 75 70 2c 22 69 69 63 22 29 3b 67 2e 6d 63 66 28 22 75 70 22 2c 7b 73 70 3a 68 2e 62 28 22 30 2e 30 31 22 2c 31 29 2c 74 6c 64 3a 22 64 65 22 2c 70 72 69 64 3a 22 31 22 7d 29 3b 66 75 6e 63 74 69 6f 6e 20 72 63 28 29 7b 66 75 6e 63 74 69 6f 6e 20 61 28 29 7b 66 6f 72 28 76 61 72 20 6c 3b 28 6c 3d 6b 5b 6d 2b 2b 5d 29 26 26 22 6d 22 21 3d 6c 5b 30 5d 26 26 21 6c 5b 31 5d 2e 61 75 74 6f 3b 29 3b 6c 26 26 28 73 61 28 32 2c 6c 5b 30 5d 29 2c 6c 5b 31 5d 2e 75 72 6c 26 26 72 61 28 6c 5b 31 5d 2e 75 72 6c 2c 6c 5b 30 5d 29 2c 6c 5b 31 5d 2e 6c 69 62 73
                                                                                                  Data Ascii: (this,d)})}};Z(g.up,"sl");Z(g.up,"si");Z(g.up,"spl");Z(g.up,"dpc");Z(g.up,"iic");g.mcf("up",{sp:h.b("0.01",1),tld:"de",prid:"1"});function rc(){function a(){for(var l;(l=k[m++])&&"m"!=l[0]&&!l[1].auto;);l&&(sa(2,l[0]),l[1].url&&ra(l[1].url,l[0]),l[1].libs
                                                                                                  2022-07-26 19:52:29 UTC87INData Raw: 6f 67 67 65 72 26 26 67 62 61 72 2e 6c 6f 67 67 65 72 2e 6d 6c 28 65 2c 7b 22 5f 73 6e 22 3a 22 63 66 67 2e 69 6e 69 74 22 7d 29 3b 7d 7d 29 28 29 3b 0a 28 66 75 6e 63 74 69 6f 6e 28 29 7b 74 72 79 7b 2f 2a 0a 0a 20 43 6f 70 79 72 69 67 68 74 20 54 68 65 20 43 6c 6f 73 75 72 65 20 4c 69 62 72 61 72 79 20 41 75 74 68 6f 72 73 2e 0a 20 53 50 44 58 2d 4c 69 63 65 6e 73 65 2d 49 64 65 6e 74 69 66 69 65 72 3a 20 41 70 61 63 68 65 2d 32 2e 30 0a 2a 2f 0a 76 61 72 20 64 3d 77 69 6e 64 6f 77 2e 67 62 61 72 2e 69 2e 69 3b 76 61 72 20 65 3d 77 69 6e 64 6f 77 2e 67 62 61 72 3b 76 61 72 20 66 3d 65 2e 69 3b 76 61 72 20 67 3d 66 2e 63 28 22 31 22 2c 30 29 2c 68 3d 2f 5c 62 67 62 6d 74 5c 62 2f 2c 6b 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 74 72 79 7b 76 61 72 20 62 3d
                                                                                                  Data Ascii: ogger&&gbar.logger.ml(e,{"_sn":"cfg.init"});}})();(function(){try{/* Copyright The Closure Library Authors. SPDX-License-Identifier: Apache-2.0*/var d=window.gbar.i.i;var e=window.gbar;var f=e.i;var g=f.c("1",0),h=/\bgbmt\b/,k=function(a){try{var b=
                                                                                                  2022-07-26 19:52:29 UTC89INData Raw: 22 29 2c 0a 73 6e 69 64 3a 65 28 22 32 38 38 33 34 22 29 2c 74 6f 3a 65 28 22 33 30 30 30 30 30 22 29 2c 75 3a 65 28 22 22 29 2c 76 66 3a 22 2e 36 36 2e 22 7d 2c 67 3d 66 2c 68 3d 5b 22 62 6e 64 63 66 67 22 5d 2c 6b 3d 61 3b 68 5b 30 5d 69 6e 20 6b 7c 7c 22 75 6e 64 65 66 69 6e 65 64 22 3d 3d 74 79 70 65 6f 66 20 6b 2e 65 78 65 63 53 63 72 69 70 74 7c 7c 6b 2e 65 78 65 63 53 63 72 69 70 74 28 22 76 61 72 20 22 2b 68 5b 30 5d 29 3b 66 6f 72 28 76 61 72 20 6c 3b 68 2e 6c 65 6e 67 74 68 26 26 28 6c 3d 68 2e 73 68 69 66 74 28 29 29 3b 29 68 2e 6c 65 6e 67 74 68 7c 7c 76 6f 69 64 20 30 3d 3d 3d 67 3f 6b 3d 6b 5b 6c 5d 26 26 6b 5b 6c 5d 21 3d 3d 4f 62 6a 65 63 74 2e 70 72 6f 74 6f 74 79 70 65 5b 6c 5d 3f 6b 5b 6c 5d 3a 6b 5b 6c 5d 3d 7b 7d 3a 6b 5b 6c 5d 3d 67
                                                                                                  Data Ascii: "),snid:e("28834"),to:e("300000"),u:e(""),vf:".66."},g=f,h=["bndcfg"],k=a;h[0]in k||"undefined"==typeof k.execScript||k.execScript("var "+h[0]);for(var l;h.length&&(l=h.shift());)h.length||void 0===g?k=k[l]&&k[l]!==Object.prototype[l]?k[l]:k[l]={}:k[l]=g
                                                                                                  2022-07-26 19:52:29 UTC90INData Raw: 62 32 3e 3c 2f 73 70 61 6e 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 67 62 74 73 3e 42 69 6c 64 65 72 3c 2f 73 70 61 6e 3e 3c 2f 61 3e 3c 2f 6c 69 3e 3c 6c 69 20 63 6c 61 73 73 3d 67 62 74 3e 3c 61 20 63 6c 61 73 73 3d 67 62 7a 74 20 69 64 3d 67 62 5f 38 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 6d 61 70 73 2e 67 6f 6f 67 6c 65 2e 64 65 2f 6d 61 70 73 3f 68 6c 3d 64 65 26 74 61 62 3d 77 6c 22 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 67 62 74 62 32 3e 3c 2f 73 70 61 6e 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 67 62 74 73 3e 4d 61 70 73 3c 2f 73 70 61 6e 3e 3c 2f 61 3e 3c 2f 6c 69 3e 3c 6c 69 20 63 6c 61 73 73 3d 67 62 74 3e 3c 61 20 63 6c 61 73 73 3d 67 62 7a 74 20 69 64 3d 67 62 5f 37 38 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 70 6c 61 79 2e 67 6f 6f 67
                                                                                                  Data Ascii: b2></span><span class=gbts>Bilder</span></a></li><li class=gbt><a class=gbzt id=gb_8 href="https://maps.google.de/maps?hl=de&tab=wl"><span class=gbtb2></span><span class=gbts>Maps</span></a></li><li class=gbt><a class=gbzt id=gb_78 href="https://play.goog
                                                                                                  2022-07-26 19:52:29 UTC91INData Raw: 29 3b 20 7d 29 3b 3c 2f 73 63 72 69 70 74 3e 3c 64 69 76 20 63 6c 61 73 73 3d 67 62 6d 20 69 64 3d 67 62 64 20 61 72 69 61 2d 6f 77 6e 65 72 3d 67 62 7a 74 6d 3e 3c 64 69 76 20 69 64 3d 67 62 6d 6d 62 20 63 6c 61 73 73 3d 22 67 62 6d 63 20 67 62 73 62 20 67 62 73 62 69 73 22 3e 3c 6f 6c 20 69 64 3d 67 62 6d 6d 20 63 6c 61 73 73 3d 22 67 62 6d 63 63 20 67 62 73 62 69 63 22 3e 3c 6c 69 20 63 6c 61 73 73 3d 67 62 6d 74 63 3e 3c 61 20 63 6c 61 73 73 3d 67 62 6d 74 20 69 64 3d 67 62 5f 32 34 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 61 6c 65 6e 64 61 72 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 63 61 6c 65 6e 64 61 72 3f 74 61 62 3d 77 63 22 3e 4b 61 6c 65 6e 64 65 72 3c 2f 61 3e 3c 2f 6c 69 3e 3c 6c 69 20 63 6c 61 73 73 3d 67 62 6d 74 63 3e 3c 61 20 63 6c 61
                                                                                                  Data Ascii: ); });</script><div class=gbm id=gbd aria-owner=gbztm><div id=gbmmb class="gbmc gbsb gbsbis"><ol id=gbmm class="gbmcc gbsbic"><li class=gbmtc><a class=gbmt id=gb_24 href="https://calendar.google.com/calendar?tab=wc">Kalender</a></li><li class=gbmtc><a cla
                                                                                                  2022-07-26 19:52:29 UTC92INData Raw: 74 4c 69 73 74 65 6e 65 72 28 27 63 6c 69 63 6b 27 2c 20 66 75 6e 63 74 69 6f 6e 20 63 6c 69 63 6b 48 61 6e 64 6c 65 72 28 29 20 7b 20 67 62 61 72 2e 6c 6f 67 67 65 72 2e 69 6c 28 31 2c 7b 74 3a 36 36 7d 29 3b 3b 20 7d 29 3b 3c 2f 73 63 72 69 70 74 3e 3c 2f 6c 69 3e 3c 2f 6f 6c 3e 3c 64 69 76 20 63 6c 61 73 73 3d 67 62 73 62 74 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 63 6c 61 73 73 3d 67 62 73 62 62 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 6c 69 3e 3c 2f 6f 6c 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 69 64 3d 67 62 67 3e 3c 68 32 20 63 6c 61 73 73 3d 67 62 78 78 3e 41 63 63 6f 75 6e 74 20 4f 70 74 69 6f 6e 73 3c 2f 68 32 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 67 62 74 63 62 3e 3c 2f 73 70 61 6e 3e 3c 6f 6c 20 63 6c 61 73 73 3d 67 62 74 63 3e
                                                                                                  Data Ascii: tListener('click', function clickHandler() { gbar.logger.il(1,{t:66});; });</script></li></ol><div class=gbsbt></div><div class=gbsbb></div></div></div></li></ol></div><div id=gbg><h2 class=gbxx>Account Options</h2><span class=gbtcb></span><ol class=gbtc>
                                                                                                  2022-07-26 19:52:29 UTC94INData Raw: 69 76 3e 3c 2f 64 69 76 3e 3c 2f 6c 69 3e 3c 2f 6f 6c 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 69 64 3d 67 62 78 33 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 69 64 3d 67 62 78 34 3e 3c 2f 64 69 76 3e 3c 73 63 72 69 70 74 20 6e 6f 6e 63 65 3d 27 6c 41 56 42 49 34 71 6e 50 67 54 6a 6e 5a 41 7a 32 31 79 4d 65 67 27 3e 77 69 6e 64 6f 77 2e 67 62 61 72 26 26 67 62 61 72 2e 65 6c 70 26 26 67 62 61 72 2e 65 6c 70 28 29 3c 2f 73 63 72 69 70 74 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 63 65 6e 74 65 72 3e 3c 62 72 20 63 6c 65 61 72 3d 22 61 6c 6c 22 20 69 64 3d 22 6c 67 70 64 22 3e 3c 64 69 76 20 69 64 3d 22 6c 67 61 22 3e 3c 61 20 68 72 65 66 3d 22 2f 73 65 61 72 63 68 3f 69 65 3d 55 54 46 2d 38 26 61 6d 70 3b 71 3d 53 74 65 65 6c 2b 50 61 6e 26 61 6d 70
                                                                                                  Data Ascii: iv></div></li></ol></div></div><div id=gbx3></div><div id=gbx4></div><script nonce='lAVBI4qnPgTjnZAz21yMeg'>window.gbar&&gbar.elp&&gbar.elp()</script></div></div><center><br clear="all" id="lgpd"><div id="lga"><a href="/search?ie=UTF-8&amp;q=Steel+Pan&amp
                                                                                                  2022-07-26 19:52:29 UTC95INData Raw: 61 6e 20 63 6c 61 73 73 3d 22 6c 73 62 62 22 3e 3c 69 6e 70 75 74 20 63 6c 61 73 73 3d 22 6c 73 62 22 20 76 61 6c 75 65 3d 22 47 6f 6f 67 6c 65 20 53 75 63 68 65 22 20 6e 61 6d 65 3d 22 62 74 6e 47 22 20 74 79 70 65 3d 22 73 75 62 6d 69 74 22 3e 3c 2f 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 64 73 22 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 6c 73 62 62 22 3e 3c 69 6e 70 75 74 20 63 6c 61 73 73 3d 22 6c 73 62 22 20 69 64 3d 22 74 73 75 69 64 31 22 20 76 61 6c 75 65 3d 22 41 75 66 20 67 75 74 20 47 6c fc 63 6b 21 22 20 6e 61 6d 65 3d 22 62 74 6e 49 22 20 74 79 70 65 3d 22 73 75 62 6d 69 74 22 3e 3c 73 63 72 69 70 74 20 6e 6f 6e 63 65 3d 22 6c 41 56 42 49 34 71 6e 50 67 54 6a 6e 5a 41 7a 32 31 79 4d 65 67 22 3e 28 66 75 6e
                                                                                                  Data Ascii: an class="lsbb"><input class="lsb" value="Google Suche" name="btnG" type="submit"></span></span><span class="ds"><span class="lsbb"><input class="lsb" id="tsuid1" value="Auf gut Glück!" name="btnI" type="submit"><script nonce="lAVBI4qnPgTjnZAz21yMeg">(fun
                                                                                                  2022-07-26 19:52:29 UTC96INData Raw: 3e 3c 2f 66 6f 72 6d 3e 3c 64 69 76 20 69 64 3d 22 67 61 63 5f 73 63 6f 6e 74 22 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 38 33 25 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 33 2e 35 65 6d 22 3e 3c 62 72 3e 3c 2f 64 69 76 3e 3c 73 70 61 6e 20 69 64 3d 22 66 6f 6f 74 65 72 22 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 31 30 70 74 22 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 31 39 70 78 20 61 75 74 6f 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 22 20 69 64 3d 22 57 71 51 41 4e 62 22 3e 3c 61 20 68 72 65 66 3d 22 2f 69 6e 74 6c 2f 64 65 2f 61 64 73 2f 22 3e 57 65 72 62 65 6e 20 6d 69 74 20 47 6f 6f 67 6c 65 3c 2f 61 3e 3c 61 20 68 72 65 66 3d 22 2f 73 65 72 76 69 63
                                                                                                  Data Ascii: ></form><div id="gac_scont"></div><div style="font-size:83%;min-height:3.5em"><br></div><span id="footer"><div style="font-size:10pt"><div style="margin:19px auto;text-align:center" id="WqQANb"><a href="/intl/de/ads/">Werben mit Google</a><a href="/servic
                                                                                                  2022-07-26 19:52:29 UTC98INData Raw: 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 20 75 3d 27 2f 78 6a 73 2f 5f 2f 6a 73 2f 6b 5c 78 33 64 78 6a 73 2e 68 70 2e 65 6e 2e 45 64 2d 6e 4d 73 6a 61 37 64 63 2e 4f 2f 61 6d 5c 78 33 64 41 4d 41 54 41 49 41 45 41 45 67 2f 64 5c 78 33 64 31 2f 65 64 5c 78 33 64 31 2f 72 73 5c 78 33 64 41 43 54 39 30 6f 45 71 59 63 78 37 44 65 5a 6e 41 7a 68 7a 75 36 45 6b 48 42 49 66 4e 42 2d 67 78 67 2f 6d 5c 78 33 64 73 62 5f 68 65 2c 64 27 3b 0a 76 61 72 20 64 3d 74 68 69 73 7c 7c 73 65 6c 66 2c 65 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 72 65 74 75 72 6e 20 61 7d 3b 0a 76 61 72 20 67 3b 76 61 72 20 6c 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 74 68 69 73 2e 67 3d 62 3d 3d 3d 68 3f 61 3a 22 22 7d 3b 6c 2e 70 72 6f 74 6f 74 79 70 65 2e 74 6f 53 74 72 69 6e 67 3d 66
                                                                                                  Data Ascii: function(){var u='/xjs/_/js/k\x3dxjs.hp.en.Ed-nMsja7dc.O/am\x3dAMATAIAEAEg/d\x3d1/ed\x3d1/rs\x3dACT90oEqYcx7DeZnAzhzu6EkHBIfNB-gxg/m\x3dsb_he,d';var d=this||self,e=function(a){return a};var g;var l=function(a,b){this.g=b===h?a:""};l.prototype.toString=f
                                                                                                  2022-07-26 19:52:29 UTC99INData Raw: 7b 61 74 74 6e 3a 66 61 6c 73 65 2c 62 6c 74 3a 27 6e 6f 6e 65 27 2c 63 68 6e 6b 3a 30 2c 64 77 3a 66 61 6c 73 65 2c 64 77 75 3a 74 72 75 65 2c 65 6d 74 6e 3a 30 2c 65 6e 64 3a 30 2c 69 6e 65 3a 66 61 6c 73 65 2c 69 6e 6a 73 3a 27 6e 6f 6e 65 27 2c 69 6e 6a 74 3a 30 2c 69 6e 6a 74 68 3a 30 2c 69 6e 6a 76 32 3a 66 61 6c 73 65 2c 6c 6c 73 3a 27 64 65 66 61 75 6c 74 27 2c 70 64 74 3a 30 2c 72 65 70 3a 30 2c 73 6e 65 74 3a 74 72 75 65 2c 73 74 72 74 3a 30 2c 75 62 6d 3a 66 61 6c 73 65 2c 75 77 70 3a 74 72 75 65 7d 3b 7d 29 28 29 3b 28 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 20 70 6d 63 3d 27 7b 5c 78 32 32 64 5c 78 32 32 3a 7b 7d 2c 5c 78 32 32 73 62 5f 68 65 5c 78 32 32 3a 7b 5c 78 32 32 61 67 65 6e 5c 78 32 32 3a 74 72 75 65 2c 5c 78 32 32 63 67 65 6e 5c
                                                                                                  Data Ascii: {attn:false,blt:'none',chnk:0,dw:false,dwu:true,emtn:0,end:0,ine:false,injs:'none',injt:0,injth:0,injv2:false,lls:'default',pdt:0,rep:0,snet:true,strt:0,ubm:false,uwp:true};})();(function(){var pmc='{\x22d\x22:{},\x22sb_he\x22:{\x22agen\x22:true,\x22cgen\
                                                                                                  2022-07-26 19:52:29 UTC100INData Raw: 30 0d 0a 0d 0a
                                                                                                  Data Ascii: 0

                                                                                                  Target ID:0
                                                                                                  Start time:21:52:08
                                                                                                  Start date:26/07/2022
                                                                                                  Path:C:\Users\user\Desktop\D6GEVBNNH11111.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:"C:\Users\user\Desktop\D6GEVBNNH11111.exe"
                                                                                                  Imagebase:0xb20000
                                                                                                  File size:640512 bytes
                                                                                                  MD5 hash:9CEF8265C679BAFB06F885678CEAB7BD
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:.Net C# or VB.NET
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.456920390.000000000491D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.456920390.000000000491D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.456040536.0000000004817000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.456040536.0000000004817000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  Reputation:low

                                                                                                  Target ID:6
                                                                                                  Start time:21:52:26
                                                                                                  Start date:26/07/2022
                                                                                                  Path:C:\Users\user\AppData\Local\Temp\geater.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:"C:\Users\user\AppData\Local\Temp\geater.exe"
                                                                                                  Imagebase:0xb20000
                                                                                                  File size:640512 bytes
                                                                                                  MD5 hash:9CEF8265C679BAFB06F885678CEAB7BD
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:.Net C# or VB.NET
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.668565825.00000000046A6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000006.00000002.668565825.00000000046A6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.667459782.000000000464C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000006.00000002.667459782.000000000464C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.671650352.00000000047AD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000006.00000002.671650352.00000000047AD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  Reputation:low

                                                                                                  Target ID:15
                                                                                                  Start time:21:53:19
                                                                                                  Start date:26/07/2022
                                                                                                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                  Imagebase:0x760000
                                                                                                  File size:41064 bytes
                                                                                                  MD5 hash:EFEC8C379D165E3F33B536739AEE26A3
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:.Net C# or VB.NET
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000000.561341870.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000F.00000000.561341870.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000000.561888828.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000F.00000000.561888828.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000002.682815690.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000F.00000002.682815690.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000000.562345029.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000F.00000000.562345029.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000000.560518912.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000F.00000000.560518912.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000002.686918576.0000000002A21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000F.00000002.686918576.0000000002A21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  Reputation:high


                                                                                                    Execution Graph

                                                                                                    Execution Coverage:7.9%
                                                                                                    Dynamic/Decrypted Code Coverage:100%
                                                                                                    Signature Coverage:0%
                                                                                                    Total number of Nodes:3
                                                                                                    Total number of Limit Nodes:0
                                                                                                    execution_graph: node 20278 (d84e2e0) -> node 20279 (d84e326, DeleteFileW) -> node 20281 (d84e35f)

                                                                                                    Control-flow Graph

                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.450309934.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2df0000_D6GEVBNNH11111.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: xPl$j
                                                                                                    • API String ID: 0-2640170749
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Control-flow Graph

                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.450309934.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2df0000_D6GEVBNNH11111.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: xPl$j
                                                                                                    • API String ID: 0-2640170749
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Control-flow Graph

                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.450309934.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2df0000_D6GEVBNNH11111.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: xPl$xPl
                                                                                                    • API String ID: 0-2545977913
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Control-flow Graph

                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.450309934.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2df0000_D6GEVBNNH11111.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: xPl$xPl
                                                                                                    • API String ID: 0-2545977913
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Control-flow Graph

                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.450309934.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2df0000_D6GEVBNNH11111.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: xPl$j
                                                                                                    • API String ID: 0-2640170749
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Control-flow Graph

                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.450309934.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2df0000_D6GEVBNNH11111.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: xPl$xPl
                                                                                                    • API String ID: 0-2545977913
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Control-flow Graph

                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.464628430.000000000D840000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D840000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_d840000_D6GEVBNNH11111.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: okf1$X)
                                                                                                    • API String ID: 0-2044481213
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Control-flow Graph

                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.450309934.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2df0000_D6GEVBNNH11111.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: \?]"
                                                                                                    • API String ID: 0-1440591702
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000000.00000002.450309934.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2df0000_D6GEVBNNH11111.jbxd
Similarity
• API ID:
• String ID: \?]"
• API String ID: 0-1440591702
• Opcode ID: 4b0b18e653c96c2fe6437d5b15a5fd5f4fbae6e00b3b4f4d5ad00c071a432187
• Instruction ID: edd5d4cd02e23d4d48eb541df25ec645ec67c62ec5e1c1db8d2073ca3eb2f4df
• Opcode Fuzzy Hash: 4b0b18e653c96c2fe6437d5b15a5fd5f4fbae6e00b3b4f4d5ad00c071a432187
• Instruction Fuzzy Hash: 2B81C274E012098FDB48CFA9C8446EEFBB2EF88301F20842AD519BB359D7749946CF54
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

Function starting at 2df11d0 (graph rendering omitted): the graph contains no call edges.
Strings
Memory Dump Source
• Source File: 00000000.00000002.450309934.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2df0000_D6GEVBNNH11111.jbxd
Similarity
• API ID:
• String ID: &xP
• API String ID: 0-2601687342
• Opcode ID: edfd1263514bbb82e4e4c2d4821fcb942a110050ef3a9cb2e042d5aebfacc34c
• Instruction ID: 86a15873b618b43003db22e689f053fb6f7546d5261228c8b0664df964f74d48
• Opcode Fuzzy Hash: edfd1263514bbb82e4e4c2d4821fcb942a110050ef3a9cb2e042d5aebfacc34c
• Instruction Fuzzy Hash: B1311871E046588BDB18CFAAD9453DEBBB2AF89304F15C06AD908AA254DB341946CF50
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.464628430.000000000D840000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D840000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d840000_D6GEVBNNH11111.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cc089f6917164e6afc96676fb85b8607c12545412552a23a0beb77bca9fc2e3c
• Instruction ID: f59025caca4e831db0e1c8e280ad6efacbfc765c119cc85d15e042b85576229e
• Opcode Fuzzy Hash: cc089f6917164e6afc96676fb85b8607c12545412552a23a0beb77bca9fc2e3c
• Instruction Fuzzy Hash: CA610474E0120DDFCB05CFA9C544AAEBBB2BF89304F20C52AE415AB364DB349A45CF51
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.450309934.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2df0000_D6GEVBNNH11111.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6fa9664c359cad008f57593ad319c7c9120b9cf6fcf2a86973ec27601fdf106b
• Instruction ID: 08a33fca523c777266a4915603e6aeafd8e796138bf993e0984aecabce73adbf
• Opcode Fuzzy Hash: 6fa9664c359cad008f57593ad319c7c9120b9cf6fcf2a86973ec27601fdf106b
• Instruction Fuzzy Hash: 83518E70E05219CFCB48CFAAC4445AEFBF2EF89201F15D46AD555AB356D7348A01CF98
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.464628430.000000000D840000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D840000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d840000_D6GEVBNNH11111.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7cbf55c6ab44fba7f9c110fed73fdf800824c8f33ed57755a9ce9c79f90852f7
• Instruction ID: 3feb0388356f4cc9e86e29e6a2682319274a509f898f7533632bf6028b3d9170
• Opcode Fuzzy Hash: 7cbf55c6ab44fba7f9c110fed73fdf800824c8f33ed57755a9ce9c79f90852f7
• Instruction Fuzzy Hash: 6861D374E01209DFCB09CFA9D585AAEFBB2BF89304F24C42AE415A7364DB349A45CF51
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.464628430.000000000D840000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D840000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d840000_D6GEVBNNH11111.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5e5e2f9c40dff9faeb77247ac76ed7e3d0644bc9c56cdd308d81dab1d03d6539
• Instruction ID: 6435e7abe70249d6d2e8bb9675837a4d3d47eac27153b870f8ae49d9599b9307
• Opcode Fuzzy Hash: 5e5e2f9c40dff9faeb77247ac76ed7e3d0644bc9c56cdd308d81dab1d03d6539
• Instruction Fuzzy Hash: A22180B5E006188BEB58CFABC94429EFAF7BFC8304F14C46AD918A7214EB7456468F50
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.450309934.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2df0000_D6GEVBNNH11111.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f49fbddf6a07d69cb4e6c0b9f669613db6c8cc077f6880f5c1dbc240691f761a
• Instruction ID: 6dc89509889ac3e08c52ab492a62cc73170905cc829ab35cff4ffe228d76f1f6
• Opcode Fuzzy Hash: f49fbddf6a07d69cb4e6c0b9f669613db6c8cc077f6880f5c1dbc240691f761a
• Instruction Fuzzy Hash: 6E21AA71E056188BEB58DF6BD84069EFAF7ABC8200F05C57AC508A6254DB301956CF55
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.464628430.000000000D840000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D840000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d840000_D6GEVBNNH11111.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 953e416a129446bac05e5d21703312b0b94a44e3021eeda7e0203f74cf9b3110
• Instruction ID: 07e02fd1a0801c647ae28102a2781e8cfa068c685268f3c0d8a76b5064d5e7dd
• Opcode Fuzzy Hash: 953e416a129446bac05e5d21703312b0b94a44e3021eeda7e0203f74cf9b3110
• Instruction Fuzzy Hash: DE21B3B5E006188BEB58CFABC94439EFAF3BFC8300F18C46AD808A7215EB3455468F50
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

Function starting at d84e2d8 (graph rendering omitted): one call to DeleteFileW, in the block d84e332-d84e35d.
APIs
• DeleteFileW.KERNEL32(00000000), ref: 0D84E350
Memory Dump Source
• Source File: 00000000.00000002.464628430.000000000D840000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D840000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d840000_D6GEVBNNH11111.jbxd
Similarity
• API ID: DeleteFile
• String ID:
• API String ID: 4033686569-0
• Opcode ID: 5f440d92837eb3041492eb856a34035d313bb6e1c1128922eb7896645434964f
• Instruction ID: c2d7b0570de959758e23be4922148d41527f6ca70eaee0f7274ba2eefc2439d1
• Opcode Fuzzy Hash: 5f440d92837eb3041492eb856a34035d313bb6e1c1128922eb7896645434964f
• Instruction Fuzzy Hash: AC2147B5C0061A8BCB10CF9AC4447DEFBB4BB48720F05812AE818B7640D738A945CFA1
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

Function starting at d84e2e0 (graph rendering omitted): one call to DeleteFileW, in the block d84e332-d84e35d.
APIs
• DeleteFileW.KERNEL32(00000000), ref: 0D84E350
Memory Dump Source
• Source File: 00000000.00000002.464628430.000000000D840000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D840000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d840000_D6GEVBNNH11111.jbxd
Similarity
• API ID: DeleteFile
• String ID:
• API String ID: 4033686569-0
• Opcode ID: cad24b21b916eee3ec849d86b74813c4734aa992129f955573ae05c8200e91de
• Instruction ID: d6868d6aa5c8da5ceff086c70bfa462f98f740d7b7109cc59d5825aa8b6feca8
• Opcode Fuzzy Hash: cad24b21b916eee3ec849d86b74813c4734aa992129f955573ae05c8200e91de
• Instruction Fuzzy Hash: E71106B5C0061A9BCB14CF9AC444BEEFBB4BF48724F15812AE819B7740D738A945CFA5
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.448351447.0000000000FED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FED000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fed000_D6GEVBNNH11111.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: aeb7445d833ca73ac647eb9e77d017c2c539bbf9c6318bd9e5d6ac64624bcb0d
• Instruction ID: bde54c81e68c2b8e35bc8ca87f03c186acdca620316b15250844df0458b02ed0
• Opcode Fuzzy Hash: aeb7445d833ca73ac647eb9e77d017c2c539bbf9c6318bd9e5d6ac64624bcb0d
• Instruction Fuzzy Hash: 50213D72504284DFCB04DF10D9C0F16BB66FBA8324F24C56DE9054B696C336E846D7A2
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.448351447.0000000000FED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FED000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fed000_D6GEVBNNH11111.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 44e339929160e52a0cc48added87b92dcff0c35d483333cacd06dd9e6dd42b80
• Instruction ID: 731ee576630d447a7d3981d5e87a77d301b7beeac58063b06df3ccfadd834453
• Opcode Fuzzy Hash: 44e339929160e52a0cc48added87b92dcff0c35d483333cacd06dd9e6dd42b80
• Instruction Fuzzy Hash: E3216AB2904384DFCB15CF10D9C0F26BF65FB98328F28856DE9090B656C336D846EBA1
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.448438523.0000000000FFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FFD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ffd000_D6GEVBNNH11111.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 314fa06a1d239b70f17c4f7c0a18d720cf4ffaacc0540ba170281c490af72f02
• Instruction ID: 622399712e0d3be7e8bbc3964385d3ecc47f6a9fb8bf845069771165e81a6ad9
• Opcode Fuzzy Hash: 314fa06a1d239b70f17c4f7c0a18d720cf4ffaacc0540ba170281c490af72f02
• Instruction Fuzzy Hash: E821B6B1504248DFDB05CF50D5C4B25BB66FF84324F24C56DDA094B266C376D846DBA1
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.448438523.0000000000FFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FFD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ffd000_D6GEVBNNH11111.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 25b66d5ada457c2c1c63b034fb41723bb5cd602806fe4f59266a4b51dd33ea64
• Instruction ID: 7c9c3c325e84c67432e52c8fbe3dd41e57f143b763e6352ee1a7d499dd52ff12
• Opcode Fuzzy Hash: 25b66d5ada457c2c1c63b034fb41723bb5cd602806fe4f59266a4b51dd33ea64
• Instruction Fuzzy Hash: 8D21D672508248DFDB14DF10D9C4B26BB66FF84324F24C56DDA094B26ACB36D846DB61
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.448438523.0000000000FFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FFD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ffd000_D6GEVBNNH11111.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a4ea957731965e09812f5e9192bd9adec2aa579e436ee2fb17b761a0b15411f2
• Instruction ID: 5329d46a340fc8d17a3ee09d6216d8562b78da876c9f6557053c5450c6bd2918
• Opcode Fuzzy Hash: a4ea957731965e09812f5e9192bd9adec2aa579e436ee2fb17b761a0b15411f2
• Instruction Fuzzy Hash: FC217C7550D3C48FDB038B20C890B11BF71AF46214F2981DBD9888F2A7C23A980ACB62
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.448351447.0000000000FED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FED000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_fed000_D6GEVBNNH11111.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 5420d5305238894590119742960248a75d15a15b8639eb191e66ac764d8702b8
                                                                                                    • Instruction ID: b961d5b78bade35b864bc1a401294936d127d56150ec04b76f23f732d08def4d
                                                                                                    • Opcode Fuzzy Hash: 5420d5305238894590119742960248a75d15a15b8639eb191e66ac764d8702b8
                                                                                                    • Instruction Fuzzy Hash: A411E676804280DFCF05CF10D5C4B16BF72FB94324F28C6A9D8450BA56C33AE856DBA2
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.448351447.0000000000FED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FED000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_fed000_D6GEVBNNH11111.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 5420d5305238894590119742960248a75d15a15b8639eb191e66ac764d8702b8
                                                                                                    • Instruction ID: 658a1fc46bfd92396435f2baa60888d877d8312040771413a8088b1db09745ea
                                                                                                    • Opcode Fuzzy Hash: 5420d5305238894590119742960248a75d15a15b8639eb191e66ac764d8702b8
                                                                                                    • Instruction Fuzzy Hash: A211B176804280CFCB15CF10D9C4B16BF71FB98324F2886A9D8090B61AC336D856DBA1
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.448438523.0000000000FFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FFD000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_ffd000_D6GEVBNNH11111.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 50eb2c3a52440a91dc116737e4d910fd79c16869f8b8fc563e5ae3e56bb24798
                                                                                                    • Instruction ID: f67d2c7f6584b1a71f6ab4783d66a8bf84646459d52aa1e05b0d2bc249da3122
                                                                                                    • Opcode Fuzzy Hash: 50eb2c3a52440a91dc116737e4d910fd79c16869f8b8fc563e5ae3e56bb24798
                                                                                                    • Instruction Fuzzy Hash: E3118E75904284DFCB01CF10D5C4B25BB62FB44324F28C6AAD9494B666C33AD84ADBA2
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.448351447.0000000000FED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FED000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_fed000_D6GEVBNNH11111.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: cc2292b85028f0fa27c6af62a6a7c4a1e65b129265d9412d834fc044694006fa
                                                                                                    • Instruction ID: fa50ed55405d8070fb7082926e0d722d32ffac27102e961b412638a953ec2e3a
                                                                                                    • Opcode Fuzzy Hash: cc2292b85028f0fa27c6af62a6a7c4a1e65b129265d9412d834fc044694006fa
                                                                                                    • Instruction Fuzzy Hash: C1012B729093809BE7209A17CCC4B66BB98EF45378F18C55AED085B646C374DD44D6B1
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.448351447.0000000000FED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FED000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_fed000_D6GEVBNNH11111.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 2eb792318201854224b3819cb8458e9d2f5dcdffa35a3cf2f87e0798a7d462b7
                                                                                                    • Instruction ID: ac3c84b6a5d2b78319421b662bb6e95885b386cf67a9addbb9f98efefb1d922a
                                                                                                    • Opcode Fuzzy Hash: 2eb792318201854224b3819cb8458e9d2f5dcdffa35a3cf2f87e0798a7d462b7
                                                                                                    • Instruction Fuzzy Hash: AAF0C2718052849AEB248A06CC84B62FFA8EB52774F18C55AED085B686C3789C44CAB0
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.464628430.000000000D840000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D840000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_d840000_D6GEVBNNH11111.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: cu4
                                                                                                    • API String ID: 0-305270025
                                                                                                    • Opcode ID: e9ad75f70fd1a5436c458d395a79ede50bd87c3a46ecbb39c42032334646ce4f
                                                                                                    • Instruction ID: f39bc8b4ec885fa2aab6d32060c7e14a65fb641ea8609bc46299fcf659d0aaf5
                                                                                                    • Opcode Fuzzy Hash: e9ad75f70fd1a5436c458d395a79ede50bd87c3a46ecbb39c42032334646ce4f
                                                                                                    • Instruction Fuzzy Hash: D5C1F474E1521DCFCB14CFA9D980AAEBBB2BF89214F10C5A9E509EB361DB309941CF51
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.464628430.000000000D840000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D840000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_d840000_D6GEVBNNH11111.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: cu4
                                                                                                    • API String ID: 0-305270025
                                                                                                    • Opcode ID: f9767c0cc744988709d2fc8bb75023b2c9f631a7d4a9946e4b113ab71d9c2952
                                                                                                    • Instruction ID: 7cd7d2dc7fe90b15746b729435c21255e72d7da87f08d5102f10550076b22713
                                                                                                    • Opcode Fuzzy Hash: f9767c0cc744988709d2fc8bb75023b2c9f631a7d4a9946e4b113ab71d9c2952
                                                                                                    • Instruction Fuzzy Hash: 4BB11674E15219CFCB14CFA9D980BAEB7B2BF89214F10C5AAE509EB351DB30A941CF51
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.450309934.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2df0000_D6GEVBNNH11111.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: {,]
                                                                                                    • API String ID: 0-3739187655
                                                                                                    • Opcode ID: c0d4fcc4185c728806a98c519a3c09f82c63f682981da5ebb8ea6f3399e7a212
                                                                                                    • Instruction ID: ca897e336c862f40109f6031e5dacfeae4ee04eab371e7711da1820b8047eaf6
                                                                                                    • Opcode Fuzzy Hash: c0d4fcc4185c728806a98c519a3c09f82c63f682981da5ebb8ea6f3399e7a212
                                                                                                    • Instruction Fuzzy Hash: C481DF74E15209CFCB44CFA9C5849AEBBF1FF88310F25956AE915AB324D330AA42CF55
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.450309934.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2df0000_D6GEVBNNH11111.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: {,]
                                                                                                    • API String ID: 0-3739187655
                                                                                                    • Opcode ID: 63f4af06e9950f167a06a4d3c14d54031055bbd832c107cd17f1ce789a121487
                                                                                                    • Instruction ID: 6109e8ae3cb301a4eb0f6158c6950e87754bd17beb2cff5639e8dba887263354
                                                                                                    • Opcode Fuzzy Hash: 63f4af06e9950f167a06a4d3c14d54031055bbd832c107cd17f1ce789a121487
                                                                                                    • Instruction Fuzzy Hash: 7B81FF74E14249CFCB84CFA9C98499EBBF1FF89310F25856AD815AB364D330AE42CB55
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.464628430.000000000D840000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D840000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_d840000_D6GEVBNNH11111.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: c4d26498381097734d9329311a350609bae046573be2c4309f0586aea5ee7390
                                                                                                    • Instruction ID: 11c74a550583d59f6bb129b5645a9e0e7caf79aeeffea1c62298c9c9d8364ff8
                                                                                                    • Opcode Fuzzy Hash: c4d26498381097734d9329311a350609bae046573be2c4309f0586aea5ee7390
                                                                                                    • Instruction Fuzzy Hash: 20A19D70B041185FDB19A77488507BF32E79FC9608F19883CD20ADBB94DF389D069BA2
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.450309934.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2df0000_D6GEVBNNH11111.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 8ca551708e877dad6066c978348e6c573bccaedb9f4e912593aede9f7b62ec42
                                                                                                    • Instruction ID: eefb6d56f962c30657dfd1fa242f855b95c64bf9c250769a19abe07650bb5f2d
                                                                                                    • Opcode Fuzzy Hash: 8ca551708e877dad6066c978348e6c573bccaedb9f4e912593aede9f7b62ec42
                                                                                                    • Instruction Fuzzy Hash: 6E913774E04119CBCB14DFA9D9805AEFBF2BF89204F25C5A9D518A770AD7309E42CFA0
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.450309934.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2df0000_D6GEVBNNH11111.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 697cf05ec3adbbb188fe9027ca8a1e98a6edebdfe0ec8d4fa5d38213e0afab99
                                                                                                    • Instruction ID: 4572e32eaa2b064d1c35731201c8f9b21bbe49a5c867241456b9697555ef464a
                                                                                                    • Opcode Fuzzy Hash: 697cf05ec3adbbb188fe9027ca8a1e98a6edebdfe0ec8d4fa5d38213e0afab99
                                                                                                    • Instruction Fuzzy Hash: 28912C70E04319CBDB54DF66C9446DEBBB2AF89304F11C4AAD649AB354DB349E81CF05
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.450309934.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2df0000_D6GEVBNNH11111.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 4498c7bf9f709faa4080d2c2e6704a700accab3f6438f1ae4b33e6994be426d4
                                                                                                    • Instruction ID: 4861846c29bc97ad7d5f898ccce3d491bc1740ca3c5fc8417cfa7d841da2d35b
                                                                                                    • Opcode Fuzzy Hash: 4498c7bf9f709faa4080d2c2e6704a700accab3f6438f1ae4b33e6994be426d4
                                                                                                    • Instruction Fuzzy Hash: F0916770E04219CFCB54CFA9D980AAEFBF2BF89204F2585A9D518AB355D7309E41CF61
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.450309934.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2df0000_D6GEVBNNH11111.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 49826c09f18c7bb8963c4a68fa3710a88c68fce15e0514544d6cbe74ca342bfa
                                                                                                    • Instruction ID: 312c5bdb5218da06bfc6e39af7e8f3deacbc9aa2633d9c560a55c6f7e2244f16
                                                                                                    • Opcode Fuzzy Hash: 49826c09f18c7bb8963c4a68fa3710a88c68fce15e0514544d6cbe74ca342bfa
                                                                                                    • Instruction Fuzzy Hash: A8914A74E04119CFCB54DFA8E980AADFBF2BB89304F2585A9E519A7345C7309E42CF64
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.450309934.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2df0000_D6GEVBNNH11111.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 3b36a46db4fcd59db802f4152c920d5202ac5136d3b78489f17bb977a0fd5935
                                                                                                    • Instruction ID: 3738cddb2b6d6ae0fda10ed6c334b8d84221084a4f0cbc7db32df8f3286902f0
                                                                                                    • Opcode Fuzzy Hash: 3b36a46db4fcd59db802f4152c920d5202ac5136d3b78489f17bb977a0fd5935
                                                                                                    • Instruction Fuzzy Hash: CB815A74E041198FCB54DF69CA809AEFBF2BF89204F25C569D418A735AD7309D42CFA0
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.450309934.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2df0000_D6GEVBNNH11111.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 84686e529d00858de62f2c7a995748b60e897cf0b42e56b04fb2f46209d890cd
                                                                                                    • Instruction ID: 976d29281d0c4e51261a2cf69f85969ecef380c89dc725c6602a7c6c2bb79f40
                                                                                                    • Opcode Fuzzy Hash: 84686e529d00858de62f2c7a995748b60e897cf0b42e56b04fb2f46209d890cd
                                                                                                    • Instruction Fuzzy Hash: DA710374E15209CFCB44CFAAD9804DEFBF2BF89210F65A42ADA45B7314D7349A01CB68
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.450309934.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2df0000_D6GEVBNNH11111.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: f176654cb7bb23fcd56e523b4d82c8f15b23937d43decd768ee04c2e8f63d984
                                                                                                    • Instruction ID: 3185393096de27a08242a017c021298bb038d28f721f1f5ee21e49d06da77f26
                                                                                                    • Opcode Fuzzy Hash: f176654cb7bb23fcd56e523b4d82c8f15b23937d43decd768ee04c2e8f63d984
                                                                                                    • Instruction Fuzzy Hash: 01710474E152098FCB44CFA9D9804DEFBF2AF89210F29A46AD645B7314D7349A41CB68
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.464628430.000000000D840000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D840000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_d840000_D6GEVBNNH11111.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 9bd03aaaf32afc743d363a2c001b1b56248c5d68bcd9f263d88368397a3ff01c
                                                                                                    • Instruction ID: df6745249b222610b36d660c77a6012729de8e41f825f6ec330239bc531564e5
                                                                                                    • Opcode Fuzzy Hash: 9bd03aaaf32afc743d363a2c001b1b56248c5d68bcd9f263d88368397a3ff01c
                                                                                                    • Instruction Fuzzy Hash: E771E474E0524D9FCB08CFAAD8859AEBBB2FF89304F20D42AD505AB354D7349942CF91
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.464628430.000000000D840000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D840000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_d840000_D6GEVBNNH11111.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: fa08969a5e229e6b6aa9164a4419e3f7fe90782834c9027d7867a5ff1f815659
                                                                                                    • Instruction ID: 37ed94a71acc972ec902430095e9f9ee442ed28be1b9c226a8a0363e18e03d67
                                                                                                    • Opcode Fuzzy Hash: fa08969a5e229e6b6aa9164a4419e3f7fe90782834c9027d7867a5ff1f815659
                                                                                                    • Instruction Fuzzy Hash: 2F71E474E052498FCB08CFAAD8859AEBBF2FF89304F20D42AD505AB354D7349942CF91
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.450309934.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2df0000_D6GEVBNNH11111.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 16cba2bc6a48082d123de403fa472b8ee3f47638cfbde05dc1a3ac0c9bfa7548
                                                                                                    • Instruction ID: 23bbca9505e4b9bdee3ba9e441707560b47eeb7f19528e5dfc9ce5744cda944a
                                                                                                    • Opcode Fuzzy Hash: 16cba2bc6a48082d123de403fa472b8ee3f47638cfbde05dc1a3ac0c9bfa7548
                                                                                                    • Instruction Fuzzy Hash: D76159B1D0524ADBCB84CFAAD8805AEFBB1EF49344F16845AD550B7354D3349A42CF94
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.464628430.000000000D840000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D840000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_d840000_D6GEVBNNH11111.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: de117ef089f0b3ee47bbf432b00140f1478d89f51e6ff5d3104f5374bf936450
                                                                                                    • Instruction ID: e387198aaf76f08ebc09b59989b5cbdfc9df02d20f74066600fa40dd0e47d703
                                                                                                    • Opcode Fuzzy Hash: de117ef089f0b3ee47bbf432b00140f1478d89f51e6ff5d3104f5374bf936450
                                                                                                    • Instruction Fuzzy Hash: 53518EB0E1511D9BDB14CFAAD980AAEFBF6BF89204F24C56AD408E7345D7309A41CF60
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.450309934.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2df0000_D6GEVBNNH11111.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: c545ac03c21dd18b8eadac15cb38a29685f48a04bfed25b2ed7b361e0ac7984c
                                                                                                    • Instruction ID: fdf7b5731936a650c0e0e3199b1955bf32e1aa31de478bdc4ed4f896c6528062
                                                                                                    • Opcode Fuzzy Hash: c545ac03c21dd18b8eadac15cb38a29685f48a04bfed25b2ed7b361e0ac7984c
                                                                                                    • Instruction Fuzzy Hash: 54512AB0E0524ADBCB44CFA9C5815AEFBF2BF88300F24D56AC605BB714D7309A41CB98
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.450309934.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2df0000_D6GEVBNNH11111.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: b75ee509e6a87d2168986809caf435eecb226c7e8da28071ee4b2761f413504a
                                                                                                    • Instruction ID: b5f5a991ffddf56c7bb45ff518464513ef044f70e3425966ae004c6348edf44a
                                                                                                    • Opcode Fuzzy Hash: b75ee509e6a87d2168986809caf435eecb226c7e8da28071ee4b2761f413504a
                                                                                                    • Instruction Fuzzy Hash: B85117B0E0524ADBCB44CFA9C5815AEFBF2EF89300F25D56AC605BB714D7349A41CB98
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.450309934.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2df0000_D6GEVBNNH11111.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 28410ac30d0537b266f732696cd3ce850850e5ab3b61ca16714b6f90878a1cbf
                                                                                                    • Instruction ID: 4f009cb882d68108b36d9f8a898e42a3a29e86d088af80f8a09e8c37065cd72e
                                                                                                    • Opcode Fuzzy Hash: 28410ac30d0537b266f732696cd3ce850850e5ab3b61ca16714b6f90878a1cbf
                                                                                                    • Instruction Fuzzy Hash: 554105B1E0524ADBCB44CFA5C5815AFFBB2FF89300F25996AC605BB714D3349A41CB98
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.450309934.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2df0000_D6GEVBNNH11111.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 18a3c31ed76b86f3865f99eadf242af916006d9a51ce9bde7f3e51b93c8b9240
                                                                                                    • Instruction ID: fb1fe52d0cac0c147744b84b754db89311444b73a4537bcf13aad198f1a597a9
                                                                                                    • Opcode Fuzzy Hash: 18a3c31ed76b86f3865f99eadf242af916006d9a51ce9bde7f3e51b93c8b9240
                                                                                                    • Instruction Fuzzy Hash: 8F41C570E0420A9BDB44CFAAD5805AEFBF2AF99300F14D46AC615B7354E7349A41CF98
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.450309934.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2df0000_D6GEVBNNH11111.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: cfe4572ab9b67f7ed1a52057a915e1fc928336c99df0e668836ea57dd52ca3e2
                                                                                                    • Instruction ID: f274e80c0fc4d9bd57e3f707d6d64edab8f981e8c33e391761d502e4de7e2ef2
                                                                                                    • Opcode Fuzzy Hash: cfe4572ab9b67f7ed1a52057a915e1fc928336c99df0e668836ea57dd52ca3e2
                                                                                                    • Instruction Fuzzy Hash: 6B41E470E0460A8BDB44CFAAD9805AEFBF2AF99300F24D46AC615B7354E7349A42CF54
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.450309934.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2df0000_D6GEVBNNH11111.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 57ad16cba3d4ad424ad4dde8818fdbdd7a36a01b0682f9dc7f67c6b57d682181
                                                                                                    • Instruction ID: 90a64cf00825eabc68d89aa788fa758792edb5cf841f26232d07b66a02e3ea63
                                                                                                    • Opcode Fuzzy Hash: 57ad16cba3d4ad424ad4dde8818fdbdd7a36a01b0682f9dc7f67c6b57d682181
                                                                                                    • Instruction Fuzzy Hash: 19210D71E056588BEB49CFABD80469EFBF3AFC9200F09C1BAC508A6254EB340946CF11
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Execution Graph

                                                                                                    Execution Coverage:14.1%
                                                                                                    Dynamic/Decrypted Code Coverage:100%
                                                                                                    Signature Coverage:3.1%
                                                                                                    Total number of Nodes:98
                                                                                                    Total number of Limit Nodes:16
                                                                                                    execution_graph: [rendered graph data omitted; nodes reference the API calls CreateProcessAsUserW (from 65e4e34 / 65e4e40), VirtualProtect (65141e8), SetThreadContext (65e7b1d), WriteProcessMemory (65e73a0), PostMessageW (65e8268 / 65e8260), DeleteFileW (c19e326), VirtualProtectEx (65e7898), GetThreadContext (65e6955), ResumeThread (65e7da0) and VirtualAllocEx (65e7020)]

                                                                                                    Control-flow Graph

                                                                                                    • Executed
                                                                                                    • Not Executed
                                                                                                    control_flow_graph: [rendered graph data omitted; basic blocks 65e4e40 through 65e5077, with the CreateProcessAsUserW call in block 65e4f11-65e4fbe]
                                                                                                    APIs
                                                                                                    • CreateProcessAsUserW.KERNEL32(?,?,?,0000000A,?,?,?,?,?,?,?), ref: 065E4FAB
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.680840987.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_65e0000_geater.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CreateProcessUser
                                                                                                    • String ID:
                                                                                                    • API String ID: 2217836671-0
                                                                                                    • Opcode ID: 7d7fbb99e6258ba03f7a1bcd886bfbdc56fb9a76fdf163bb5536b86877f64adb
                                                                                                    • Instruction ID: 2442854abf94bb630312d39b95ebfaf6849e32a7fdb42e1d2ee2e28c2b949eb3
                                                                                                    • Opcode Fuzzy Hash: 7d7fbb99e6258ba03f7a1bcd886bfbdc56fb9a76fdf163bb5536b86877f64adb
                                                                                                    • Instruction Fuzzy Hash: 3F511571D002299FDF24CF59C840BDDBBB5BF88304F0584AAE919B7250DB75AA89CF90
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

Control-flow Graph
• Graph for blocks 65e4e34-65e5077 (calls CreateProcessAsUserW); the rendered graph and its Executed / Not Executed legend are not reproduced here
APIs
• CreateProcessAsUserW.KERNEL32(?,?,?,0000000A,?,?,?,?,?,?,?), ref: 065E4FAB
Memory Dump Source
• Source File: 00000006.00000002.680840987.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_65e0000_geater.jbxd
Similarity
• API ID: CreateProcessUser
• String ID:
• API String ID: 2217836671-0
• Opcode ID: 1076dfc0ba1ec88d4c8d078a04f270746dab0894508eb3fe715518d798050abf
• Instruction ID: 66dca0937d85d00510f94e8c7d1da5b77033a3a5516c2d72c1ede6e02c9aae21
• Opcode Fuzzy Hash: 1076dfc0ba1ec88d4c8d078a04f270746dab0894508eb3fe715518d798050abf
• Instruction Fuzzy Hash: A6510671D002299FDF24CF59C844BDDBBB5BF88304F0584AAE919B7250DB759A89CF90
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
• Graph for blocks 6514173-651424a (calls VirtualProtect); the rendered graph and its Executed / Not Executed legend are not reproduced here
APIs
• VirtualProtect.KERNEL32(?,?,?,?), ref: 06514213
Memory Dump Source
• Source File: 00000006.00000002.680667318.0000000006510000.00000040.00000800.00020000.00000000.sdmp, Offset: 06510000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6510000_geater.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
• Opcode ID: d83a7cb024edeed9138555ab1433276614fafe9493605dfb3d38a4551b7c6a0a
• Instruction ID: 9e420efcccc3dad24505d7520b5e59deac8b3d5fb882489ccf49cac46d9cd7f4
• Opcode Fuzzy Hash: d83a7cb024edeed9138555ab1433276614fafe9493605dfb3d38a4551b7c6a0a
• Instruction Fuzzy Hash: 4B215AB59002099FDB14CF99D845BEFFBF9FB48320F04852AE818A7250D374A945CFA1
Uniqueness
• Uniqueness Score: -1.00%

APIs
• WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 065E73E8
Memory Dump Source
• Source File: 00000006.00000002.680840987.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_65e0000_geater.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
• Opcode ID: 6ea9b32cd1bb54bcd40b27ef527cb56043a8b981335a23cb606b1411b6f50e3b
• Instruction ID: e9a3bf10c67349bac736fd34ea4247b8b3e420c8eda823f7520992e307eca04f
• Opcode Fuzzy Hash: 6ea9b32cd1bb54bcd40b27ef527cb56043a8b981335a23cb606b1411b6f50e3b
• Instruction Fuzzy Hash: BB2102719002199FCF44CFA9C884BEEBBF5FB88214F14842AE919A7240DB789945CBA0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 065E73E8
Memory Dump Source
• Source File: 00000006.00000002.680840987.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_65e0000_geater.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
• Opcode ID: c483b6fd9b212d20208f3d59e73cc74c4db82b1e9e7f96a31b7e1d303b86e649
• Instruction ID: 0102e48824d30ffb0a6a049cdab450aaa5b3d60687723d054e7cfb8a647c2cbd
• Opcode Fuzzy Hash: c483b6fd9b212d20208f3d59e73cc74c4db82b1e9e7f96a31b7e1d303b86e649
• Instruction Fuzzy Hash: F62113759002199FCF44CFA9C884BEEBBF5FF88314F14842AE919A7250DB789955CFA0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• SetThreadContext.KERNEL32(?,00000000), ref: 065E7B56
Memory Dump Source
• Source File: 00000006.00000002.680840987.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_65e0000_geater.jbxd
Similarity
• API ID: ContextThread
• String ID:
• API String ID: 1591575202-0
• Opcode ID: de0ec0a7da6e9a2efb16644ae192b81cbd4f8bb246f9d2f1d1dfe49207d07bfe
• Instruction ID: 4bf8885720e38c6b17e106a35b50d1c4230fb59d66df1a82e0587a78f6edc879
• Opcode Fuzzy Hash: de0ec0a7da6e9a2efb16644ae192b81cbd4f8bb246f9d2f1d1dfe49207d07bfe
• Instruction Fuzzy Hash: 73215971D002099FDB54CFAAC484BEEBBF4FF88224F14842AD459A7640CB789945CFA1
Uniqueness
• Uniqueness Score: -1.00%

APIs
• SetThreadContext.KERNEL32(?,00000000), ref: 065E7B56
Memory Dump Source
• Source File: 00000006.00000002.680840987.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_65e0000_geater.jbxd
Similarity
• API ID: ContextThread
• String ID:
• API String ID: 1591575202-0
• Opcode ID: 295f14bb1232ec715bb8317ad8297ead21ee4e2158007ac2e9df1ca4f5c29ebc
• Instruction ID: 80375960b7b688354e0e21a0257b46447d9204eacdca0097c5a413bee9898d83
• Opcode Fuzzy Hash: 295f14bb1232ec715bb8317ad8297ead21ee4e2158007ac2e9df1ca4f5c29ebc
• Instruction Fuzzy Hash: D9213871D002098FDB14CFAAC4847EEBBF4EF88224F148429D559A7340DB78A945CFA5
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetThreadContext.KERNEL32(?,00000000), ref: 065E698E
Memory Dump Source
• Source File: 00000006.00000002.680840987.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_65e0000_geater.jbxd
Similarity
• API ID: ContextThread
• String ID:
• API String ID: 1591575202-0
• Opcode ID: accde8e35f482a3620fc501bc17342784c3cd0b25d683a8a7d6f72630dc4dc9a
• Instruction ID: 1fd442cf3f7bd6918c6c9c11437d5eafdca6cac9d6bd7dea4dfa7fcd26aca243
• Opcode Fuzzy Hash: accde8e35f482a3620fc501bc17342784c3cd0b25d683a8a7d6f72630dc4dc9a
• Instruction Fuzzy Hash: 2E213571D003098FDB14CFAAC4847EEBBF4EF98264F14842ED559A7240CB78A945CFA5
Uniqueness
• Uniqueness Score: -1.00%

APIs
• VirtualProtectEx.KERNEL32(?,?,?,?,?), ref: 065E78C7
Memory Dump Source
• Source File: 00000006.00000002.680840987.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_65e0000_geater.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
• Opcode ID: a6a8af59757b8f6f1cfedfc8ac74c59fe480204b465f695370a55b413933eba7
• Instruction ID: 73e5c97044ebd89804943d0c26b4cfb028bb88318274ef91fa0886c033d06f97
• Opcode Fuzzy Hash: a6a8af59757b8f6f1cfedfc8ac74c59fe480204b465f695370a55b413933eba7
• Instruction Fuzzy Hash: 8A213871D002099FDB10CFAAC444BEEBBF4FF88324F04842AD569A7250C7789945CFA1
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetThreadContext.KERNEL32(?,00000000), ref: 065E698E
Memory Dump Source
• Source File: 00000006.00000002.680840987.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_65e0000_geater.jbxd
Similarity
• API ID: ContextThread
• String ID:
• API String ID: 1591575202-0
• Opcode ID: 3af6befffe79d2b0fb0938aa0626aef59088287a47dbe87ddcd2c313dd72e6ad
• Instruction ID: f468d1fa7a5d6807b027cbf431bddd527953d70c5b199e6e9466ef5ab55f4994
• Opcode Fuzzy Hash: 3af6befffe79d2b0fb0938aa0626aef59088287a47dbe87ddcd2c313dd72e6ad
• Instruction Fuzzy Hash: C7215475D002098FDB04CFAAC4807EEBBF5AF88364F14842AD959A7240CB789945CFA0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• VirtualProtectEx.KERNEL32(?,?,?,?,?), ref: 065E78C7
Memory Dump Source
• Source File: 00000006.00000002.680840987.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_65e0000_geater.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
• Opcode ID: 72d4bc9df1dde21dcd96fe68efa55a2067166651d089db12c1c8b13882126552
• Instruction ID: e8fc84a36040da8c9384882bb478ed8d61bf576e9400ccdd26b9466849381386
• Opcode Fuzzy Hash: 72d4bc9df1dde21dcd96fe68efa55a2067166651d089db12c1c8b13882126552
• Instruction Fuzzy Hash: 85211571C042099FDB10CFAAC884BEEBBF5FF88324F15842AD529A7650C7789945CFA1
Uniqueness
• Uniqueness Score: -1.00%

APIs
• DeleteFileW.KERNEL32(00000000), ref: 0C19E350
Memory Dump Source
• Source File: 00000006.00000002.681850041.000000000C190000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C190000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_c190000_geater.jbxd
Similarity
• API ID: DeleteFile
• String ID:
• API String ID: 4033686569-0
• Opcode ID: 908b273fab2056d163aadca7e56460cacb2959f916ec84d506e5d168259366f4
• Instruction ID: f70cb692d6274df45091ec1475b3a5529ffa3baffb0f5749c6a0117a123ac3bd
• Opcode Fuzzy Hash: 908b273fab2056d163aadca7e56460cacb2959f916ec84d506e5d168259366f4
• Instruction Fuzzy Hash: AB2104B5C0061A9BCB10CF9AC445BDEFBB4FF49220F15812AD869A7740D738AA45CFA1
Uniqueness
• Uniqueness Score: -1.00%

APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 065E704E
Memory Dump Source
• Source File: 00000006.00000002.680840987.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_65e0000_geater.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 31b36878436d630cff7fcf612b93817078f278f1aa1a5977b62f9b8791459272
• Instruction ID: 0e84d3feae86883f067fc914833127c3eb4117bb6327ea6e6f459836d90bbb03
• Opcode Fuzzy Hash: 31b36878436d630cff7fcf612b93817078f278f1aa1a5977b62f9b8791459272
• Instruction Fuzzy Hash: F11144728002499FCF10CFAAC844BEEBBF5EF88324F148419E92AA7650C7759945CFA1
Uniqueness
• Uniqueness Score: -1.00%

APIs
• DeleteFileW.KERNEL32(00000000), ref: 0C19E350
Memory Dump Source
• Source File: 00000006.00000002.681850041.000000000C190000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C190000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_c190000_geater.jbxd
Similarity
• API ID: DeleteFile
• String ID:
• API String ID: 4033686569-0
• Opcode ID: 927a86265164c0535441894f2159f64a60a7eccd819ee530aedb8e2465de6c3a
• Instruction ID: 8e938220a023c1bc25b07cc67b3002e79ffb47dcc52b92bf4769b4e297fa47a1
• Opcode Fuzzy Hash: 927a86265164c0535441894f2159f64a60a7eccd819ee530aedb8e2465de6c3a
• Instruction Fuzzy Hash: A51133B1C0062A9BCB10CF9AC444B9EFBB4FF48320F15812AD819B7740D738AA45CFA1
Uniqueness
• Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • VirtualProtect.KERNEL32(?,?,?,?), ref: 0651CD63
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.680667318.0000000006510000.00000040.00000800.00020000.00000000.sdmp, Offset: 06510000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_6510000_geater.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ProtectVirtual
                                                                                                    • String ID:
                                                                                                    • API String ID: 544645111-0
                                                                                                    • Opcode ID: f277eebbe12596be6e0a407f58e072e9d0fb70f3310ccaf28a1673d67293d5e2
                                                                                                    • Instruction ID: 659fc9ef46dae777c40d5a492147153792c4fa8815cac49db14c2dd1821b05ad
                                                                                                    • Opcode Fuzzy Hash: f277eebbe12596be6e0a407f58e072e9d0fb70f3310ccaf28a1673d67293d5e2
                                                                                                    • Instruction Fuzzy Hash: AB211775D002599FDB10CF9AC484BDEFBF4FB48320F148029E459A7250D378A945CFA1
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • VirtualProtect.KERNEL32(?,?,?,?), ref: 06514213
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.680667318.0000000006510000.00000040.00000800.00020000.00000000.sdmp, Offset: 06510000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_6510000_geater.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ProtectVirtual
                                                                                                    • String ID:
                                                                                                    • API String ID: 544645111-0
                                                                                                    • Opcode ID: 0336b08d46a16edd2c308c1d6816a5c782af3e42a7013af66afd5ad6df4b1066
                                                                                                    • Instruction ID: eae856e00a17116ee87af63bc41f3eacba1498084e59d7e856c9befdf7ad2b80
                                                                                                    • Opcode Fuzzy Hash: 0336b08d46a16edd2c308c1d6816a5c782af3e42a7013af66afd5ad6df4b1066
                                                                                                    • Instruction Fuzzy Hash: DC21E775D002199FDB10CF9AC884BDEFBF4FB48320F148429E569A7250D774A945CFA1
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 065E704E
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.680840987.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_65e0000_geater.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AllocVirtual
                                                                                                    • String ID:
                                                                                                    • API String ID: 4275171209-0
                                                                                                    • Opcode ID: f8db7e61c706353d093cb4e3b16b85d01820f96da1eefcaff44e0b348292444f
                                                                                                    • Instruction ID: 6c8f0a59ee80b2df5b4d84bea5d8744c2ca8bdaf45f10ed8accca050406e0eb4
                                                                                                    • Opcode Fuzzy Hash: f8db7e61c706353d093cb4e3b16b85d01820f96da1eefcaff44e0b348292444f
                                                                                                    • Instruction Fuzzy Hash: 941134729002099FCF14CFAAC844BDFBBF5EF88324F148819E52AA7650C775A945CFA1
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.680840987.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_65e0000_geater.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ResumeThread
                                                                                                    • String ID:
                                                                                                    • API String ID: 947044025-0
                                                                                                    • Opcode ID: 04bb6e432ecae27fbca5983bb47bff63026e9fdce6a29fc771cf05317d2c6d71
                                                                                                    • Instruction ID: 60709449fcf19a379d08dfca0b349bffd942549d4e2f3ce75cc5b7f1d39875f1
                                                                                                    • Opcode Fuzzy Hash: 04bb6e432ecae27fbca5983bb47bff63026e9fdce6a29fc771cf05317d2c6d71
                                                                                                    • Instruction Fuzzy Hash: 621146B59002088BDB14CFAAC4847EEFBF9EF88224F14842DD529A7740CB799945CFA1
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.680840987.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_65e0000_geater.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ResumeThread
                                                                                                    • String ID:
                                                                                                    • API String ID: 947044025-0
                                                                                                    • Opcode ID: abdb6da23846b80f158b3929131c93bc96f9afb470e3f7006f3ab9e66f6bd666
                                                                                                    • Instruction ID: 235a15cc28970090fd3ce8759edb6641758aa562308a1537064f25ff91728333
                                                                                                    • Opcode Fuzzy Hash: abdb6da23846b80f158b3929131c93bc96f9afb470e3f7006f3ab9e66f6bd666
                                                                                                    • Instruction Fuzzy Hash: 9B113AB5D002488BDB14DFAAC4447EEFBF4AF88224F148419C519A7740CB74A945CFA5
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • PostMessageW.USER32(?,?,?,?), ref: 065E82C5
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.680840987.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_65e0000_geater.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: MessagePost
                                                                                                    • String ID:
                                                                                                    • API String ID: 410705778-0
                                                                                                    • Opcode ID: 2722252ccb06c40d570b699d7717b28db970fc70d81ee495c8c69a84ad038e84
                                                                                                    • Instruction ID: 407c4882c9a733819ae602c3d2973e3265c4b1dcfa2d3946cfc5fe289a3dd9e8
                                                                                                    • Opcode Fuzzy Hash: 2722252ccb06c40d570b699d7717b28db970fc70d81ee495c8c69a84ad038e84
                                                                                                    • Instruction Fuzzy Hash: 7E11F2B58006499FDB10CF99C885BEFBFF8FB58324F14841AE855A3600C375A945CFA1
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • PostMessageW.USER32(?,?,?,?), ref: 065E82C5
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.680840987.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_65e0000_geater.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: MessagePost
                                                                                                    • String ID:
                                                                                                    • API String ID: 410705778-0
                                                                                                    • Opcode ID: e97b7bc811ededb91d841fd7d662e50c7df1719d318405e01871e71263cc2e7a
                                                                                                    • Instruction ID: 73493eca61bb94714fd32493fc2e257c2d02ef1d4e06f1e79418554fad687734
                                                                                                    • Opcode Fuzzy Hash: e97b7bc811ededb91d841fd7d662e50c7df1719d318405e01871e71263cc2e7a
                                                                                                    • Instruction Fuzzy Hash: E31100B58002489FDB10CF9AC884BDEBFF8FB48324F14841AE819A3600C375A944CFA1
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%
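The records above are easier to reason about once they are grouped by the memory region they came from: the region dumped at offset 065E0000 in process 6 carries both VirtualAllocEx and ResumeThread (plus PostMessageW), while 06510000 only carries VirtualProtect and 0C190000 only DeleteFileW. The following script is an added example, not part of the Joe Sandbox report or its tooling: it parses a constructed, whitespace-trimmed excerpt of the records above, normalises function names into the report's "API ID" form (a pattern inferred from these records: CamelCase words sorted, A/W/Ex suffix dropped), merges records per region, and flags a region whose API mix contains the remote-allocate-then-resume-thread pair. The flagging rule is an analyst heuristic assumed here, not a Joe Sandbox signature, and the write step of the chain is not resolved in the records shown.

```python
"""Group Joe Sandbox function records by memory region and flag the
alloc/resume pair. Added example; SAMPLE is a constructed excerpt of the
records above, the API ID normalisation is inferred from them, and the
injection rule is an assumed analyst heuristic."""
import re
from collections import defaultdict

SAMPLE = """\
APIs
• DeleteFileW.KERNEL32(00000000), ref: 0C19E350
• Source File: 00000006.00000002.681850041.000000000C190000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C190000, based on PE: false
• API ID: DeleteFile
Uniqueness Score: -1.00%

APIs
• VirtualProtect.KERNEL32(?,?,?,?), ref: 0651CD63
• Source File: 00000006.00000002.680667318.0000000006510000.00000040.00000800.00020000.00000000.sdmp, Offset: 06510000, based on PE: false
• API ID: ProtectVirtual
Uniqueness Score: -1.00%

APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 065E704E
• Source File: 00000006.00000002.680840987.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false
• API ID: AllocVirtual
Uniqueness Score: -1.00%

APIs
• Source File: 00000006.00000002.680840987.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false
• API ID: ResumeThread
Uniqueness Score: -1.00%

APIs
• PostMessageW.USER32(?,?,?,?), ref: 065E82C5
• Source File: 00000006.00000002.680840987.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false
• API ID: MessagePost
Uniqueness Score: -1.00%
"""

# "• Func.MODULE(args), ref: ADDR" call-site lines
API_CALL = re.compile(r"•\s*(\w+)\.(\w+)\(([^)]*)\),\s*ref:\s*([0-9A-Fa-f]+)")
# .sdmp name: <process>.<dump>.<serial>.<base>...., then the region offset
SOURCE = re.compile(
    r"Source File:\s*(\d+)\.(\d+)\.\d+\.([0-9A-Fa-f]+)\.\S+,\s*Offset:\s*([0-9A-Fa-f]+)")
API_ID = re.compile(r"API ID:[ \t]*(\S*)")  # value may be empty


def joe_api_id(func_name):
    """Export name -> report 'API ID' form (assumed rule: split CamelCase,
    drop the A/W/Ex variant suffix, sort words). VirtualAllocEx -> AllocVirtual."""
    words = re.findall(r"[A-Z][a-z0-9]*", func_name)
    return "".join(sorted(w for w in words if w not in ("A", "W", "Ex")))


def parse_blocks(text):
    """One dict per record: process/dump ids, region offset, call sites, API IDs."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        src = SOURCE.search(chunk)
        if not src:
            continue  # not a function record
        process, dump, base, offset = src.groups()
        calls = [{"func": fn, "module": dll, "args": args, "ref": int(addr, 16)}
                 for fn, dll, args, addr in API_CALL.findall(chunk)]
        # Records without a resolved call line (ResumeThread above) only
        # carry the API ID, so collect both forms into one normalised set.
        api_ids = {m for m in API_ID.findall(chunk) if m}
        api_ids |= {joe_api_id(c["func"]) for c in calls}
        records.append({"process": process, "dump": dump, "base": int(base, 16),
                        "offset": offset.upper(), "calls": calls, "api_ids": api_ids})
    return records


def summarise_regions(records):
    """Merge records into (process, region offset) -> set of API IDs."""
    regions = defaultdict(set)
    for r in records:
        regions[(r["process"], r["offset"])] |= r["api_ids"]
    return regions


# Assumed heuristic: allocating in another process and resuming a thread from
# the same code region is the core of an alloc/write/resume injection chain.
INJECTION_CORE = {"AllocVirtual", "ResumeThread"}


def find_injection_regions(records):
    """Region offsets whose merged API mix contains INJECTION_CORE."""
    return sorted(off for (_p, off), ids in summarise_regions(records).items()
                  if INJECTION_CORE <= ids)


if __name__ == "__main__":
    recs = parse_blocks(SAMPLE)
    for (proc, off), ids in sorted(summarise_regions(recs).items()):
        print(f"process {proc} region {off}: {sorted(ids)}")
    print("flagged regions:", find_injection_regions(recs))
```

Run against a full report export, the per-region summary is what turns hundreds of near-identical records into a handful of regions worth opening in the disassembler; the call-site `ref` addresses (all inside the region's base) are the spots to start from.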

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.643562099.0000000000B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B1D000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_b1d000_geater.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 77e892fbd1ede98df27ad34451d5a2329deb8c9b38918f909eec0d0c0d56ca01
                                                                                                    • Instruction ID: 9f8786a9ac0308ec2894ba4b4522eeaf1b4facf17df5f607a84952bfe24d589d
                                                                                                    • Opcode Fuzzy Hash: 77e892fbd1ede98df27ad34451d5a2329deb8c9b38918f909eec0d0c0d56ca01
                                                                                                    • Instruction Fuzzy Hash: B6212872504244DFDB04DF10D9C0B66BBA6FB98324F24C5A9E9094B356C336E886CBA2
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.643562099.0000000000B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B1D000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_b1d000_geater.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 8225f39c0b17ea24c951af8c9536a6b14f107de75f9ed414ca54d95054a70598
                                                                                                    • Instruction ID: b91173d1d1ad9b52e095680f8bdfb2992ddc338aeb93c48c113681a2cbc68d1b
                                                                                                    • Opcode Fuzzy Hash: 8225f39c0b17ea24c951af8c9536a6b14f107de75f9ed414ca54d95054a70598
                                                                                                    • Instruction Fuzzy Hash: 16216AB1504200DFCB05CF14D9C0F66BFA6FB98328F6485ADE9090B216C336D886CBA1
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.644460376.0000000000BDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BDD000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_bdd000_geater.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: f2e6cedc3e0064d4b1ab9e101368314a8fe4cca10a0c3e2d856072e63ff4ce6d
                                                                                                    • Instruction ID: dae29dcab7137077b23f2e72687ed5f0b38ede5719de7b5eed032ead48dc7810
                                                                                                    • Opcode Fuzzy Hash: f2e6cedc3e0064d4b1ab9e101368314a8fe4cca10a0c3e2d856072e63ff4ce6d
                                                                                                    • Instruction Fuzzy Hash: 9A21F5B1604244DFCB04CF50D9C4B26FBA5FB88314F24C9AED9894B356D336D846CBA1
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.644460376.0000000000BDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BDD000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_bdd000_geater.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 241cacdff7d3fdc8fc27da86447d37ce2fe66bfd8021e3a3bbd48d7ef064c90a
                                                                                                    • Instruction ID: 7f27329f6971b9f3275741fcc5c1df847b46890f069cbbbb0e30ce6c43e4c64a
                                                                                                    • Opcode Fuzzy Hash: 241cacdff7d3fdc8fc27da86447d37ce2fe66bfd8021e3a3bbd48d7ef064c90a
                                                                                                    • Instruction Fuzzy Hash: 4321C1B1508244DFCB14DF10D9D0B26FBA5FB84314F24C6AED9894B356D336D846CA61
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.644460376.0000000000BDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BDD000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_bdd000_geater.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 39ec4337318eb15f129a856ec04377925f5115b0b78421364b305b68a264c099
                                                                                                    • Instruction ID: ccc53d04ba3329d47d941724facc86cd1ed07a5d0c3edcfd0c2723c6da02917a
                                                                                                    • Opcode Fuzzy Hash: 39ec4337318eb15f129a856ec04377925f5115b0b78421364b305b68a264c099
                                                                                                    • Instruction Fuzzy Hash: A0214F7550D3C09FCB028B20C9A0715BF71AB46214F2985DBD8898B6A7D33A984ACB62
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.643562099.0000000000B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B1D000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_b1d000_geater.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 5420d5305238894590119742960248a75d15a15b8639eb191e66ac764d8702b8
                                                                                                    • Instruction ID: cbf9a43d47708b8a463004df1dde8f4afc191e33e7d9fefedd4ab7e5cbd60a3f
                                                                                                    • Opcode Fuzzy Hash: 5420d5305238894590119742960248a75d15a15b8639eb191e66ac764d8702b8
                                                                                                    • Instruction Fuzzy Hash: 9C11D676504240DFCB15CF10D5C4B56BFB2FB94324F28C6A9D8450B756C33AD856CBA1
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.643562099.0000000000B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B1D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_b1d000_geater.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5420d5305238894590119742960248a75d15a15b8639eb191e66ac764d8702b8
• Instruction ID: d8fa66954faa77d6bebf92efcedc8129d0bf361ed6737bf391e66abd4b4c3ede
• Opcode Fuzzy Hash: 5420d5305238894590119742960248a75d15a15b8639eb191e66ac764d8702b8
• Instruction Fuzzy Hash: 2211D376504280CFCF15CF10D5C4B56BFB2FB98324F28C6A9D8050B61AC336D896CBA1
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.644460376.0000000000BDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BDD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_bdd000_geater.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 50eb2c3a52440a91dc116737e4d910fd79c16869f8b8fc563e5ae3e56bb24798
• Instruction ID: 1ae3b2c462b5ef42098400aeb3c94066e4808e619ad0078b56054acc44c3f5ae
• Opcode Fuzzy Hash: 50eb2c3a52440a91dc116737e4d910fd79c16869f8b8fc563e5ae3e56bb24798
• Instruction Fuzzy Hash: 72117975504284DFCB05CF14D5C4B15FBA1FB88324F28C6AAD8894B756D33AD84ACBA1
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.643562099.0000000000B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B1D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_b1d000_geater.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8f73fcd166bc86370cd9ea04a65c80bcf3dafa735c0605f371ec8759615c0336
• Instruction ID: 7e5ca820cb3b2f5555dd9ac8cd21fb72630dc9fdada5a896c7886391d03dc3e3
• Opcode Fuzzy Hash: 8f73fcd166bc86370cd9ea04a65c80bcf3dafa735c0605f371ec8759615c0336
• Instruction Fuzzy Hash: AE012B71508340ABE7109B16CCC4BA6BBD8EF45334F58C59AED095B286C378DC84C6B1
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.643562099.0000000000B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B1D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_b1d000_geater.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0fd61f1ed9028f6b6b334f500f2d40c08d6417a4d84717012e6f724c90015aa6
• Instruction ID: 3f0225fec43c76453616684c02b2b3c87873fbd2a86f0409c2318515a30a8485
• Opcode Fuzzy Hash: 0fd61f1ed9028f6b6b334f500f2d40c08d6417a4d84717012e6f724c90015aa6
• Instruction Fuzzy Hash: 79F0C271404254AEEB108A06CC84BA2FFE8EB55334F18C55AED085B286C3789884CAB0
Uniqueness

Uniqueness Score: -1.00%
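The entries above repeat the same shape for every recovered function: a memory dump source file, an offset, a "based on PE" flag and a set of opcode and instruction hashes. When triaging a report like this one, the useful question is which dump regions the functions come from and whether those regions look like unpacked or injected code rather than a loaded image. The script below is an added example, not part of the Joe Sandbox report or of Joe Security's tooling: it parses entries of this shape into records, groups them per dump file and decodes the dump file name. The field layout assumed for the `.sdmp` name (process index, stage, timestamp, base address, page protection, region flags, memory type, reserved) is an assumption drawn from the names on this page, not something the report documents; the protection and memory-type constants are the Win32 values from winnt.h. The embedded sample text is constructed from three of the entries above.

```python
"""Parse Joe Sandbox "Memory Dump Source" entries and triage the dump regions."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Win32 page-protection and memory-type constants (winnt.h).
PAGE_EXECUTE_READWRITE = 0x40
MEM_PRIVATE = 0x20000
MEM_IMAGE = 0x1000000


@dataclass
class DumpRecord:
    source_file: str
    offset: int
    based_on_pe: bool
    opcode_id: str
    instruction_fuzzy_hash: str


# Constructed sample: three entries copied in the shape of the report above.
SAMPLE = """\
Memory Dump Source
• Source File: 00000006.00000002.643562099.0000000000B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B1D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_b1d000_geater.jbxd
Similarity
• API ID:
• Opcode ID: 5420d5305238894590119742960248a75d15a15b8639eb191e66ac764d8702b8
• Instruction Fuzzy Hash: 2211D376504280CFCF15CF10D5C4B56BFB2FB98324F28C6A9D8050B61AC336D896CBA1
Uniqueness Score: -1.00%
Memory Dump Source
• Source File: 00000006.00000002.644460376.0000000000BDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BDD000, based on PE: false
• Opcode ID: 50eb2c3a52440a91dc116737e4d910fd79c16869f8b8fc563e5ae3e56bb24798
• Instruction Fuzzy Hash: 72117975504284DFCB05CF14D5C4B15FBA1FB88324F28C6AAD8894B756D33AD84ACBA1
Memory Dump Source
• Source File: 00000006.00000002.643562099.0000000000B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B1D000, based on PE: false
• Opcode ID: 8f73fcd166bc86370cd9ea04a65c80bcf3dafa735c0605f371ec8759615c0336
• Instruction Fuzzy Hash: AE012B71508340ABE7109B16CCC4BA6BBD8EF45334F58C59AED095B286C378DC84C6B1
"""


def parse_records(text: str) -> list[DumpRecord]:
    """Split the text at each "Memory Dump Source" header and pull the fields."""
    records = []
    for chunk in text.split("Memory Dump Source")[1:]:
        src = re.search(r"Source File:\s*(\S+?\.sdmp)", chunk)
        off = re.search(r"Offset:\s*([0-9A-Fa-f]+)", chunk)
        pe = re.search(r"based on PE:\s*(true|false)", chunk)
        opid = re.search(r"Opcode ID:\s*([0-9a-f]{64})", chunk)
        ifh = re.search(r"Instruction Fuzzy Hash:\s*([0-9A-Fa-f]+)", chunk)
        if not (src and off and pe and opid and ifh):
            continue  # malformed chunk: skip it rather than guess at fields
        records.append(DumpRecord(src.group(1), int(off.group(1), 16),
                                  pe.group(1) == "true", opid.group(1), ifh.group(1)))
    return records


def decode_dump_name(name: str) -> dict:
    """Decode the .sdmp file name.

    ASSUMED layout (inferred from the names on the page, not documented there):
    <process index>.<stage>.<timestamp>.<base address>.<page protection>.
    <region flags>.<memory type>.<reserved>.sdmp
    """
    parts = name.rsplit(".sdmp", 1)[0].split(".")
    if len(parts) != 8:
        raise ValueError(f"unexpected dump name layout: {name}")
    return {
        "process_index": int(parts[0]),
        "stage": int(parts[1]),
        "base": int(parts[3], 16),
        "protect": int(parts[4], 16),
        "mem_type": int(parts[6], 16),
    }


def is_rwx_private(info: dict, based_on_pe: bool) -> bool:
    """RWX, privately committed, not image-backed: the usual shape of unpacked or injected code."""
    return (info["protect"] & 0xFF == PAGE_EXECUTE_READWRITE
            and info["mem_type"] == MEM_PRIVATE
            and info["mem_type"] != MEM_IMAGE
            and not based_on_pe)


def triage(records: list[DumpRecord]) -> dict:
    """Group function records per dump file and flag suspicious regions."""
    by_dump = defaultdict(list)
    for rec in records:
        by_dump[rec.source_file].append(rec)
    summary = {}
    for src, recs in by_dump.items():
        info = decode_dump_name(src)
        summary[src] = {
            "process_index": info["process_index"],
            "base": info["base"],
            "offset_matches_base": all(r.offset == info["base"] for r in recs),
            "functions": len(recs),
            "distinct_fuzzy_hashes": len({r.instruction_fuzzy_hash for r in recs}),
            "rwx_private_no_pe": is_rwx_private(info, recs[0].based_on_pe),
        }
    return summary


if __name__ == "__main__":
    for src, row in triage(parse_records(SAMPLE)).items():
        print(src, row)
```

Both dumps on this page decode to protection 0x40 (PAGE_EXECUTE_READWRITE) and type 0x20000 (MEM_PRIVATE) with "based on PE: false", which is why the report's functions are worth dumping and hashing separately from the on-disk sample: they live in writable, executable private memory of process 6 rather than in a mapped image.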